Wednesday, October 17, 2012

ICS-CERT Updates Shamoon JSAR

Yesterday DHS ICS-CERT, in conjunction with US-CERT, issued an update of the Joint Security Awareness Report on the Shamoon malware. While this information-stealing tool is suspected of being responsible for shutting down the Saudi oil company IT network, there has been no mention of it being used, or being specifically capable of being used, against control systems.

New Information

The new information included in the Update (on page 2) consists of three new entries in the ‘Tactical Mitigations’ section of the JSAR. The first is a ‘no duh’ entry, the second is somewhat useful, and the third is somewhat confusing. In general these three additions hardly make issuing an update worthwhile, particularly for the ICS community.

Drill Your Recovery Plan

I did say that this was a ‘no duh’ mitigation strategy, but to be fair ‘drill your recovery plan’ is one of those common sense strategies that probably doesn’t get done much. I’m not sure that simply listing it in a JSAR will help that. Perhaps an explanation of why any plan must be practiced (drilled) to be effective will help.

The military probably has the best experience in developing, perfecting and executing contingency plans. They know from bitter and painful experience that plans inevitably have shortcomings due to assumptions made in the planning process. Most often these assumptions are not clearly understood and frequently not even identified.

Practicing a plan will usually point out some of the shortcomings in the plan that are a result of inaccurate or incomplete assumptions. This does require, however, that after the plan has been exercised, a clear and complete analysis be made of the areas where the plan did or did not work. The plan then has to be modified to correct the deficiencies and build on what was done right.
Finding these mistakes during an exercise is much less painful and makes them easier to correct than if they are discovered for the first time while responding to the real thing.
