Mitigation Efforts
The ICS-CERT report suggests installing two Microsoft updates (on control systems, only after off-line testing has confirmed that the update is safe for the system). The first is the update that Microsoft released earlier this month (MS10-046) specifically for the new vulnerability associated with Stuxnet. The report also recommends installing an older Microsoft update (MS08-067, with the same control system caveat), noting that: “Stuxnet malware also references a Microsoft vulnerability that was addressed in MS08-067, although it is not yet clear how this vulnerability is used.” (pg 2)
Other than installing updated anti-virus software or the appropriate updates for existing AV software (with the same control system caveat), the only other advice ICS-CERT provides is: “If Siemens SIMATIC WinCC or STEP 7 software is running on an infected system, then Siemens Customer Support and ICS-CERT should be contacted.” (pg 3) This is probably very solid advice.
New Stuxnet Information
The above recommendations (with the exception of the second MS update) are old news and have been covered extensively in the cyber security press. The new information has little to do with mitigation efforts; the reporting on the new discoveries being made about Stuxnet is much more interesting. The Stuxnet summary on the first page should be read by everyone in the industrial control system (ICS) community. I would like to call everyone’s attention to the following quote (pg 1):
“With approximately 4,000 functions, Stuxnet contains as much code as some commercial software products. The complex code is object oriented and employs many programming techniques that demonstrate advanced knowledge in many areas, including the Windows operating system, Microsoft SQL Server, Siemens software, and Siemens PLCs. The malware also employs many advanced anti-analysis techniques that make reverse engineering difficult and time consuming.”
If this doesn’t make ICS managers just a tad bit concerned, I don’t think they are paying attention. This is a sophisticated tool designed to attack industrial control systems. We don’t know where it came from so we don’t know why it is being used. The limited numbers of folks working for ICS-CERT are working on this as are a number of people in the industry. I really think that it is time for ICS-CERT to convene a high-level conference to coordinate the study of this weapon system. We need to know a whole lot more before our systems can be adequately protected.