Showing posts with label Industrial Defender. Show all posts

Thursday, August 26, 2010

Stuxnet Update

Those of you who follow me on Twitter® (http://twitter.com/pjcoyle) will have noted that yesterday I re-tweeted an announcement from Industrial Defender that they had updated their White Paper on the Stuxnet worm (ID calls it a worm, others have called it a virus or a Trojan). That re-tweet was based upon my experience with their past information. Late last night I finally had a chance to read their updated paper and I certainly was not disappointed.

I have frequently found that white papers by technology companies have been little more than advertising copy for products they sell. Industrial Defender is in the business of providing cyber security services, and there is a brief mention of two of their products in this document, but it hardly counts as real advertising as there are no claims about how well their product does against other such products available in the market.


The White Paper does provide a very good technical discussion of how Stuxnet works and propagates. It outlines what is known about the history of the malware and the response of both Microsoft and Siemens to the problem. While the discussion is technical, you don’t have to be a systems engineer to understand the points being made. Anyone with any significant experience in SCADA operations (not necessarily programming) should be able to follow the discussion without significant problems.

Most importantly, the paper provides a detailed discussion about how facilities can protect themselves from future problems with Stuxnet and outlines the types of steps that must be taken to safely remove a Stuxnet infection. Probably the most important piece of advice in the latter discussion is to closely involve your control system vendor in any removal operations.

The current version of the White Paper is a 21 page .PDF file which downloads quickly. You do have to register with Industrial Defender to be able to complete the download, but the process allows you to opt out of receiving sales literature if you so desire. The download page does provide access to a number of other Industrial Defender information products, including two webinars on the Stuxnet problem.

I think that anyone with a Siemens industrial control system should certainly download and spend some time studying this white paper. Industrial Defender has done an excellent job of preparing and presenting this information. It is certainly a valuable service to the control systems security community.

Wednesday, April 28, 2010

Cyber Security Article

Twitter® is becoming a very valuable tool for finding articles of interest on the Internet. Many writers are posting notices of their articles on Twitter (like I have been doing for over a year now) and other writers and info gatherers re-tweet those notes. That’s how I found this article on ChemicalProcessing.com. It is an interesting look at cyber security for industrial control systems at CFATS facilities written by Andrew Ginter, of Industrial Defender. The article provides some valuable advice for dealing with Risk-Based Performance Standard 8, Cyber Security. It provides a list of 13 “Key Implementation Challenges” with a brief discussion of each. They range from having a security policy to using a layered approach to security design. There are a couple that deserve special mention and I recommend reading the author’s description:
Awareness and training; Monitoring and incident response; System development and acquisition; and Interconnectivity of critical and non-critical systems.
Oh, yes; I was particularly impressed that Andrew discussed “Business continuity and disaster recovery” and did not resort to using the current buzz word, ‘Resiliency’. He does note that a good “cyber-security posture should include planning to ensure continuity of operations and facilitate restoration of all critical cyber assets”. In my mind this disaster recovery is especially important when the facility cyber assets can potentially control the release of toxic chemicals, prevent mixing of incompatible materials, or maintain safety-critical storage conditions.

If these 13 challenges were all that were contained in this article it would be a valuable information source for CFATS security managers. But Andrew provides a special bonus in a side-bar entitled: “Field Surveys Provide Troubling Findings”. He provides a summary of cyber security information that Industrial Defender has compiled from critical infrastructure assessments that they have done over the last couple of years. The three “widespread cyber-security issues” will point cyber security managers at important potential flaws in their security posture that are well worth looking at.

I certainly recommend that all CFATS security officers and cyber security officers read this informative article. Once again, a single article will not make you a cyber security expert, but it will give you an appreciation of the potential problems and allow you to talk to a real expert without feeling foolish.
 