I’ll start off by saying don’t believe all the FUD that’s been going around; we all know how members of the media are when they get hold of a story, especially one with a date in the future to speculate on.
That said, there are definitely some interesting things going on with the worm, but at heart that’s all it is: another worm, albeit one with a sophisticated command and control network. There are some good write-ups out there to get a basic understanding, and SRI has a very good paper if you’re interested in the technical details.
So how does this worm affect the world of control systems? Honestly, it shouldn’t, but whether you like it or not it’s a real-world test of a few policies you should already have in place. First, firewalls: 135/tcp and 445/tcp (and 139/tcp, the NetBIOS-over-TCP path to the same Server service) should be blocked at the control network boundary, because that’s the initial vector this worm uses, exploiting the MS08-067 vulnerability we talked about on patch day. I won’t say there’s no good reason to have these ports open into your SCADA network, but I haven’t heard one.
Next up, mobile computers that are used on both the control system network and other networks. File and print sharing might be blocked at the firewall, but if it’s enabled on the hosts and your systems are unpatched then you may well have a problem: not only will this worm, and others like it, try the MS08-067 vector, it will also try to log into SMB shares using a long list of common, poor passwords. Two tests here: are your SCADA admins allowed to connect their laptops to the corporate network too? How about home, coffee shop, or hotel networks? Those systems should be the first ones patched, and should be treated with more suspicion than others. Strong password policies should be common knowledge by now, and I would hope that none of the passwords the worm tries are protecting anything as important as access to a control system.
Sneaker net, the silent killer. Infected systems also infect the removable devices they use, so make sure the USB drive you’re using to move data back and forth isn’t already spreading badware. Disable autorun, be careful about sharing media with others and between systems, and please don’t plug thumb drives you’ve found somewhere into the control system network. You’re effectively sharing files with every other system that drive has been used on; it might not cause problems this time, but you’re asking for trouble.
Lastly, if you haven’t done any of these and you find yourself infected, good egress filtering should make the infection rather painless: an infected host that can’t reach the command and control network can’t fetch whatever comes next. Outbound connections should be denied by default, and those that are enabled should have a very good reason for being there.
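To make the firewall and egress points concrete, here is an added example (not from the original post) of an iptables-restore ruleset for a Linux gateway sitting between the corporate LAN and the control network, with a permissive "before" ruleset next to it and a small audit function that checks a saved ruleset for the two controls above: inbound 135/139/445 dropped, and FORWARD defaulting to deny with one documented egress exception. The subnets, the historian address and its port are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Subnets, historian address and
# port below are assumptions chosen for illustration only.
CORP_NET="10.10.0.0/16"      # assumed corporate subnet
CTRL_NET="192.168.50.0/24"   # assumed control-system subnet
HISTORIAN="10.10.5.20"       # assumed corp-side historian allowed to receive data
HIST_PORT="1433"             # assumed listener on the historian

# The "before": a gateway that forwards everything and even has an explicit
# allow for file sharing into the control net.
permissive_ruleset() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s ${CORP_NET} -d ${CTRL_NET} -p tcp -m multiport --dports 135,139,445 -j ACCEPT
COMMIT
EOF
}

# The "after": SMB/RPC from the corp side is logged and dropped (so an infected
# laptop shows up in the gateway log), and egress from the control net is
# denied by default with a single documented exception.
scada_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# MS08-067 / SMB password-guessing vectors: log, then drop
-A FORWARD -s ${CORP_NET} -d ${CTRL_NET} -p tcp -m multiport --dports 135,139,445 -j LOG --log-prefix "SMB-TO-CTRL "
-A FORWARD -s ${CORP_NET} -d ${CTRL_NET} -p tcp -m multiport --dports 135,139,445 -j DROP
# egress: only the historian push may leave the control net; anything else is logged and hits the DROP policy
-A FORWARD -s ${CTRL_NET} -d ${HISTORIAN} -p tcp --dport ${HIST_PORT} -j ACCEPT
-A FORWARD -s ${CTRL_NET} -j LOG --log-prefix "CTRL-EGRESS-DENY "
COMMIT
EOF
}

# Reads a ruleset in iptables-save format on stdin. Returns 0 only if the
# FORWARD chain defaults to DROP and no rule explicitly ACCEPTs 135, 139 or 445.
audit_ruleset() {
  rules=$(cat)
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  printf '%s\n' "$rules" \
    | grep -Eq -- '--dports? ([0-9]+,)*(135|139|445)(,[0-9]+)* .*-j ACCEPT' && return 1
  return 0
}

# Usage on the gateway (assumed to have iptables-restore available):
#   scada_ruleset | audit_ruleset && scada_ruleset | iptables-restore
```

The audit is deliberately narrow: it catches a FORWARD policy that was left at ACCEPT and any explicit allow of the worm's ports, which are the two mistakes that turn a corporate laptop into a path onto the control network. Run it against `iptables-save` output before and after a change rather than trusting the change ticket.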
In the meantime, there are a lot of ways to tell if you’ve got a problem; Nmap would be my tool of choice if you’re looking for one. So in the end, if you’re following good practices you don’t have anything to worry about, and if you’re not then you should have started worrying about this back in November.
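As an added example of the Nmap check above (not from the original post), the script below scans the control network for the worm's entry ports in grepable output mode and pulls out only the hosts that actually have them open, so the list you hand to the SCADA admins is the hosts to patch and firewall first. The scan output embedded in `sample_scan` is constructed for illustration, not a real capture; the live command is the one quoted in its first line.

```shell
#!/bin/sh
# Added example, not from the original post. The hostnames and addresses in
# sample_scan are constructed; the real command is in the first line of its output.
sample_scan() {
  printf '# Nmap 4.76 scan initiated as: nmap -p 135,139,445 -oG - 192.168.50.0/24\n'
  printf 'Host: %s (%s)\tStatus: Up\n' 192.168.50.10 hmi01
  printf 'Host: %s (%s)\tPorts: %s\n' 192.168.50.10 hmi01 \
    '135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///'
  printf 'Host: %s (%s)\tPorts: %s\n' 192.168.50.11 hist01 \
    '135/filtered/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///'
  printf 'Host: %s (%s)\tPorts: %s\n' 192.168.50.20 plc-gw \
    '135/closed/tcp//msrpc///, 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///'
  printf '# Nmap done\n'
}

# Reads nmap -oG output on stdin and prints "<ip> <port>" for every 135, 139
# or 445 that is open. Filtered and closed are the states we want to see, so
# they are skipped. Fields in -oG lines are tab-separated.
smb_exposed() {
  awk -F"$(printf '\t')" '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host); sub(/ .*/, "", host)   # keep the IP only
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports:/) continue
        n = split(substr($i, 8), ports, ", ")           # strip "Ports: " prefix
        for (j = 1; j <= n; j++) {
          split(ports[j], f, "/")                        # f[1]=port f[2]=state f[3]=proto
          if (f[2] == "open" && (f[1] == "135" || f[1] == "139" || f[1] == "445"))
            print host, f[1]
        }
      }
    }'
}

# Live use against a real network (requires nmap; not run here):
#   nmap -p 135,139,445 -oG - 192.168.50.0/24 | smb_exposed
scan_live() {
  nmap -p 135,139,445 -oG - "$1" | smb_exposed
}
```

With the constructed sample, `sample_scan | smb_exposed` lists the HMI on all three ports and the PLC gateway on 445 only; the historian shows nothing because its ports are filtered, which is the result you want from a host behind the firewall rules above.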