Stuxnet

Statements by DHS Secretary Janet Napolitano just knocked me off my 12-step program to stop Stuxnet blogging. She was quoted in a Computer World article saying:

“The key thing we learnt from Stuxnet was the need for rapid response across the private sector,” DHS Secretary Janet Napolitano told engineering students at the University of California, Berkeley. “There, we need to increase the rapidity of response, because in that area — as in several other recent attacks — we’ve seen very, very sophisticated, very, very novel ways of attacking. When you’re getting at control systems, now you’re really talking [about] taking things over, so this is an area of deep concern for us.”

Where was the DHS/ICS-CERT rapid response, or even any helpful response? As I have harped on in this blog, two months after the world became aware of Stuxnet it took a small team in Germany to disclose that it targeted a specific process, how to determine if your process was the target, and that its real impact was on the PLC. DHS should be pointing the finger at itself and saying this is how we are going to change to provide timely and useful information to the community for the next Stuxnet, leveraging the large investment the USG has made at INL and other National Labs.

The article’s author perpetuates the myth that DHS/ICS-CERT understood Stuxnet:

When Stuxnet hit, the U.S. Department of Homeland Security was sent scrambling to analyze the threat. Systems had to be flown in from Germany to the federal government’s Idaho National Laboratory. In short order the worm was decoded, but for some time, many companies that owned Siemens equipment were left wondering what, if any, measures they should take to protect themselves from the new worm.

Not true. In short order the worm was not decoded by ICS-CERT/INL/DHS. They did not know it attacked a specific process. They did not know all the sophisticated 315 and 417 attacks until they got information from Ralph Langner and later from Symantec in September — two months after the attack.

Even today, nine months after Stuxnet, ICS-CERT is downplaying the PLC component in all of its bulletins. The S7 PLCs are still vulnerable to a Stuxnet or Stuxnet-derivative attack, as are most other vendors’ field devices. Secretary Napolitano could have done the community a great service by stressing that vendors and asset owners need to add and implement basic security features in the systems that control the critical infrastructure.

Lest this be considered another ICS-CERT / DHS bashing blog: it was disappointing, but not a complete surprise, that ICS-CERT/DHS failed on Stuxnet. It was very different from anything the world had seen before. Until Stuxnet, ICS-CERT was primarily a vulnerability disclosure coordination group. Is it still, or what has changed since Stuxnet? What additional resources do they have to investigate exploit code, and what policy changes do they have to put out useful information? The bulletins that have come out in recent months point to a continued primary focus on coordination rather than a healthy allocation of resources to understanding the identified vulnerabilities.

Now back to step 1 in the program, but it may not last long because ICSJWG is next week in Dallas.

Image by annnna_