We have been focusing on the Duqu targeting in an attempt to determine what risk, if any, Duqu posed to SCADA and DCS owner/operators. In the last 24 hours there has been more confusion and then some clarity with new bulletins from ICS-CERT and Symantec.
Eric Chien of Symantec blogged that they were changing the terminology of who was targeted by Duqu from Industrial Control System Vendor to Industrial Industry Manufacturers. While attempting to clarify the issue, in some ways this just made matters worse. Fortunately some of the Symantec team were working today and helped clarify the issue. Based on discussions with Symantec, this is how I would characterize the targeting:
Some of the companies affected or targeted by Duqu include the actual equipment that an ICS would control such as motors, pipes, valves and switches. To date, the vendors that make the PLC, controllers and systems/applications found in control centers are not yet affected, although this information could change as more variants are identified and these vendors look more closely at their systems.
ICS-CERT also issued Update B of their Alert on Friday. This update was unequivocal as seen in this key paragraph:
ICS-CERT, in close coordination with Symantec and the original researchers, has determined after additional analysis that neither industrial control systems nor vendors/manufacturers were targeted by Duqu. In addition, as of October 21, 2011, there have been very few infections and there is no evidence based on current code analysis that Duqu presents a specific threat to industrial control systems.
This is in line with the explanation and description of the targeted companies by Symantec. Of course this can change if more affected companies are discovered. There still is the question of whether the author of Duku has any relationship with the Stuxnet creators, but this is of lesser importance for owner/operator risk management.
Image by Jeffrey