I’ve been disinterested in the Flame story and then the anti-Flame backlash. There isn’t any data yet that makes it more pertinent to the ICS world than any other non-ICS incident. Not that it isn’t a fascinating piece of malware worthy of investigation based on its size and apparent targeting.
But since your non-technical boss is probably hounding you about whether Flame will shut down your SCADA or DCS, why not come up with an answer that may help.
The best answer comes from Mikko Hypponen of F-Secure, an anti-virus vendor, at Thinking Digital:
“We realized, I guess to our horror, that it actually has been going around for at least two years, and basically every single anti-virus product has been missing it for the last two years.”
Mikko goes on to say that anti-virus also missed Stuxnet for about two years as well.
There are still vast numbers of critical infrastructure ICS that believe a DCS or SCADA security program consists entirely of a perimeter firewall (often with a porous ruleset) and anti-virus. Full stop. This is a very public example of anti-virus failure to stop malware — with even anti-virus vendors admitting the failure.
Image by Velo Steve