We are hearing more and more that a particular security control is inadequate or not worthwhile because “it would not have stopped Stuxnet”. This has come up in numerous comments on this blog and in other places, such as my friend Jake Brodsky’s blog entry. If we are not careful, this straw dog will stall progress on a lot of worthwhile security controls.
As Ralph Langner and many others have documented, Stuxnet was a complex, multi-faceted attack with a wide variety of exploits. Given the level of effort, especially in understanding the process logic and writing new ladder logic code, it is likely that Stuxnet’s creator would have developed or purchased additional exploits if necessary. So why should we expect any single administrative or technical security control to stop Stuxnet?
Yes, you could secure the PLC, but then a compromised authorized engineering workstation (EWS) could still change the program. You could secure the EWS, but then an attacker could attack the PLC directly … we could go on and on with these scenarios.
The community could throw up its collective hands and say it is impossible to stop Stuxnet so let’s only focus on securing the perimeter. I hope this won’t happen. Most of the proposed security controls will not stop Stuxnet, but they will stop a less skilled and motivated attacker who has gained access to the ICS network. It is pathetically easy to compromise a process today if you gain access to the control system network, often without even trying with denial of service during reconnaissance and enumeration.
So rather than judge every security control against Stuxnet, let’s pull out the threat models and look at what threats will be addressed by various administrative and technical security controls. Some of the solutions will be new security features in the vendor products; others may be add-on security software and hardware; and administrative security controls should not be forgotten. There is a mix of security controls that can reduce risk to an acceptable level and for many organizations that level may still allow an attack with a Stuxnet level of effort and ingenuity to succeed.
Image by Dominic Hargreaves