  Scott Wright's Security Views
Blog Entry

Stuxnet worm provides a glimpse into the future of industrial quality control and risk management

Thursday, September 16th 2010 @ 12:21 AM

Call me a pessimist, but in the not-too-distant future, I can see recalls of products like cars, heavy machinery, prescription drugs and everyday appliances in quantities that are 10 times greater than what we see today. It could make the Toyota recalls or the iPhone 4 antenna fiasco of 2010 look like a walk in the park for the quality assurance, legal and public relations departments of future large manufacturers. People who know me are pinching themselves because I’m normally quite an optimist. But the trend I see in the article discussed below has me worried.

A new direction for malware?

The Stuxnet worm is showing us the direction that malware may well be headed. In fact, this could be a whole new market for anti-malware vendors. But it could be a long time before manufacturers grasp the severity of the problem and take action. A story on the Threatpost.com website details how the Stuxnet worm works, and how it was brought under control.

When the computers you use to control manufacturing processes come under the control of hackers who have the means and motives to reprogram your production lines, you should be looking at the possible effect on safety and corporate liability. Most likely, that’s the hacker’s end goal – to put you out of business, or at least set you back in terms of market share. It may be a competitor, or it may just be a disgruntled customer or employee.

What's new about this attack?

Stuxnet first appeared as a targeted attack on Siemens manufacturing plants, and has the capability of reconfiguring their “Programmable Logic Controllers” – the computers that provide precision control of machinery and processes. You could find these kinds of controllers in almost any manufacturing plant in any part of the world.

The attack was very sophisticated, providing a reconnaissance phase and a reprogramming phase. For some reason, somebody wanted to put Siemens at a disadvantage in a new way. They could probably have caused as much damage to the corporate computer networks that handled the company’s financial transactions or even gone after intellectual property, as other attacks have done before on major corporations like Google and Adobe. But this attack showed a desire to affect the output of the manufacturing process of a particular company. It will be a very different landscape if more hackers start to build on what this attack was able to do.

In its first appearance, Stuxnet may have been discovered and shut down before much damage was caused. But it demonstrated a very large potential vulnerability among manufacturing companies. If a process controller can be reprogrammed to put a deliberate defect into a single aspect of a single component of a mass-produced product in a particular way, it could be extremely costly to the manufacturer. It could be like planting a time bomb in every vehicle that causes safety systems to fail in predictable ways that may not have been detected during factory testing. In fact, the software and configuration data going into many of these products is clearly a potential target of attackers wanting to cause damage to the company. But it could be even harder to detect an improperly tempered piece of glass or a steel aircraft part that may have a much smaller safety margin than a properly manufactured component.

What should manufacturers be doing to prepare for these kinds of attacks?

For this reason, manufacturers should be very concerned about:

  • Isolating computers in manufacturing areas, or limiting their access to networks and removable media, except under controlled conditions;
  • Doing regular and secure “image backups” of computer systems in manufacturing areas;
  • Doing frequent restores from clean images on those systems to flush out any existing infections that have not been detected yet;
  • Doing frequent scans of systems with anti-malware tools (which must use a strict updating procedure as well, to avoid introducing malware to the manufacturing environment themselves); and
  • Reviewing, approving, and auditing all system configuration changes frequently to detect any anomalies in the production processes.
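
As an added illustration of the last item in the list (not part of the original post or of any vendor's tooling): a Python script that compares the files in a configuration directory against a baseline taken from a clean image and reports every change that no approved change record covers. The file names, settings and the shape of the approval record are assumptions made up for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash in chunks so large project files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(config_dir):
    """Map each file's path (relative to config_dir) to its SHA-256 digest."""
    return {p.relative_to(config_dir).as_posix(): sha256_file(p)
            for p in sorted(config_dir.rglob("*")) if p.is_file()}


def audit(baseline, current, approved):
    """List (path, finding) for each change no approval covers.

    approved maps a path to the digest a reviewed change authorised,
    or to "" when the review authorised removing the file.
    """
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new or approved.get(path) == (new or ""):
            continue  # unchanged, or exactly what was signed off
        kind = ("new file" if old is None
                else "removal" if new is None else "modification")
        findings.append((path, "unapproved " + kind))
    return findings


if __name__ == "__main__":
    # Constructed sample data: two made-up settings files in a temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "oven.cfg").write_text("temp=620\n")
        (root / "press.cfg").write_text("pressure=40\n")
        baseline = snapshot(root)            # taken from the clean image
        (root / "oven.cfg").write_text("temp=580\n")    # no change record
        (root / "press.cfg").write_text("pressure=42\n")  # reviewed change
        current = snapshot(root)
        approved = {"press.cfg": current["press.cfg"]}
        for path, finding in audit(baseline, current, approved):
            print(path, finding)
```

Keeping the baseline and the approval records on a system outside the manufacturing network means an infection on the audited machine cannot quietly rewrite them.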

A shift to improving risk management and quality in the short term could pay off

We can no longer assume that just because a product passed the tests in the factory that it is safe. Neither can we assume that these attacks are infeasible or unlikely.

Look at it this way. Manufacturers can either crank up the Risk Management and QA teams now, or crank up the PR and Legal teams later.

Scott Wright

The Streetwise Security Coach