Stuxnet is one of the most complex malware threats observed to date. Here's how to protect critical infrastructure from the next Stuxnet to come along.
(This vendor-written piece has been edited to eliminate product promotion, but readers should note that it's likely to favour the submitter's approach.)
While it has been disturbing to see internet threats become driven by financial gain, the Stuxnet virus signals the arrival of something more worrisome: a new class of threat designed to seize and control critical infrastructure.
Stuxnet is one of the most complex threats observed to date. Not only did it utilise interesting antivirus evasion techniques and complex process injection code, it also pioneered new frontiers in virus design, including the use of four separate zero-day vulnerabilities and the first ever rootkit designed specifically for programmable logic controller systems.
Most notable, however, is the fact that it was designed to reprogram industrial control systems - computer programs used to manage industrial environments such as power plants, oil refineries and gas pipelines. It is the first known malware designed specifically to target such systems with the goal of impacting real-world equipment and processes.
Stuxnet's ultimate objective was to alter the speed at which certain frequency converter drives - power supplies that control the rotational speed of electric motors - operated. Stuxnet only targeted systems with drives that functioned at a certain frequency, most notably, gas-centrifuge-based systems used in uranium enrichment. Altering the frequencies of the drives, as Stuxnet is designed to do, will effectively sabotage the enrichment procedure, likely damaging the affected centrifuges in the process.
Much of the threat posed by Stuxnet has been neutralised, but this epochal change in the threat landscape still raises many troubling questions. Enterprises that run or manage critical infrastructure have much to learn from Stuxnet. For those charged with the management of industrial control systems, implementing specific recommended defences can spell the difference between a safeguarded, properly functioning system and an infected one.
What follows is a breakdown of best practices to help erect a defence-in-depth barrier to this new type of threat.
Leverage reputation-based detection techniques
Traditional protections, such as signature-based antivirus, are the most common method of defending against the initial infection stage. Unfortunately, many modern pieces of targeted malware rely on mutated code that is altered before each new attack and tested against antivirus solutions to ensure it will evade detection.
Some malware even utilises self-mutating code that makes it all but invisible to traditional signature-based protection. In addition, signature-based detection is ineffective at identifying brand new, never-before-seen malware. Such was the case with many of the initial Stuxnet infections.
Look for a reputation-based detection system that leverages massive databases containing demographic information on virtually all good and bad files in existence to single out unknown and likely malicious software applications.
Take advantage of managed security services
Managed security services are offered by many security vendors. The goal is to shift the burden of security operations to a qualified vendor. In the case of Stuxnet, managed security services would, for example, watch for downloaded data traffic carrying .LNK files, which could potentially be related to one of the now patched zero-day vulnerability exploits used by the threat.
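The two controls above (reputation scoring of unknown files, and a monitoring service that watches download traffic for .LNK files) can be combined in one piece of detection logic. The following Python is an added example written for this article, not code from any vendor: the proxy log format, the reputation table, the sample log lines and the hash values are all constructed for illustration, and the shortcut MIME type check is an assumption.

```python
import re

# Constructed proxy log format (assumed for this example, not from the article):
# timestamp client_ip method url status content_type bytes sha256
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+) (?P<sha256>[0-9a-f]{64})$"
)

# Constructed hashes standing in for real file digests.
GOOD, NEW, UNSEEN = "a" * 64, "b" * 64, "c" * 64

# Constructed reputation table: sha256 -> (machines it was seen on, days since first seen).
# A real reputation service backs this with a very large prevalence database.
REPUTATION = {
    GOOD: (1_250_000, 900),  # widely seen and old: well-known good file
    NEW: (3, 1),             # rare and brand new: low prevalence, treat as suspect
}

def reputation_verdict(sha256, min_prevalence=50, min_age_days=30):
    """Classify a file by prevalence and age; a file nobody has seen is 'unknown'."""
    entry = REPUTATION.get(sha256)
    if entry is None:
        return "unknown"
    prevalence, age_days = entry
    if prevalence >= min_prevalence and age_days >= min_age_days:
        return "trusted"
    return "low-prevalence"

def is_lnk_download(rec):
    """A completed (2xx) download whose URL path or MIME type indicates a Windows shortcut."""
    if not rec["status"].startswith("2"):
        return False
    path = rec["url"].split("?", 1)[0].lower()
    # application/x-ms-shortcut is assumed here as the MIME type a proxy may log for .LNK files.
    return path.endswith(".lnk") or rec["ctype"].lower() == "application/x-ms-shortcut"

def find_lnk_downloads(log_text):
    """Return (client, url, sha256, verdict) for each .LNK download found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of stopping the monitor
        rec = m.groupdict()
        if is_lnk_download(rec):
            hits.append((rec["client"], rec["url"], rec["sha256"], reputation_verdict(rec["sha256"])))
    return hits

# Constructed sample log: one benign PDF, one .lnk download, one failed (404) .LNK request,
# and one download whose extension hides the shortcut but whose MIME type gives it away.
SAMPLE_LOG = "\n".join([
    f"2010-07-14T09:12:01Z 10.1.2.3 GET http://intranet.example/docs/report.pdf 200 application/pdf 48213 {GOOD}",
    f"2010-07-14T09:12:44Z 10.1.2.3 GET http://share.example/tmp/Copy%20of%20Shortcut.lnk 200 application/octet-stream 4171 {NEW}",
    f"2010-07-14T09:13:02Z 10.1.2.9 GET http://share.example/tmp/old.LNK?x=1 404 text/html 312 {UNSEEN}",
    f"2010-07-14T09:14:10Z 10.1.2.9 GET http://cdn.example/update.bin 200 application/x-ms-shortcut 2048 {UNSEEN}",
])

if __name__ == "__main__":
    for hit in find_lnk_downloads(SAMPLE_LOG):
        print(hit)
```

Only the two completed shortcut downloads are reported; the failed request is ignored, and each hit carries a verdict so an analyst can triage a never-seen file ahead of a widely distributed one.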