Stuxnet is one of the most complex malware threats observed to date. Here's how to protect critical infrastructure from the next Stuxnet to come along.
Implement and enforce device control policies
A feature of most endpoint protection suites (and available in a basic form through Windows Group Policy), device control lets administrators monitor and restrict what removable devices may do on a host by defining and enforcing policies. Because industrial control systems are often kept off the Internet and the wider corporate network for security reasons, thumb drives are routinely used to move data to and from them and to carry in patches. Stuxnet's authors knew this, and the worm's spread depended on it: a crafted shortcut (.LNK) file on an infected drive caused Windows Explorer to load a malicious DLL from the drive as soon as the folder was viewed, with no click and no autorun required.
In fact, infected thumb drives carried into organisations by unwary contractors were likely one of the initial propagation methods used to spread the threat. Device control policies govern which files and applications may run from removable media and, if set properly, will stop malicious executables and libraries such as Stuxnet's from running on the targeted systems. Two caveats: a drive-level execute block does not stop someone copying a file to the local disk and running it there, so pair it with an application allowlist; and a policy has to be audited as well as set, because a single exempted drive, user or host undoes it.
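A minimal version of such a policy on a Windows host, as an added example that is not from the article and not any vendor's device control product: it writes the registry values behind the Group Policy setting "Removable Disks: Deny execute access", verifies that they are present, and then audits what executable content is currently sitting on mounted removable drives. The policy key and the "Disk drives" device class GUID are the ones the policy editor itself writes; the extension list and the scan are this example's own choices.

```powershell
# Added example (not from the article, and not any vendor's device control
# product): deny execution from removable disks via the registry values behind
#   Computer Configuration > Administrative Templates > System >
#   Removable Storage Access > "Removable Disks: Deny execute access"
# then verify the setting and list executable content on mounted removable drives.
# Assumptions: run elevated on a Windows host; $PolicyRoot and $DiskClass are
# the policy key and the "Disk drives" device setup class GUID that the policy
# editor writes; $Extensions is this example's own list.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClass  = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$Extensions = @('*.exe', '*.dll', '*.sys', '*.scr', '*.com', '*.cpl')

function Set-RemovableDiskExecutionDenied {
    $key = Join-Path $PolicyRoot $DiskClass
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 1 = deny. Deny_Read / Deny_Write are deliberately left unset so operators
    # can still move data and patch files; only execution is blocked.
    Set-ItemProperty -Path $key -Name Deny_Execute -Value 1 -Type DWord
}

function Test-RemovableDiskExecutionDenied {
    # Checks only that the policy value is present, not that it is enforced yet
    $key = Join-Path $PolicyRoot $DiskClass
    if (-not (Test-Path $key)) { return $false }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($props.Deny_Execute -eq 1)
}

function Get-RemovableExecutableContent {
    # DriveType 2 = removable disk in Win32_LogicalDisk
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object {
            Get-ChildItem -Path "$($_.DeviceID)\" -Recurse -Force -Include $Extensions -ErrorAction SilentlyContinue
        } |
        Select-Object FullName, Length, LastWriteTime
}

Set-RemovableDiskExecutionDenied
if (-not (Test-RemovableDiskExecutionDenied)) {
    throw 'Deny_Execute was not written; check that the session is elevated.'
}
'Execute access from removable disks is denied by policy.'

# Anything listed here arrived on a drive and is worth asking questions about
Get-RemovableExecutableContent | Format-Table -AutoSize
```

The setting takes effect at the next Group Policy refresh or reboot, and in a domain it should be pushed through a GPO rather than written host by host; the registry write above is for a standalone or test machine. The audit at the end is the part most organisations skip: it tells you what actually turns up on drives in practice, which is the input you need for deciding what an allowlist should permit.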
Install, and if necessary lobby for the ability to install, host-based intrusion prevention systems
Installing intrusion prevention software directly on industrial control system hosts is another effective way of preventing a Stuxnet-style infection. A host-based intrusion prevention system watches for suspicious behaviour on the control system itself, such as a new driver or service being installed or an unknown process rewriting files that the PLC programming software loads, and blocks it or locks the host down when policy calls for it, so that new malware cannot be introduced.
Many industrial control system vendors are reluctant to allow third-party software on systems they have to validate and support, and some withdraw support if it is installed, but Stuxnet demonstrated that the game has changed and closer co-operation between vendors and asset owners is warranted.
Ensure certificate revocation information is updated at an appropriate tempo
To evade detection and bury itself deeper in targeted systems, Stuxnet signed its kernel drivers with two stolen code-signing certificates, one issued to JMicron and the other to Realtek, so that they would pass as legitimate vendor software. Both certificates were revoked once the theft was discovered, but a system whose certificate revocation information was not kept up to date would still have accepted the stolen certificates as valid. There is no reason to think that future threats will not also exploit compromised certificates, so a signature made with a known-revoked certificate should be treated as an indicator of compromise, not merely as a failed validation.
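What "kept up to date" means in practice can be checked rather than assumed. The following is an added example, not code from the article: it walks a set of directories, and for every signed executable or driver builds the signer's certificate chain with revocation checking switched on explicitly, reporting files whose chain is revoked or whose revocation status the host cannot determine. The scan path is a placeholder for the directories your control system hosts load code from; the function and its output fields are this example's own.

```powershell
# Added example (not from the article): find signed executables and drivers
# whose signing chain is revoked, or whose revocation status the host cannot
# determine, by building an X509Chain with revocation checking turned on rather
# than relying on the Authenticode Status field alone.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows; $ScanPaths is
# a placeholder for the directories your control system hosts load code from.

using namespace System.Security.Cryptography.X509Certificates

function Test-SignerRevocation {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Online fetches CRLs/OCSP from the CA; Offline uses only what is already
        # cached on the host, which is what an isolated ICS host actually believes.
        [X509RevocationMode]$Mode = [X509RevocationMode]::Online
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path              = $Path
        Signature         = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer            = $null
        Revoked           = $false
        RevocationUnknown = $false
        ChainErrors       = @()
    }
    if (-not $sig.SignerCertificate) { return [pscustomobject]$result }

    $result.Signer = $sig.SignerCertificate.Subject
    $chain = [X509Chain]::new()
    try {
        $chain.ChainPolicy.RevocationMode = $Mode
        $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
        # Build() returns $false on any chain error; the reasons are in ChainStatus
        [void]$chain.Build($sig.SignerCertificate)
        $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $result.ChainErrors       = @($flags | ForEach-Object { $_.ToString() })
        $result.Revoked           = $flags -contains [X509ChainStatusFlags]::Revoked
        $result.RevocationUnknown = ($flags -contains [X509ChainStatusFlags]::RevocationStatusUnknown) -or
                                    ($flags -contains [X509ChainStatusFlags]::OfflineRevocation)
    }
    finally {
        $chain.Reset()
    }
    [pscustomobject]$result
}

# Assumption: adjust to the directories that matter on your hosts.
$ScanPaths = @("$env:SystemRoot\System32\drivers")

Get-ChildItem -Path $ScanPaths -Recurse -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignerRevocation -Path $_.FullName -Mode Offline } |
    Where-Object { $_.Revoked -or $_.RevocationUnknown } |
    Format-Table Path, Signature, Signer, Revoked, RevocationUnknown -AutoSize
```

Running it with `-Mode Offline` is the point for an isolated host: if the cached CRL for a signer's issuer has passed its next-update time and nobody has carried a fresh one in, the result is RevocationUnknown for every file from that issuer, which is exactly the stale-revocation state the section warns about. A Revoked result should go straight to incident response; the chain is evaluated as of now, so a signature timestamped before the revocation still shows up, and that is what you want when hunting. Note also that not every signature consumer on a Windows host consults revocation data (driver code integrity checks at load time do not go online, for instance), so the revocation tempo pays off mainly through the endpoint protection, application control and review steps that do check it.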
Use endpoint management software to ensure adequate patching procedures
As previously mentioned, Stuxnet, like many targeted and non-targeted attacks, used previously unknown software vulnerabilities to gain access to susceptible systems; it also exploited an older Windows vulnerability for which a patch had been available for well over a year. Security updates were issued for the vulnerabilities Stuxnet exploited, but unless the patches were actually applied, systems remained as vulnerable as ever.
Endpoint management solutions help deploy patches and, just as importantly, verify that they were actually applied. This matters most for patches issued out-of-band, which are easily overlooked because they fall outside the routine patch schedule; a verification step that compares each host's installed updates against a required list catches both the scheduled and the out-of-band gaps.
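The verification step, as an added example rather than anything from the article or from a particular endpoint management product: it queries the updates Windows records as installed on one or more hosts and reports every required KB that is missing or cannot be confirmed. The required list is yours to maintain from vendor advisories; the single entry used here, KB2286198, is Microsoft's fix (bulletin MS10-046) for the shortcut (.LNK) vulnerability Stuxnet used to spread from removable drives, and stands in for whatever your list contains.

```powershell
# Added example (not from the article): compare the updates installed on a host
# against a required KB list and report the gaps.
# Assumptions: the hosts can be queried with Get-HotFix (local, or by name over
# DCOM); the required list is maintained by you from vendor advisories.
# KB2286198 (Microsoft bulletin MS10-046, the .LNK shortcut fix used by Stuxnet
# to spread from removable drives) is the illustrative entry.

function Get-MissingUpdates {
    param(
        [Parameter(Mandatory)][string[]]$RequiredKB,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        try {
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                           ForEach-Object { $_.HotFixID.ToUpperInvariant() })
            $reachable = $true
        }
        catch {
            # An unreachable host is reported, not silently skipped: "unknown" is
            # not "patched".
            $installed = @()
            $reachable = $false
        }
        foreach ($kb in $RequiredKB) {
            $id = $kb.Trim().ToUpperInvariant()
            if ($id -notmatch '^KB\d+$') { $id = "KB$id" }   # accept "2286198" as well as "KB2286198"
            [pscustomobject]@{
                ComputerName = $computer
                KB           = $id
                Reachable    = $reachable
                Installed    = $reachable -and ($installed -contains $id)
            }
        }
    }
}

# Required list: keep out-of-band releases here alongside the scheduled ones;
# they are the entries a calendar-driven process forgets.
$Required = @('KB2286198')

Get-MissingUpdates -RequiredKB $Required |
    Where-Object { -not $_.Installed } |
    Format-Table ComputerName, KB, Reachable, Installed -AutoSize
```

Get-HotFix reads what Windows servicing recorded, so it will not see application-level patches from the control system vendor; those need a separate check against the vendor's own version or file data. Feed the output into whatever ticketing or reporting the endpoint management tool already provides rather than leaving it on a console, since the value of the check is that someone acts on an unpatched host before the next infected drive arrives.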