When Worlds Collide Part II – More on Stuxnet

After submitting the first blog on Stuxnet, I’ve been inundated with people who “get it.” One person in particular (Joe Weiss) highlighted for me a point worth emphasizing, to really drive it home to some folks who “need to get it.”

Stuxnet and threats like it don’t just go after SCADA (as most of the coverage has framed it): this is not an IT issue. Stuxnet goes after the PLC, and it is built to alter what the PLC does. This is, in effect, an IT exploit targeted at a vital system that is not an IT system.

The people who need to “get it” here are the engineers, operators and managers who aren’t used to thinking of their manufacturing control systems as exposed to a range of virulent IT threats. This is targeted, it’s powerful and it has the potential to wreak havoc…and it’s really a harbinger of things to come.

This is what it means to have worlds collide: the malware that used to threaten your PC can now go after your assembly line, and a new audience has to engineer and streamline operations to take this into account in their architectures, planning, implementations and operations.

3 Responses to “When Worlds Collide Part II – More on Stuxnet”

  1. [...] new piece from Sam Curry makes a valid point about StuxNet and the vulnerability it reveals: The people who need to “get [...]

  2. Guy Chapman says:

    The weak point in any security and compliance regime has always been the human factor.

    Companies which are serious about security should use only secure USB keys, of course, and should have a good endpoint protection regime, but they should also have a culture of compliance. In too many companies the general attitude to security and compliance is that it’s a nuisance, an impediment to productivity. This is not new; in the old days people would prop the fire door open when they went out for a smoke, now they’ll bring software or music in on removable devices written in an uncontrolled environment. It’s all the same problem: convenience v. “the rules”, especially when the direct (to them) consequences of failure to follow the rules are not obvious to those breaking them.

    Companies can help here. They can educate staff and support them in securing their own domestic IT environment against threats – the home PC, connected via VPN or from which data and email are moved to and from work, is a soft target. It should not be.

    My company provides, as part of its license with our antivirus vendor, free and full access to endpoint protection software for my own computers, and I use it. But they don’t provide access to SaaS threat screening proxies for web surfing – perhaps they should. Or maybe that’s an impossible dream in a world where a significant minority will want to use their home computers for things they would very much rather their employer did not know about, and that includes accessing a lot of sites that those threat protection sites might find troublesome. Is there much appetite in the corporate world for ensuring that if your staff want porn and warez at home, it is at least malware-free porn and warez? Maybe that’s the real disconnect here. “Just say no” has a pretty poor track record when stacked up against human desires, and maybe the real need is for companies to recognise and work with that.

    http://www.chapmancentral.co.uk/blog/2010/09/stuxnet/

  3. Imagine what the implications are when this activity, as with all others since the Morris worm, goes into a more available mode: people buying kits to activate this and target anything from mom and pop shops to major corporations, from espionage down to ex-boyfriends’ cars…
    What next? Security is a process, people, it’s not a point in time. And it is getting more affordable. We are getting better at sharing solutions. Thanks Sam!