NitroView is NitroSecurity's security information and event management (SIEM) product, which monitors enterprise networks, applications, and databases in real time for anomalous events. What's new is that NitroView will gain the ability to monitor operational data collected by OSIsoft's PI System, a data historian used by about 65% of the control system market.
To date, unlike enterprise networks, control system environments have had few -- if any -- information security controls. Instead, operators focused on monitoring operational parameters or set points like temperature and pressure. The chance of a virus or worm "crossing over" from an enterprise network to an industrial control system seemed remote, at best.
"Stuxnet turned that upside down," said Eric Knapp, director of critical infrastructure markets at NitroSecurity. "It infected the routable Windows or Linux side, and used that to directly infect programmable logic controllers, and directly injected malware into the ladder logic, the full contents of which we still don't know."
Interestingly, simply searching for Stuxnet can create problems. "It infects programmable logic controllers (PLCs), and you can't run antivirus on them, so the only way to see if the PLC is infected is to plug a controller into it, and see if the logic has been altered," said Knapp. "But if you plug in a controller and it's infected and you don't know it, then you've just infected the PLC."
As that suggests, this critical infrastructure attack likely isn't the work of script kiddies. "The code is sophisticated, incredibly large, required numerous experts in different fields, and [is] mostly bug-free, which is rare for your average piece of malware," according to Eric Chien, technical director of Symantec Security Response, which on Friday released an in-depth Stuxnet analysis. Furthermore, the creators, ultimate purpose, and target of Stuxnet remain unknown.
When it comes to industrial control system security, however, Stuxnet isn't the only game in town. "You can't talk about Stuxnet without talking about zero-days, and you can't watch for a zero-day because you don't know what it looks like," said NitroSecurity's Knapp. "But what you can do is understand what should be happening and look for anomalies. We're able to do dynamic baselines on anything we pull into our SIEM, and control systems are no different."
In fact, control systems turn out to be somewhat easier to monitor than enterprise networks. "Everything is extremely well defined," he said. "If a set point changes that adjusts temperature or pressure, it changes at known times with very well-known patterns. If we detect an anomaly in that -- the same thing happens over and over again, and all of a sudden something different happens -- we can flag that."
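The approach Knapp describes, learning what a set point normally does and flagging departures from it, can be shown in a few dozen lines. The following is an added illustration written for this article, not NitroView's own logic or anything from OSIsoft; the tag name, the shift pattern (set point raised by 5.0 at 06:00 and lowered at 18:00 every day) and the injected 02:00 change on the last day are all constructed sample data. The baseline records which (hour-of-day, delta) transitions each tag normally makes and the value range seen; a change that does not match a known transition, or that lands outside the historical range, is flagged.

```python
"""Dynamic set-point baseline and anomaly flagging (added illustration)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TAG = "Reactor1.Temp.SP"  # hypothetical historian tag name (assumption)
START = datetime(2010, 10, 1)


def build_sample(days=6, anomaly_day=5):
    """Constructed hourly readings: +5.0 at 06:00, -5.0 at 18:00 each day.
    On anomaly_day the set point jumps to 210.0 at 02:00, a time and a
    value never seen in the baseline. Pass anomaly_day=None for clean data."""
    records, value = [], 150.0
    for hour in range(days * 24):
        ts = START + timedelta(hours=hour)
        if ts.hour == 6:
            value += 5.0
        elif ts.hour == 18:
            value -= 5.0
        if anomaly_day is not None and hour // 24 == anomaly_day and ts.hour == 2:
            value = 210.0
        records.append((ts, TAG, value))
    return records


def extract_changes(records):
    """Yield (timestamp, tag, old, new) for every set-point change per tag."""
    last = {}
    for ts, tag, value in sorted(records):
        prev = last.get(tag)
        if prev is not None and value != prev:
            yield ts, tag, prev, value
        last[tag] = value


def learn_baseline(records):
    """Per tag: counts of (hour, delta) transitions and the observed value range."""
    transitions = defaultdict(Counter)
    value_range = {}
    for ts, tag, value in records:
        lo, hi = value_range.get(tag, (value, value))
        value_range[tag] = (min(lo, value), max(hi, value))
    for ts, tag, old, new in extract_changes(records):
        transitions[tag][(ts.hour, round(new - old, 3))] += 1
    return {"transitions": transitions, "range": value_range}


def detect(records, baseline, min_support=2):
    """Flag changes whose (hour, delta) was seen fewer than min_support times
    in the baseline, or whose new value lies outside the baseline range.
    Returns a list of (timestamp, tag, [reasons])."""
    alerts = []
    for ts, tag, old, new in extract_changes(records):
        reasons = []
        key = (ts.hour, round(new - old, 3))
        if baseline["transitions"][tag][key] < min_support:
            reasons.append(f"unseen transition {old}->{new} at hour {ts.hour:02d}")
        lo, hi = baseline["range"].get(tag, (new, new))
        if not lo <= new <= hi:
            reasons.append(f"value {new} outside baseline range [{lo}, {hi}]")
        if reasons:
            alerts.append((ts, tag, reasons))
    return alerts


def run_demo(anomaly_day=5, baseline_days=5):
    """Train on the first baseline_days days, then scan the remainder."""
    history = build_sample(anomaly_day=anomaly_day)
    split = baseline_days * 24
    baseline = learn_baseline(history[:split])
    return detect(history[split:], baseline)


if __name__ == "__main__":
    for ts, tag, reasons in run_demo():
        print(ts.isoformat(), tag, "; ".join(reasons))
```

With the constructed data the scan produces three alerts: the 02:00 jump itself (unknown transition and out-of-range value), and the two routine shift changes later that day, which still match known transitions but now operate around a value the baseline never saw. The same day with no injected change produces no alerts. A real deployment would learn the baseline per tag from historian data rather than from an embedded generator, and would add a time-based tolerance so a change a few minutes early or late is not flagged.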