If it feels like I'm belaboring the importance of understanding Stuxnet, it's because, IMHO, it's a threat well worth belaboring. Stuxnet is the Mother of all industrial and utility sector cyber wake-up calls. And if you're an asset owner asleep at the wheel, it could be your momma, and your daddy too.
As I mentioned in a previous Stuxnet rant, good security tools and best "defense in depth" practices are a less-than-complete defense:
No matter how solid an org's security policies, no matter the level of adherence to defense in depth principles and security best practices, no matter how much security technology was deployed and how up-to-date it was kept, it is very likely that Stuxnet would have found a way in.
Now here's a real expert, Andrew Ginter of Industrial Defender on the excellent Findings from the Field blog, laying out the harsh reality of the Stuxnet wake-up from a (NERC and DHS) security standards point of view: A site protected with whitelisting/HIPS ... would have been CFATS or NERC compliant, and would have been protected from Stuxnet. Unfortunately, I am aware of only a handful of such sites, and no HIPS protection is mandated by NERC or CFATS. Sites with only antivirus deployed are seen by today's regulations as having adequate malware protection, but that protection would not have prevented Stuxnet compromises in the first year the worm circulated.
If you're new to whitelisting, here's a ZDNet blast from the past in 2008, featuring Microsoft security guru Scott Charney making the case that whitelisting is the future for most/all successful cyber security strategies. From my understanding of this approach, it's a huge step forward from where many orgs are today. But I also recall hearing Symantec's reverse engineer and Stuxnet expert Liam O'Murchu saying he thought Stuxnet could/would potentially morph to circumvent whitelisting defenses. Yikes.
Nevertheless, NERC and NERC CSO Mark Weatherford have been busy issuing guidance to utilities on how best to combat Stuxnet and Stuxnet-like threats. We're not privy to the actual details of that guidance, but you can gain a little insight into NERC's actions here and here. I'm not sure it's a Stuxnet defeater, but I for one am quite happy to hear Weatherford calling for more security in software development and sourcing processes.
Regarding preparations for future versions of Stuxnet targeting electrical infrastructure, forget compact fluorescents for the moment. Got midnight oil? Start burning it.
Andy Bochman and Jack Danahy are authors of the Smart Grid Security Blog.
© 2012 SmartGridNews