Security researchers discovered Stuxnet in 2010, and it has since become one of the most well-known malware campaigns in history. The attack was developed to damage programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems using four zero-day vulnerabilities in Microsoft Windows. What has the cybersecurity community learned from this incident?
SCADA Security Lessons From Stuxnet
Nowadays, not even the most secure plants are isolated from threats. In the case of Stuxnet, the gap between the isolated plant and open infrastructure was bridged by a USB key.
But what does Windows have to do with SCADA? SCADA systems are no longer isolated boxes running on proprietary protocols. Today, they can be accessed by a human/machine interface (HMI), either integrated with the rest of the IT environment or simply using classic IT. Therefore, defending SCADA is about protecting everything that surrounds the system.
Protecting OT to Secure IT
SCADA systems are an important but severely limited part of the IT arsenal required to provide a service. In the case of a nuclear plant, many devices belong to the operational technology (OT) environment, in addition to those that correspond to IT. In fact, cybercriminals often reach IT assets through holes in OT systems. This lets them discover vulnerabilities easily, without the technical know-how or pricey equipment needed to build an exploit from scratch.
OT consists of classic IT, SCADA, and many sensors and other devices. For this reason, OT is often included in discussions about the Internet of Things (IoT). The difference is that OT is always managed by someone who is responsible for security. In the case of IoT, there is very little accountability because devices such as smart refrigerators and cameras are often designed and operated by parties that have no stake in security whatsoever.
Learning From History
It is critical to protect your OT to keep cybercriminals from poking through, but don’t forget to protect your IT as well. It’s equally important to secure all IoT devices throughout the design phase. If IT professionals can learn from history, they can prevent a catastrophic incident like Stuxnet from befalling their organizations.