Companies infected by Stuxnet should not feel bad, even systems secured to industry best practices had little chance to dodge the pernicious programme, according to a recent report by Tofino Security.
In the paper, "How Stuxnet Spreads - A Study of Infection Paths in Best Practice Systems", three researchers concluded that the worm's multitude of infection vectors and companies' need for interconnectivity between control systems makes it nearly impossible to defend against a well-constructed, multi-pronged attack such as Stuxnet.
Even systems and networks secured according to the best practices set by Siemens, the manufacturer whose software was targeted by Stuxnet, are vulnerable to attack by the program, says Eric Byres, chief technology officer for Tofino Security and one of the authors of the paper.
"We know what it does to a poorly secured system, it eats it for lunch," he says. "We now know what it does to a well-secured one, it eats it for lunch too."
Stuxnet is now widely acknowledged as a state-sponsored cyberattack against Iranian nuclear facilities, specifically targeting computers running Siemens SIMATIC Process Control System 7, which experts have maintained is used in Iran's uranium processing plant. The program propagates slowly among computers by spreading to USB flash drives, spreads more quickly via network shares and by exploiting several vulnerabilities, including three that were unknown at the time of the original attack.
Byres, along with Andrew Ginter of Abterra Technologies and Joel Langill at SCADAhacker.com, found that multiple pathways exist to both infect targeted systems and to relay communications back to command-and-control servers managing the attack.
"This is a really complex system and if you think that you are going to air-gap it or focus on a single facet and fix it, you are crazy," Byres says.
Many companies have focused on the worm's ability to spread via USB flash drives. Malicious programs spreading through infected such devices have become a major problem for corporations, because of employee curiosity. In penetration tests conducted by Leviathan Security, 8 out of 10 employees that found a USB drive plugged it into a computer. All of those workers then went on to open up a spreadsheet labelled "LayoffNotice.xls," says Frank Heidt, CEO of Leviathan.
"You can tell your people, 'Hey, don't plug in USB sticks into your network,' but that is antithetical to human nature," Heidt says.
Byres warned that companies should not focus on any one vector used by Stuxnet, but apply defence-in-depth doctrine to better defend their systems. Moreover, the researchers concluded that companies will invariably be infected with increasingly sophisticated threats, making the detection and minimisation of the damage from such an infection paramount.
"The industry needs to accept that the complete prevention of control system infection is probably impossible," the report states. "Instead... the industry must create a security architecture that can respond to the full lifecycle of a breach."