The security world is agog over new malware that has been spreading via USB storage devices and is programmed to steal data from systems running specific software used in utilities and industrial manufacturing plants.
The worm, dubbed Stuxnet, propagates by exploiting a hole in all versions of Microsoft Windows in the code that processes shortcut files, ending in “.lnk,” according to a Microsoft Malware Protection Center blog post. Merely browsing to the removable media drive using an application that displays shortcut icons, such as Windows Explorer, will run the malware without the user clicking on the icons. The worm infects USB storage devices or other removable storage devices that are subsequently connected to the infected machine. Those USB storage devices then infect other machines much like the common cold is spread by infected people sneezing into their hands and then touching door knobs that others are handling. Symantec researchers said they are seeing between 8,000 and 9,000 infection attempts a day.
Once the machine is infected, a Trojan looks to see if the computer it lands on is running Siemens’ Simatic WinCC software. The malware then uses a default password that is hard-coded into the software to access the control system’s Microsoft SQL database.
Just Say No To Windows?
Now it would be easy to say that “friends don’t let friends use Windows,” but that is not the solution. You might also wonder why a well-known default password is hard-coded into an application that runs critical infrastructure. Windows is here to stay, so you had better have a plan to live with it; hard-coded default passwords, on the other hand, sit somewhere near the top of the list of what not to do. I won’t even go there.
What About Changing The Default Siemens Password?
Siemens spokesman Michael Krampe says don’t do it. Changing the password would interrupt communications between the WinCC software and the Microsoft SQL database and interfere with the operations. Siemens is examining ways to increase the security of the authentication procedures, he said.
Ban USB Storage Devices?
If the problem is that the worm spreads by the connection of USB storage devices, then the knee-jerk solution is to ban the use of USB storage devices on SCADA systems. The US Department of Defense (DoD) Joint Task Force Global Network Operations (JTF-GNO) banned the use of USB flash drives within its networks about 18 months ago due to this exact problem: malware being introduced from the outside.
But because the DoD realized that productivity dropped substantially after the ban was put in place, it was recently modified, with several provisos: 1) the drives must be on an approved list; 2) they must be purchased and issued by the organization using them; and 3) there must be approved policies and procedures for their use. Again, the biggest problem is malware coming in from the outside, and even a secure, encrypted USB drive cannot help with that problem.
The only way to prevent the spread of malware on USB storage devices from system to system is to lock them down to a specific system or to a set of systems.
You can see that I have created red, blue, and green security domains in the illustration above. When I bring a new USB storage device into my organization, I assign it to one or more of the security domains, thus restricting the use of the device to only the systems defined as part of the domain.
For example, a storage device in the red domain can only connect to computers in the red domain. A device assigned to the red and green domains can connect and move information between red and green systems. Because moving information between domains is risky, I might configure only one device for cross-domain transfer and assign it to a trusted employee. If information shows up on the red domain that I know belongs only on the green domain, I know who must have moved it.
Now take this one step further; if a system is outside of the three domains, the USB storage device will not mount on it and if a rogue device comes into my organization it cannot be mounted on my systems. So I have limited what can come in to my organization and what can go out of my organization.
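The domain-assignment scheme described above, written out as an added illustrative model (not code from the original post or from SPYRUS). The domain names, device serials, hostnames and employee names are constructed placeholders; a host outside every domain is modelled as having no domain at all.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    serial: str
    domains: FrozenSet[str]  # security domains this device was enrolled into
    holder: str              # employee the device was issued to


@dataclass(frozen=True)
class Host:
    name: str
    domain: Optional[str]    # None = system outside all three domains


# Constructed inventory (placeholders, not real serials or hostnames).
DEVICES: Dict[str, Device] = {
    "SN-RED-01":  Device("SN-RED-01", frozenset({"red"}), "bob"),
    "SN-BLUE-01": Device("SN-BLUE-01", frozenset({"blue"}), "carol"),
    # The single cross-domain device, issued to one trusted employee.
    "SN-XFER-01": Device("SN-XFER-01", frozenset({"red", "green"}), "alice"),
}
HOSTS: Dict[str, Host] = {
    "red-hmi-1":   Host("red-hmi-1", "red"),
    "green-eng-1": Host("green-eng-1", "green"),
    "blue-ws-1":   Host("blue-ws-1", "blue"),
    "kiosk-lobby": Host("kiosk-lobby", None),  # outside every domain
}


def mount_decision(serial: str, hostname: str) -> bool:
    """True only if an enrolled device meets an enrolled host whose domain
    is one the device was assigned to. An unknown (rogue) device and a host
    outside all domains both fail closed."""
    device = DEVICES.get(serial)
    host = HOSTS.get(hostname)
    if device is None or host is None or host.domain is None:
        return False
    return host.domain in device.domains


def possible_carriers(src_domain: str, dst_domain: str) -> List[Tuple[str, str]]:
    """Devices assigned to both domains: the only ones that could have moved
    data from src to dst. Returns (serial, holder) pairs for the audit."""
    return sorted((d.serial, d.holder) for d in DEVICES.values()
                  if {src_domain, dst_domain} <= d.domains)
```

When green-only data turns up on a red system, `possible_carriers("green", "red")` names the one device and holder that could have carried it.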
If you’re thinking that it would be cool if such a device existed then I would like to point you to the SPYRUS Hydra Privacy Card (Hydra PC) devices because this is exactly what they are designed to do. They keep secure information inside of your organization and keep insecure information (such as malware) out.
In fact, the Hydra PC Personal Encryption Device is the only COTS USB flash drive approved by the US National Security Agency (NSA) to carry tactical data at the SECRET level and below, when operated in accordance with the approved security doctrine.