Stuxnet and U.S. Incident Response
Student Name
Professor Name
Institution
Date
The United States Computer Emergency Readiness Team (US-CERT) is the body mandated to protect the country's internet infrastructure and to look after the security of public entities on the internet. It devises methods for responding to cyber security attacks that might pose a threat to the nation, and it works alongside the Department of Homeland Security and many other private and public organizations in accomplishing this task (Techopedia, 2018).
US-CERT engages in a number of activities to make the internet safer for the nation. It provides means for the public to report any suspected cyber threat or attack so that appropriate action can be taken, and it runs educational programmes aimed at making the public and industry aware of data security and the threats to it.
The body also has the role of warning the general public about looming cyber security attacks. It gathers information from various sources, and analysis of that information helps to point out the threats that various organizations face or are at risk of. In this way losses that such attacks would otherwise have caused can be prevented (ICS-CERT, 2010).
The team also takes part in coordinating recovery activities in emergency situations, in conjunction with other organizations. These activities aim to reduce the impact of a cyber attack and to restore any data or operations that were brought down as a result of it.
US-CERT also analyses the data gathered from security incidents in order to learn more about the nature of attacks and to prevent future ones. Additionally, it evaluates malware samples to determine which systems are at risk and how an infection can be detected on a system (Ferran, 2012).
The response team also works hand in hand with other security agencies to come up with mitigation steps for preventing and dealing with cyber security threats. The agencies share the data they have individually gathered; put together, it gives a clearer picture of how attacks manifest and how they can be detected more reliably.
US-CERT follows established guidelines for cyber crime response and emergency response preparedness. It collects data on security threats from actual security incidents, and feedback from the general public is a further rich source of information on cyber security matters. By collaborating with other security agencies it is in a better position to combat security threats and possible attacks.
The body's initiative to inform and educate the general public on data security and cyber attacks is a crucial tool for preventing attacks. When the public is aware of the threats it faces, it is able to contribute to safeguarding itself against them.
Stuxnet is a computer worm that was first publicly reported in July 2010. It exploited zero-day vulnerabilities to attack Windows PCs and, through them, industrial control software and equipment (Techopedia, 2018). The worm is believed to have spread mainly through infected USB flash drives.
The worm was highly sophisticated and is believed to have been built by a group of very talented professionals, probably working for one or more governments. At the time of its discovery it exploited a total of four unpatched (zero-day) Windows vulnerabilities.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) was in charge of the mitigation process for the Stuxnet malware. It took a number of steps to try to contain the worm, which was proving highly infectious, having infected thousands of computers around the world.
One of the steps the U.S. body took was to have patches applied on host systems. As noted above, Stuxnet targeted Windows PCs and used four zero-day vulnerabilities to infect them, so the first step was to address these unpatched vulnerabilities on Windows machines in order to prevent further infection. Organizations affected by the malware and running Siemens WinCC or STEP 7 software should follow Siemens' recommendations for applying the Windows updates. The malware also exploits the vulnerability addressed by the MS08-067 patch, though it is not clear how this is used. ICS-CERT urges control system administrators and operators to review system upgrades and to apply that patch if it has not already been applied, and further urges administrators to consult their control system vendors before making any system changes.
USB drives being the main channel of infection, ICS-CERT recommends that best practices be followed when handling flash drives, since attackers rely on the convenience and wide use of thumb drives to propagate malware. Companies are asked to review their removable-media policies to close any loopholes that might lead to infection by malware such as the Stuxnet worm.
With strong policies on the use of such media it is hoped that the transfer of malware from an infected computer to another can be controlled and stopped. It is therefore important for companies to enact such policies.
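The following removable-media triage check is an added example, not code from this paper, from ICS-CERT or from Siemens. It inspects the root of a mounted drive and flags the file pattern Stuxnet left on USB sticks it had infected (several .lnk shortcut files next to payload files named ~WTR4132.tmp and ~WTR4141.tmp, as documented in public analyses of the worm), together with generic removable-media policy violations such as an autorun.inf or executables on the drive. The sample drive contents are constructed empty files; the shortcut names, the policy thresholds and the verdict wording are this example's own assumptions.

```python
"""
Added example (not part of the original paper or of ICS-CERT's guidance):
a removable-media triage scan for the USB policy discussed above. It works
on an ordinary directory, so it can be run offline against a mounted drive
(e.g. E:\\ on Windows or /media/usb on Linux) or against the constructed
sample directories built below.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Public fact: Stuxnet dropped payload files named ~WTR4132.tmp / ~WTR4141.tmp
# in the drive root, loaded via crafted .lnk shortcuts. The regex is widened to
# any ~WTRnnnn.tmp name (an assumption of this example, not from the paper).
STUXNET_PAYLOAD_RE = re.compile(r"^~WTR\d{4}\.tmp$", re.IGNORECASE)
# Generic policy check: executables have no business on a plant-floor USB stick.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".ps1"}


@dataclass
class ScanResult:
    root: str
    lnk_files: list = field(default_factory=list)
    wtr_files: list = field(default_factory=list)
    autorun: bool = False
    executables: list = field(default_factory=list)

    @property
    def stuxnet_pattern(self) -> bool:
        # The propagation pattern needs both the shortcut loaders and the ~WTR
        # payloads in the root; a stray .lnk alone is not the pattern.
        return bool(self.lnk_files) and bool(self.wtr_files)

    @property
    def verdict(self) -> str:
        if self.stuxnet_pattern:
            return "QUARANTINE: Stuxnet-style LNK/~WTR propagation files present"
        if self.autorun or self.executables:
            return "REVIEW: policy violation (autorun/executables on removable media)"
        return "CLEAN: no findings"


def scan_removable_root(root: str) -> ScanResult:
    """Inspect only the top level of the drive; that is where the propagation files sit."""
    result = ScanResult(root=root)
    for entry in os.scandir(root):
        if not entry.is_file():
            continue
        name = entry.name
        suffix = Path(name).suffix.lower()
        if suffix == ".lnk":
            result.lnk_files.append(name)
        if STUXNET_PAYLOAD_RE.match(name):
            result.wtr_files.append(name)
        if name.lower() == "autorun.inf":
            result.autorun = True
        if suffix in EXECUTABLE_SUFFIXES:
            result.executables.append(name)
    return result


def build_sample_drive(infected: bool) -> str:
    """Constructed sample drive content (empty files, not real malware) in a temp directory."""
    root = tempfile.mkdtemp(prefix="usb_")
    names = ["report.pdf", "readme.txt"]
    if infected:
        # Shortcut names are illustrative assumptions; the ~WTR names are the documented ones.
        names += ["Copy of Shortcut to.lnk", "Copy of Copy of Shortcut to.lnk",
                  "~WTR4132.tmp", "~WTR4141.tmp"]
    for n in names:
        Path(root, n).write_bytes(b"")
    return root


if __name__ == "__main__":
    for flag in (False, True):
        r = scan_removable_root(build_sample_drive(flag))
        print(r.verdict, r.lnk_files, r.wtr_files)
```

A clean result says nothing about the host the drive was last plugged into, and a hit should lead to the vendor-recommended cleanup path rather than to deleting the files by hand. The value of a check like this is in enforcing the removable-media policy at the point of use (for example a scanning kiosk at the plant entrance), not in forensics.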
ICS-CERT outlines a process to be followed when a system is found to be infected with Stuxnet. The process depends on the type of system infected: a system that does not run Siemens products will have a relatively easier time handling the malware than one that does. System administrators are again advised to exercise caution before making any major system changes or running anti-virus products on control system hosts.
If a system running Siemens WinCC or STEP 7 is identified as infected with Stuxnet, both Siemens customer support and ICS-CERT should be contacted. Siemens advises that the Microsoft patch be applied, that the SysClean tool then be run, and that the SIMATIC security update then be installed on the host. Although the SysClean tool does appear to prevent the worm from infecting new flash drives, it does not fully remove all files related to the malware, which is mainly attributed to the complexity of the malware.
Because of this, ICS-CERT recommends that affected companies work closely with it to determine whether a complete rebuild of the affected systems is necessary. Such a rebuild can be carried out manually or by automated means.
ICS-CERT also offers support to companies that need further guidance on dealing with the Stuxnet threat or that require further analysis of the malware's effects on their systems.
It is also worth noting that systems not running the Siemens products have an easier time dealing with the malware: its control-system payload is inert on such hosts, although the worm still installs itself and can spread from them, so they should still be cleaned.
Alternate sites are not entirely suitable for companies that run on industrial control system technologies, because these systems directly control critical infrastructure such as power, transport, gas and water. Any interruption to such a system is dangerous and high risk, as it could mean sabotage, failure or shutdown of the main processes or even the entire plant.
Many companies therefore continue working with the original systems even after a malware infection has been detected. To them it is less risky to deal with the malware while normal industrial processes keep running.
Various other challenges also prevent a shift to a hot site. For example, many industries running industrial control systems tolerate only about five minutes of downtime a year, which makes it extremely difficult even to carry out a forensic study or analysis to identify a malware infection or other security breach.
The fact that these systems run on small processors makes it even harder, since they cannot run basic anti-virus software: their limited computing capacity might simply not be able to handle it.
Additionally, it is hard to apply changes to ICS equipment, because much of it was developed in the pre-internet era and was not designed for connectivity: there is often no channel through which updates can be delivered and no means of authenticating the commands given. These systems only communicate point to point. Complete replacement is also not feasible, since they are legacy systems that have been in operation for 15 to 30 years or more.
Companies with such systems are also quite reluctant to overhaul them because they have operated error free for long periods. Even where an overhaul is possible, it would be extremely expensive for such industries.
The need to adopt a connectivity plan has led some of these companies to purchase off-the-shelf software products, for example operating systems such as Windows and Linux. This increases the security threat facing such systems, because it is quite possible to infect systems that are interconnected in a network: there is then an actual channel through which malware can be transmitted.
Companies running industrial control systems are therefore required to exercise great care in handling the operation of their systems. It would mean havoc if the systems were infected by hazardous malware, because dealing with malware on such systems is a daunting task. The difficulty of shifting such systems to alternative sites makes it even more imperative to safeguard the original systems from malware attacks.
Importantly, more discussion is needed on the security of legacy systems and of the newer systems that use industrial control technologies. This would put many industries in a position to deal with and control any form of malware attack that endangers their systems. The need becomes even more glaring with the onset of more frequent attacks on such systems. The very fact that replacing or relocating such systems is impossible should make security researchers pay more attention to this field, so as to come up with proper mitigation steps that will help industries secure their systems and prevent the losses that would otherwise arise.
A lot of planning has to go into securing industrial control systems in order to safeguard them from attacks, which can be quite serious. Below are some of the necessary steps that could be taken to ensure that these systems are well protected.
The first step is to secure the networks. A well-secured network entails a good network design with well-defined boundaries. The network should be segmented into zones and conduits by implementing the ISA/IEC 62443 standard; wireless applications should be secured; secure remote access solutions should be deployed; and the firm should regularly inspect and monitor its industrial network infrastructure equipment.
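The checker below is an added example, not code from this paper and not an implementation of the ISA/IEC 62443 standard itself. It turns the standard's zones-and-conduits idea into a concrete test: assets are assigned to zones by subnet, conduits are the only permitted inter-zone paths (with the protocol and port they carry), and observed flows are checked against them. The zone names and subnets, the conduit list, and the NetFlow-like CSV records are all constructed assumptions made for this example.

```python
"""
Added example (not from the original paper): a zones-and-conduits flow audit.
Any cross-zone flow that does not match a defined conduit is reported, as is
any flow involving an address outside the defined zones. Run it against
exported flow records to verify that the segmentation design matches what
the network actually carries.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Assumed zones: a Purdue-style layering of enterprise, ICS DMZ, control and field.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "ics_dmz":    ipaddress.ip_network("10.20.0.0/24"),
    "control":    ipaddress.ip_network("10.30.0.0/24"),
    "field":      ipaddress.ip_network("10.40.0.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Assumed conduits. Nothing goes from enterprise straight into control or
# field; everything passes through the DMZ.
CONDUITS = {
    Conduit("enterprise", "ics_dmz", "tcp", 443),   # users reach the historian/jump host over HTTPS
    Conduit("ics_dmz", "control", "tcp", 3389),     # jump host RDP into engineering workstation
    Conduit("control", "ics_dmz", "tcp", 1433),     # historian push from control to DMZ database
    Conduit("control", "field", "tcp", 102),        # engineering workstation to PLC (ISO-TSAP / S7comm)
    Conduit("control", "field", "tcp", 502),        # SCADA to RTU over Modbus/TCP
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(src: str, dst: str, proto: str, dport: int) -> tuple[str, str]:
    """Return (verdict, reason). Intra-zone traffic is allowed; cross-zone traffic needs a conduit."""
    sz, dz = zone_of(src), zone_of(dst)
    if "unknown" in (sz, dz):
        return "ALERT", f"address outside any defined zone ({sz} -> {dz})"
    if sz == dz:
        return "OK", f"intra-zone {sz}"
    if Conduit(sz, dz, proto.lower(), dport) in CONDUITS:
        return "OK", f"conduit {sz}->{dz} {proto}/{dport}"
    return "ALERT", f"no conduit for {sz}->{dz} {proto}/{dport}"


def audit_flows(flow_csv: str) -> list[dict]:
    """Parse 'src,dst,proto,dport' records and return only the violations, in input order."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        verdict, reason = check_flow(row["src"], row["dst"], row["proto"], int(row["dport"]))
        if verdict != "OK":
            findings.append({**row, "reason": reason})
    return findings


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """src,dst,proto,dport
10.10.5.23,10.20.0.10,tcp,443
10.20.0.10,10.30.0.15,tcp,3389
10.30.0.15,10.40.0.7,tcp,102
10.10.5.23,10.40.0.7,tcp,102
10.10.5.23,10.30.0.15,tcp,445
10.30.0.15,10.30.0.20,tcp,445
192.168.1.5,10.40.0.7,tcp,502
"""

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"ALERT {f['src']} -> {f['dst']} {f['proto']}/{f['dport']}: {f['reason']}")
```

The two flows from the enterprise address straight to a PLC and to the engineering workstation are exactly the paths a Stuxnet-style infection would use if the office network and the control network were flat; the segmentation is only as good as the audit that confirms no such flows exist.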
Another important step is to secure all endpoints. Having firewalls, using proprietary software, imposing protocols and even air gaps is not enough: all of these are bypassed when employees, contractors or anyone else bring their own laptops, flash drives or other equipment onto the plant network.
Such devices can undermine the security measures in place by providing loopholes for breaches. It should therefore be policy in all firms that personal equipment such as laptops or thumb drives is not connected to the corporate or control network.
Organizations are urged to carry out asset discovery. This helps them map out and build an inventory of all endpoints. Once this is done, secure configurations should be applied to those endpoints, and they should be continuously monitored to ensure that they remain protected and in the correct state. This lets the firm detect any unauthorized change to an endpoint and act before the newly created weak point is exploited by an intruder.
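The inventory-drift check below is an added example, not code from this paper or from any of the vendors it cites. It records a baseline inventory once (host, role, firmware or OS version, listening ports, and a hash of the configuration or controller project file) and diffs each later discovery run against it, which is the monitoring step the paragraph above calls for. The hostnames, versions, ports and the placeholder "project file" contents are constructed sample data for this example, not real devices or real PLC projects.

```python
"""
Added example (not from the original paper): baseline-and-diff monitoring for
an ICS asset inventory. A new host, a version change, a newly listening port
or a changed controller project hash is reported so that it can be matched
against an approved change ticket. A changed project hash on a PLC with no
ticket is the kind of finding a Stuxnet-style logic modification would produce.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    role: str
    version: str
    ports: tuple
    config_sha256: str


def fingerprint(config_bytes: bytes) -> str:
    """Hash the configuration/project file so any change is detectable, not just size or timestamp."""
    return hashlib.sha256(config_bytes).hexdigest()


def discover(raw: list[dict]) -> dict[str, Asset]:
    """Turn raw discovery records (what a scanner or engineering-station export would give) into Assets."""
    return {
        r["host"]: Asset(r["host"], r["role"], r["version"],
                         tuple(sorted(r["ports"])), fingerprint(r["config"]))
        for r in raw
    }


def diff_inventory(baseline: dict[str, Asset], current: dict[str, Asset]) -> list[str]:
    """Report new/missing hosts, version changes, port changes and configuration changes."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        b, c = baseline.get(host), current.get(host)
        if b is None:
            findings.append(f"NEW_HOST {host} role={c.role} (not in baseline)")
            continue
        if c is None:
            findings.append(f"MISSING_HOST {host} role={b.role}")
            continue
        if b.version != c.version:
            findings.append(f"VERSION_CHANGE {host} {b.version} -> {c.version}")
        opened = set(c.ports) - set(b.ports)
        closed = set(b.ports) - set(c.ports)
        if opened:
            findings.append(f"NEW_PORTS {host} {sorted(opened)}")
        if closed:
            findings.append(f"CLOSED_PORTS {host} {sorted(closed)}")
        if b.config_sha256 != c.config_sha256:
            findings.append(f"CONFIG_CHANGE {host} (project/config hash differs: verify change ticket)")
    return findings


# Constructed baseline and a later discovery run (sample data, not real devices).
BASELINE_RAW = [
    {"host": "eng-ws-01", "role": "engineering workstation", "version": "Windows 7 SP1",
     "ports": [135, 445, 3389], "config": b"step7 project v12 rev 41"},
    {"host": "plc-boiler-1", "role": "PLC", "version": "fw 3.2.11",
     "ports": [102], "config": b"OB1 OB35 FC1 DB8 checksum-A"},
    {"host": "hist-01", "role": "historian", "version": "WinCC 7.0",
     "ports": [1433, 443], "config": b"historian tags v3"},
]
CURRENT_RAW = [
    {"host": "eng-ws-01", "role": "engineering workstation", "version": "Windows 7 SP1",
     "ports": [135, 445, 3389, 5357], "config": b"step7 project v12 rev 41"},
    {"host": "plc-boiler-1", "role": "PLC", "version": "fw 3.2.11",
     "ports": [102], "config": b"OB1 OB35 FC1 DB8 checksum-B"},   # logic changed: was there a ticket?
    {"host": "hist-01", "role": "historian", "version": "WinCC 7.0",
     "ports": [1433, 443], "config": b"historian tags v3"},
    {"host": "vendor-laptop", "role": "unknown", "version": "Windows 10",
     "ports": [445], "config": b""},
]


def run_check() -> list[str]:
    return diff_inventory(discover(BASELINE_RAW), discover(CURRENT_RAW))


if __name__ == "__main__":
    print(json.dumps(run_check(), indent=2))
```

In practice the "current" records come from a passive discovery source (switch MAC tables, span-port traffic, or the engineering station's own project export) rather than from active scanning, which can upset fragile controllers; the diff logic is the same either way.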
An important activity for securing industrial control systems is securing the industrial controllers. These are the devices, such as programmable logic controllers, that bridge the gap between the program logic and commands given to the system and the field components that interact with the physical world: temperature and pressure sensors, calibration devices, valves and so on.
A successful intrusion into such controllers would deal a serious blow to a firm, because a malicious actor who gained control of them could wreak havoc. It is therefore extremely important to secure these points (Authier, 2018). Organizations should implement security features on vulnerable controllers and monitor the rest for any changes that could signal a security threat.
Control system operators should review their password policies from time to time to keep them strong, since weak passwords can give malware or an intruder a way to take control of critical system components. The hardware and software of many ICS installations are also outdated, which has to be addressed if the security of such systems is to be assured.
Penetration testing should be conducted on such systems by simulating real attacks so that any loophole not yet addressed can be discovered and patched or otherwise fixed. Using a red team is one way to increase the effectiveness of such tests in establishing the weak points of a system. Because active scanning and exploitation can crash fragile controllers, such tests should be run against a representative test environment or within a planned maintenance window, with the vendor consulted beforehand.
Even for air-gapped systems it is still crucial to conduct such tests, since attacks on them are entirely possible, for example through infected flash drives.
The steps above, if followed correctly, can to a large extent protect industrial control systems from cyber attacks that could damage or interfere with them.
References
Ashford, W. (2014, October 15). Industrial control systems: What are the security challenges? Retrieved from https://www.computerweekly.com/news/2240232680/Industrial-control-systems-What-are-the-security-challenges
Authier, G. (2018, February 4). A solid approach to protect your ICS systems: Simple as 1-2-3. Retrieved from https://www.tripwire.com/state-of-security/ics-security/3-simple-steps-securing-ics-systems-digital-threats/
Brasso, B. (2016, May 26). Taking steps to prevent critical infrastructure cyber attacks. Retrieved from https://www.fireeye.com/blog/executive-perspective/2016/05/taking_steps_to_prev.html
Ferran, L. (2012, June 29). When Stuxnet hit the homeland: Government response to the rescue. Retrieved from http://abcnews.go.com/News/when-stuxnet-hit-the-homeland-government-response-to-the-rescue/blogEntry?id=16680284
ICS-CERT. (2010, September 15). Stuxnet malware mitigation (Update B) (ICSA-10-238-01B). Retrieved from https://ics-cert.us-cert.gov/advisories/ICSA-10-238-01B
Rouse, M. (2018). Hot site and cold site. Retrieved from https://searchcio.techtarget.com/definition/hot-site-and-cold-site
Techopedia. (2018). Stuxnet. Retrieved from https://www.techopedia.com/definition/15812/stuxnet