
Stuxnet and U.S Incidence Response

Student Name

Professor Name

Institution

Date

The U.S. Computer Emergency Readiness Team (US-CERT) is a body mandated to protect the country’s internet infrastructure and to ensure the general welfare of all public entities on the internet. It devises methods for responding clearly to cyber security attacks that might pose a threat to the nation. It works alongside the Department of Homeland Security, together with multiple other private and public organizations, in accomplishing this task (Techopedia, 2018).

US-CERT engages in a number of activities in order to make the internet a safe place for the entire nation. It devises, for instance, means for the public to report any suspected cyber threat or attack to the body so that appropriate action can be taken. It also engages in educational ventures with the aim of making the public and industries aware of data security and threats.

The body also has the role of making the general public aware of looming cyber security strikes and attacks. It gathers information from various sources, and analysis of this information can point out the security threats that various bodies are facing or at risk of. By doing so it is able to prevent losses that could have come about as a result of such attacks (ICS-CERT, 2015).

The emergency response team also takes part in coordinating recovery activities in emergency situations in conjunction with other firms. These activities are aimed at reducing the impact that a cyber attack makes and at restoring any data or operations that might have been brought down as a result of the attack.

The team also analyses the data gathered from security threats in order to learn more about the nature of attacks and to prevent future attacks from happening. Additionally, it evaluates malware samples in order to better understand which systems are at risk of attack and how these attacks can be detected in a system (Ferran, 2012).

The response team also works hand in hand with other security agencies to develop mitigation steps aimed at preventing and dealing with cyber security threats. The bodies share the data they have individually gathered, and by putting it together they are able to build a clearer picture of how security attacks manifest and how to detect these threats more effectively.

The U.S. Computer Emergency Readiness Team follows best-practice guidelines when it comes to cyber crime response and emergency response preparedness. It takes the best approach to collecting data on security threats by obtaining it from actual security incidents. Feedback from the general public is also a rich source of information on matters concerning cyber security. By collaborating with other security agencies it is in a better position to combat security threats and possible attacks effectively.

The body’s initiative to inform and educate the general public on issues relating to data security and cyber attacks is a crucial tool in enabling successful prevention of cyber attacks. When the public is aware of the data security threats they face, they are able to contribute to safeguarding themselves against such malicious threats.

Stuxnet was computer malware that was first noted in July 2010. It exploited a zero-day vulnerability and attacked Windows PCs as well as other industrial software and equipment (Techopedia, 2018). It is believed that the worm spread through flash drives that were infected with the malware.

The worm was highly sophisticated and is believed to have been made by a group of very talented professionals, probably working for one or more governments. It exploited a total of four unpatched vulnerabilities in Windows PCs at the time of discovery.

The Industrial Control Systems Computer Emergency Readiness Team (ICS-CERT) was in charge of the mitigation process for the Stuxnet malware. It employed a number of steps in a bid to control the malware, which was proving to be highly infectious, having infected thousands of computers around the world.

One of the many steps that the U.S. body has taken is to have patches applied on host systems. As seen earlier, the Stuxnet worm targeted Windows PCs and used a total of four zero-day vulnerabilities to make its infection possible. The first step was therefore to address these unpatched vulnerabilities in the Windows machines so as to prevent further infection by the malware. Organizations affected by the malware and running WinCC or Step7 software should follow Siemens' recommendations for applying the Windows updates.

The malware also exploits a vulnerability addressed by the MS08-067 patch, though it is not clear how this is used. ICS-CERT urges control system administrators and operators to review system upgrades and to apply the patch if it has not already been applied. Administrators are further urged to consult their control system vendors prior to making any system changes.

Since USB drives were the main channel of infection, ICS-CERT recommends that best practices are followed when dealing with these flash drives. This is because attackers use the convenience and wide usage of thumb drives to propagate the malware. Companies are asked to review their policies further to close any loopholes that might lead to infection by malware such as the Stuxnet worm.

By having strong policies on the usage of such media, it is hoped that the transfer of malware from an infected computer to another can be controlled and therefore stopped. Hence it is important for companies to enact such policies.
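A removable-media policy is only useful if its violations are actually detected. The following is an added example (not code from the advisory or from ICS-CERT) of how a defender might audit removable-media events on ICS hosts against an allow-list of approved device serial numbers. The log line format, host names, user names and serial numbers are all constructed for illustration; a real deployment would feed it the device-installation events its endpoint agents or Windows auditing actually produce.

```python
"""Audit removable-media events on ICS hosts against a USB allow-list.

Added example with constructed input: the key=value log format, the host names,
the users and the serial numbers below are invented for illustration only.
"""
import re

# Constructed: hosts that count as ICS assets (engineering workstations, HMIs).
ICS_HOSTS = {"ews-01", "hmi-03"}

# Constructed: removable devices approved for use on ICS hosts, by serial number.
APPROVED_SERIALS = {"SN-ENG-0001"}

# Hypothetical log format: "<timestamp> host=<h> user=<u> event=<e> serial=<s>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) serial=(?P<serial>\S+)$"
)

# Constructed sample log: one approved device, one unapproved device that also
# executed something via autorun, and one event on a non-ICS office machine.
SAMPLE_LOG = """\
2024-01-10T08:01:00Z host=ews-01 user=eng1 event=usb_insert serial=SN-ENG-0001
2024-01-10T08:05:12Z host=ews-01 user=contractor7 event=usb_insert serial=SN-UNKNOWN-77
2024-01-10T08:05:13Z host=ews-01 user=contractor7 event=autorun_exec serial=SN-UNKNOWN-77
2024-01-10T09:00:00Z host=office-12 user=alice event=usb_insert serial=SN-UNKNOWN-42
2024-01-10T09:30:00Z host=hmi-03 user=ops2 event=usb_insert serial=SN-ENG-0001
"""


def parse_event(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_usb_events(log_text):
    """Return policy findings for removable-media events on ICS hosts only.

    - An inserted device whose serial is not on the allow-list is 'high'.
    - Any code execution from removable media is 'critical', whatever the serial.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["host"] not in ICS_HOSTS:
            continue  # unparseable line, or a host outside the ICS policy scope
        base = {"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                "serial": ev["serial"]}
        if ev["event"] == "usb_insert" and ev["serial"] not in APPROVED_SERIALS:
            findings.append({**base, "severity": "high",
                             "reason": "removable device not on ICS allow-list"})
        elif ev["event"] == "autorun_exec":
            findings.append({**base, "severity": "critical",
                             "reason": "code executed from removable media"})
    return findings


if __name__ == "__main__":
    for f in audit_usb_events(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['host']} user={f['user']} "
              f"serial={f['serial']}: {f['reason']}")
```

The allow-list is keyed on device serial rather than on vendor or product ID because a serial identifies one physical device, which is what a policy of "only these drives may touch the engineering workstations" actually needs to enforce.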

ICS-CERT outlines a process to be followed in the event that a system becomes infected by the Stuxnet malware. This depends, however, on the type of system that has been infected. A system that does not run or use Siemens products will have a relatively easier time handling the malware compared with a system that uses Siemens products.

System administrators are again advised to exercise great caution before making any major system changes or using anti-virus products.

If a system running Siemens WinCC or Step7 software is identified as infected by the Stuxnet malware, then Siemens customer support and ICS-CERT should be contacted. Additionally, Siemens advises applying the Microsoft patch, running the SysClean tool, and then installing the SIMATIC security update on the host system.

Although use of the SysClean tool does appear to prevent the worm from infecting new flash drives, it does not fully remove all files related to the malware. This is mainly attributed to the complexity of the malware.

Because of this, ICS-CERT recommends that affected companies work closely with it to determine whether a total rebuild of systems is necessary. This rebuild can be carried out through manual or automated means.

ICS-CERT also offers support to companies seeking further guidance on how to deal with the Stuxnet threat, or those that may require further analysis of the malware's effects on their systems.

It is also worth noting that systems that do not run Siemens products will have an easier time dealing with the malware, as it is inert and almost completely harmless on such systems.

Alternate sites are not entirely suitable for companies that run industrial control system technologies. This is because these systems directly control critical infrastructure such as power, transport, gas and water. As such, any interruption to such a system is dangerous and high risk, as it could mean total sabotage, failure or shutdown of the main processes or even the entire plant.

Many companies, for instance, continue working with the original systems even after a malware infection has been detected. To them it is better to deal with the malware problem while continuing to run normal industrial processes, as it is less risky that way.

Various other challenges also prevent a shift to a hot site. For example, many industries running industrial control systems allow only 5 minutes of downtime a year, which makes it extremely difficult even to carry out a forensic study or analysis in a bid to identify malware infection or other security breaches.

The fact that these systems also run on small processors makes it even more difficult, since they would not be able to run basic antivirus software. Small processors have very limited computing capabilities and might simply not be able to handle the antivirus software that could otherwise be installed on the systems.

Additionally, it is hard to apply changes to ICS systems, since they were developed in the pre-internet era and do not allow for connectivity; hence it is difficult to apply any updates to them, as there would be no means of authenticating the commands given.

The challenge here is that these systems only communicate point to point. The option of completely replacing such systems is also not feasible, since these are legacy systems that have been in operation for 15 to 30 years or more.

Companies with such systems are also quite reluctant to overhaul them, because these systems have been operating error free for long periods of time. Even if an overhaul were possible, it would be extremely expensive for such industries.

The fact that these systems have had to adopt a connectivity plan has made some operators purchase off-the-shelf software products, for example operating systems like Windows and Linux. This increases the security threat facing such systems. This is because it is quite possible to infect systems that are interconnected in a network, as there is then an actual channel through which malware can be transmitted.

Companies running industrial control systems are thus required to exercise complete discretion when it comes to handling the operations of their systems. It would mean havoc if the systems were infected by hazardous malware, for instance, because dealing with malware on such systems is a daunting task.

The fact that it is also quite difficult to shift such systems to alternative sites makes it even more imperative to safeguard the original systems from malware attacks.

Of importance, though, is the need for more discussion of the security of legacy systems and even of newer systems that utilize industrial control system technologies. This would position many industries to be able to deal with and control any form of malware attack that poses a danger to their systems.

The need becomes even more glaring with the onset of more frequent attacks on such systems. The mere fact that replacing or even relocating such systems is impossible should make security researchers pay more attention to this field, so as to come up with proper mitigation steps that will help industries secure their systems and prevent the losses that would otherwise arise.

A lot of planning has to go into securing industrial control systems in order to safeguard them from possible attacks, which can be quite damaging. Below are some of the necessary steps that could be taken to ensure that these systems are well protected from such attacks.

The first step would be to secure the networks. A well-secured network entails a good network design and well-defined boundaries. Additionally, the networks should be segmented by implementing the ISA/IEC 62443 standard. Wireless applications should also be secured, and secure remote access solutions should be deployed. Firms should then conduct regular inspection and monitoring of their industrial network infrastructure equipment.
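Segmentation in the ISA/IEC 62443 sense means grouping assets into zones and allowing traffic between zones only through defined conduits. The following is an added example (not code from the standard, from ICS-CERT or from any vendor) of how a defender could check observed flow records against such a zone model and flag anything that crosses a boundary without a conduit. The zone assignments, conduit list, IP addresses and the flow-record format are constructed for illustration and are not taken from the standard.

```python
"""Check observed network flows against a zone/conduit model.

Added example: the zones, conduits, addresses and flow-record format are
constructed for illustration; they are not prescribed by ISA/IEC 62443.
"""
import re
from dataclasses import dataclass

# Constructed: which zone each known host belongs to.
HOST_ZONE = {
    "10.1.0.5": "enterprise",
    "10.1.0.9": "enterprise",
    "10.2.0.10": "dmz",       # historian / jump host between IT and OT
    "10.3.0.20": "control",   # engineering workstation
    "10.3.0.30": "control",   # PLC
}

# Constructed: the only cross-zone (source zone, destination zone, port) paths allowed.
CONDUITS = {
    ("enterprise", "dmz", 443),  # enterprise users read the historian over HTTPS
    ("dmz", "control", 102),     # the jump host alone may talk to controllers
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Hypothetical flow-record format: "src=<ip> dst=<ip> dport=<port>".
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")

# Constructed sample records: three compliant, three that break the model.
SAMPLE_FLOWS = """\
src=10.1.0.5 dst=10.2.0.10 dport=443
src=10.1.0.9 dst=10.3.0.30 dport=102
src=10.2.0.10 dst=10.3.0.30 dport=102
src=10.3.0.20 dst=10.3.0.30 dport=102
src=10.3.0.30 dst=10.1.0.5 dport=445
src=10.9.9.9 dst=10.3.0.30 dport=102
"""


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match."""
    m = FLOW_RE.search(line)
    return Flow(m.group("src"), m.group("dst"), int(m.group("port"))) if m else None


def zone_of(ip):
    """Map a host to its zone; hosts missing from the inventory are 'unknown'."""
    return HOST_ZONE.get(ip, "unknown")


def is_allowed(flow):
    """A flow is allowed if it stays inside one zone or uses a defined conduit.

    A host that is not in the inventory can never be allowed: that is an
    inventory gap that has to be fixed before any policy decision can be made.
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return False
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone, flow.port) in CONDUITS


def find_violations(log_text):
    """Return (flow, source zone, destination zone) for every disallowed flow."""
    violations = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is not None and not is_allowed(flow):
            violations.append((flow, zone_of(flow.src), zone_of(flow.dst)))
    return violations


if __name__ == "__main__":
    for flow, src_zone, dst_zone in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} ({src_zone}) -> {flow.dst} ({dst_zone}) "
              f"port {flow.port}")
```

Run against the constructed records, the check flags the enterprise host talking straight to the PLC (bypassing the DMZ), the PLC initiating SMB towards the enterprise zone, and a host that is not in the inventory at all. The last case is deliberately treated as a violation rather than ignored, because an unmanaged device on a control network is exactly the kind of gap an asset inventory is supposed to close.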

Another important step would be to secure all endpoints. Having firewalls, using proprietary software, imposing protocols and even air gaps is not enough. All of these are bypassed when employees, contractors or anyone else bring their laptops, flash drives or other equipment onto the corporate network.

These devices can compromise the security measures that have been put in place by providing loopholes for security breaches. It should therefore be policy in all firms that personal equipment such as laptops or thumb drives is not connected to the corporate network.

Organizations are urged to carry out asset discovery. This will help them map out and build an inventory of all the endpoints present. Once this is done, the necessary configurations should be applied to these endpoints to secure them against attack. Constant monitoring of these endpoints should then be carried out to ensure that they remain protected and in the correct state at all times. This will enable the firm to detect any unauthorized changes made to these endpoints and act accordingly before the newly created weak point is exploited by an intruder.
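The inventory described above only detects unauthorized change if a known-good baseline is recorded and later snapshots are compared against it. The following is an added example (not code from any of the cited sources) of that baseline-and-drift check: each endpoint's configuration is fingerprinted with a hash over a canonical encoding, and a later snapshot is reported as new, missing or changed, with the changed attributes named. The two inventories, host names, firmware versions and port lists are constructed sample data.

```python
"""Baseline an asset inventory and report configuration drift.

Added example with constructed inventories; the hosts, builds, firmware
versions and port lists below are invented for illustration.
"""
import hashlib
import json

# Constructed: the inventory recorded when the endpoints were last verified.
BASELINE_INVENTORY = {
    "plc-01": {"type": "plc", "firmware": "v2.8", "open_ports": [102]},
    "ews-01": {"type": "engineering-ws", "os_build": "19045",
               "open_ports": [135, 445]},
    "hmi-03": {"type": "hmi", "os_build": "19045", "open_ports": [102, 135, 445]},
}

# Constructed: a later discovery run. ews-01 has grown an extra listening port,
# hmi-03 no longer answers, and an unknown laptop has appeared on the network.
CURRENT_INVENTORY = {
    "plc-01": {"type": "plc", "firmware": "v2.8", "open_ports": [102]},
    "ews-01": {"type": "engineering-ws", "os_build": "19045",
               "open_ports": [135, 445, 3389]},
    "laptop-xyz": {"type": "unknown", "os_build": "22621", "open_ports": [135, 445]},
}


def fingerprint(cfg):
    """SHA-256 over a canonical JSON encoding, so key order cannot cause false drift."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_baseline(inventory):
    """Store both the fingerprint (for a fast compare) and the config (for the diff)."""
    return {host: {"fp": fingerprint(cfg), "cfg": cfg} for host, cfg in inventory.items()}


def changed_keys(old, new):
    """Names of attributes whose value differs between two configurations."""
    return sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))


def detect_drift(baseline, current):
    """Compare a current inventory against a baseline.

    Returns {host: (status, details)} where status is 'new', 'missing' or
    'changed'; hosts whose fingerprint still matches are not reported.
    """
    report = {}
    for host in sorted(baseline.keys() | current.keys()):
        if host not in current:
            report[host] = ("missing", [])
        elif host not in baseline:
            report[host] = ("new", sorted(current[host]))
        elif fingerprint(current[host]) != baseline[host]["fp"]:
            report[host] = ("changed", changed_keys(baseline[host]["cfg"], current[host]))
    return report


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_INVENTORY)
    for host, (status, details) in detect_drift(baseline, CURRENT_INVENTORY).items():
        print(f"{host}: {status} {details}")
```

A "missing" result deserves as much attention as a "changed" one on a control network: an HMI that stops answering may simply be powered down, but it may also have been re-addressed or replaced, and either way the inventory no longer matches reality.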

An important activity in preventing attacks on industrial control systems is securing the industrial controllers. These are the computers that bridge the gap between the programming instructions and commands given to the system and the actual components that interact with the physical world. These components include temperature and pressure sensors, calibration devices, valves and so on.

A successful intrusion into such computers would deal a serious blow to a firm, because a malicious actor who gained control of these systems would be able to wreak havoc. As such, it becomes extremely important to secure these points (Authier, 2018).

Organizations should implement security features on vulnerable controllers and monitor the rest for any changes that could indicate a security threat.

It is important for control system operators to review their password policies from time to time to keep them strong and resistant to compromise. Weak passwords could be a loophole through which malware gains control of critical system components.

The hardware and software elements of many ICS systems are also outdated, something that has to be addressed if the security of such systems is to be guaranteed.

Traditional penetration testing should be conducted on such systems by simulating real attacks, so that any loophole that has not been addressed can be discovered and patched or rectified. The red team approach can be considered as one of these procedures, in order to increase the effectiveness of such tests in establishing the weak points in a system.

Even for air-gapped systems, it is still crucial to conduct such tests, since it is entirely possible for attacks to be carried out on such systems, for example using infected flash drives.

The steps above, if followed correctly, can to a very large extent protect industrial control systems from cyber attacks that could damage or interfere with them.

References

Techopedia. (2018). Stuxnet. Retrieved from https://www.techopedia.com/definition/15812/stuxnet

Ferran, L. (2012, June 29). When Stuxnet Hit the Homeland: Government Response to the Rescue. Retrieved from http://abcnews.go.com/News/when-stuxnet-hit-the-homeland-government-response-to-the-rescue/blogEntry?id=16680284

ICS-CERT. (2010, September 15). Stuxnet Malware Mitigation (Update B). Retrieved from https://ics-cert.us-cert.gov/advisories/ICSA-10-238-01B

Rouse, M. (2018). Hot site and cold site. Retrieved from https://searchcio.techtarget.com/definition/hot-site-and-cold-site

Ashford, W. (2014, October 15). Industrial control systems: What are the security challenges? Retrieved from https://www.computerweekly.com/news/2240232680/Industrial-control-systems-What-are-the-security-challenges

Brasso, B. (2016, May 26). Taking Steps to Prevent Critical Infrastructure Cyber Attacks. Retrieved from https://www.fireeye.com/blog/executive-perspective/2016/05/taking_steps_to_prev.html

Authier, G. (2018, February 4). A Solid Approach to Protect your ICS Systems: Simple as 1-2-3. Retrieved from https://www.tripwire.com/state-of-security/ics-security/3-simple-steps-securing-ics-systems-digital-threats/