Whitelisting is an option – and a good one – but this also highlights the need for better monitoring within control systems networks, in general, so that we can correlate everything together to find the clues needed to spot these types of threats. There will be other zero days, and any single defense can be compromised: it’s why defense-in-depth is still touted as a security best practice today. You can read more about that at http://bit.ly/dfofN3

And patching is not as hard as you might think. I work at a facility owned by the government and we are required by law to maintain our systems at as close to current as possible. Once faced with that requirement it was a relatively simple matter of creating a testbed environment where patches can be subjected to maximum abuse before releasing them to a production environment. Can we test for every conceivable condition? No, but I can manipulate the systems through every critical function thousands of times much faster than I could in the real world. The remaining functions can be compared to the details of the changes and given a very high confidence rating. At least as high of a confidence rating as when I make changes to the application code myself. Was it cheap? No, but it is a lot cheaper than allowing someone the opportunity to take control of my systems and do damage. Am I confident that after our testing, and the vendor’s testing, that the patches I deploy won’t break my systems? Not 100% but I can say that I’m more confident than if I didn’t do the testing. When I read the early reports of this malware I was able to make the workarounds recommended by Microsoft, test the changes and deploy them to the production environment within 24 hours. No need to compromise what my customers want or worry that I was vulnerable.

It’s a new world out there that the automation industry has managed to ignore for quite a long time but, as this event has shown, we are not immune to the threats and we have to adapt. The first shot in the battle was pretty benign if you look at all the details of what it does but the next one will likely not be so easy to catch and block. The next attack might be to take a vulnerable system hostage and not release it until a ransom is paid. That’s already been done with database systems. If you think we can just pull in all of our network connections and isolate ourselves the way it was 10 years ago then you don’t know your customers. They want the real-time data on their desktops and web applications and if you can’t or won’t give it to them they will find someone who will. Take a look at the publicly available documentation from NIST, DOD and DOE on securing SCADA systems. It could save your career and possibly someone’s life.

Of course not all procedures involving USB devices are part of a change management workflow (eg. incremental backup).