Post written by Kent Dahlgren
A recently discovered worm called Stuxnet is affecting industrial control systems worldwide, with over half of the infections occurring in the United States. The worm exploits a zero-day vulnerability present in unpatched Windows software and is targeting supervisory control and data acquisition (SCADA) systems. These systems are used to operate power plants and gas and oil refineries, and the worm uses the default password either (1) to steal very critical information on how these plants run, or (2) to access the control system and do major damage. It’s spreading fast and furious in Siemens SCADA systems, and users are panicking.
How could Tripwire solutions have helped?
Tripwire Enterprise offers native Windows agents, which could have been configured to detect changes to specifically defined files. Even if a site didn’t allow an agent to be installed on a Windows machine, we’d still be able to easily configure a new node type that logs in remotely and checks those files.
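The core of the file-change detection described above, reduced to a baseline-then-compare check over a fixed list of watched files, as an added illustration that is not Tripwire’s code; the file names and contents in demo() are constructed, and an absent watched file is recorded as None so that a file dropped into a monitored location is reported as "added":

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(paths):
    """Record a hash for each watched path; None marks a path that does not exist yet."""
    return {p: (hash_file(p) if os.path.isfile(p) else None) for p in paths}

def compare(baseline, current):
    """Return (path, change_type) for every watched path whose state differs."""
    changes = []
    for path, old in baseline.items():
        new = current.get(path)
        if old == new:
            continue
        if old is None:
            changes.append((path, "added"))
        elif new is None:
            changes.append((path, "removed"))
        else:
            changes.append((path, "modified"))
    return changes

def demo():
    """Constructed scenario: one watched config file is altered, one new file appears."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "controller_config.ini")      # constructed name
    dropped = os.path.join(d, "unexpected_driver.sys")  # constructed name
    with open(cfg, "w") as f:
        f.write("mode=normal\n")
    watched = [cfg, dropped]
    base = take_baseline(watched)          # snapshot of the known-good state
    with open(cfg, "a") as f:              # simulate tampering with the config
        f.write("mode=changed\n")
    with open(dropped, "wb") as f:         # simulate an unexpected file arriving
        f.write(b"constructed sample bytes")
    return compare(base, take_baseline(watched))

if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind}: {path}")
```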
Similarly, Tripwire Log Center can collect and evaluate the events from a Windows machine. A correlation rule could be written that detects the unique behavior of the worm. Tripwire Log Center would also pick up on the worm’s unique behavior from other network devices (firewalls, etc.).
Using both products together adds correlation capabilities that put your changes and logs in context, providing visibility into your IT infrastructure (including SCADA systems), the intelligence to surface events of interest, and the automation to alert on and remediate changes that could take you out of a secure state.