C. Warren Axelrod

NIST Special Publication 800-82 Provides Stuxnet Recipe

Many were surprised by the Stuxnet worm that infiltrated into Iranian nuclear materials processing plants and reportedly caused the destruction of centrifuges. But they shouldn’t have been surprised, especially if they had read NIST SP 800-82 “Guide to Industrial Control Systems (ICS) Security,” written by Keith Stouffer, Joe Falco and Karen Scarfone and published in September 2008. The report is available online at the NIST website.

I happened to be looking over this particular NIST report recently and, in the Executive Summary found the following, which I have abbreviated slightly to emphasize the relevant items:

“Possible incidents an ICS may face include the following:

  • Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment …
  • Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects
  • ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects”

Does this sound familiar? Is this not the recipe for Stuxnet? So what was all the commotion about?

The issue here is that, just because organizations, such as NIST, point out how attacks might be structured, it doesn’t mean that the exploit will be developed. There again, it might be created, as it was with Stuxnet. Such anticipatory writings move certain risks from “unknown unknowns” to “knowns” or, at the very least to “known unknowns.” We certainly aren’t able to account for every prediction and anticipatory warning, but when the source is as authoritative as NIST, it is at least worthwhile to consider the implications and respond accordingly

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*