Invensys OpsManage '10, Stuxnet and USB Keys

Just flying back from OpsManage '10, the Invensys Users Group meetings that have been going on all week in Florida. I missed a few days, so I can’t comment on some of the early presentations, but three things did catch my eye.

It was no surprise that Stuxnet was a hot topic, but I was pleasantly amazed at how many end-users were talking about changes their company has made in light of the worm. If this was a Siemens event it wouldn’t have surprised me, but remember that this was a conference full of people who don’t have WinCC or S7 PLCs in their plants, so it would be understandable if company management had stuck to business-as-usual. Clearly they hadn’t, which is good news.

1. Security policy for USB drives

The number one Stuxnet-driven change attendees discussed was in the area of security policy for USB drives. It must be a good month for sales of silicone and those little USB port locks (for example, http://www.lindy-usa.com/usb-port-blocker-pack-of-4-colour-code-blue/40452.html), because those were the two solutions that I heard 99% of the time.

Filling USB ports full of silicone might be a little rough and ready, but if it works for you...

Frankly, the solution that showed the most promise was a software-based technology from McAfee called McAfee Device Control.

Originally designed to stop confidential data from heading out the door on CD or USB drives, it allows users to set policy on exactly what can be copied to or from specific mobile devices or media. I like it because the Device Control product provides granular control over exactly which devices can and cannot be used and what can and cannot be transferred. For example, a company could specify that USB drives purchased by the company for plant floor use are acceptable, but the drive found in the parking lot is off limits.

I think that granularity is important for two reasons. First, it is easy to decree that all USB drives are banned from the plant floor. Unfortunately, the reality is that there are many cases when the drives are very useful and the lesser of two security evils.

Imagine the network connection to a plant floor device (like a switch) fails and you need the diagnostics data to figure out why. To my way of thinking, plugging in a USB drive to download the logs is a lot safer than plugging in a laptop, but a complete ban on USB drives can force people to resort to a less secure option (or just not get the diagnostics at all).
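The "company drives are acceptable, the parking-lot drive is not" policy described above can be sketched as a check over Windows USB storage device instance IDs. This is an added example, not McAfee Device Control's implementation or configuration; the approved list and sample IDs are constructed, and it assumes IDs in the standard USBSTOR form, where an instance ID whose second character is '&' means the drive reported no serial number of its own.

```python
import re

# Constructed allowlist: (vendor, product, serial) of company-purchased drives.
APPROVED = {("SANDISK", "CRUZER", "200524439316A8B0")}

# Windows device instance ID for USB mass storage:
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<lun>
_ID = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)"
    r"&Rev_(?P<rev>[^&\\]*)\\(?P<inst>[^\\]+)$",
    re.IGNORECASE,
)

def evaluate(instance_id):
    """Return (decision, reason) for one device instance ID."""
    m = _ID.match(instance_id.strip())
    if not m:
        return ("block", "not a recognisable USBSTOR disk ID")
    inst = m.group("inst")
    # Second character '&' means Windows generated the ID because the drive
    # reported no serial, so the ID cannot single out one physical drive.
    if len(inst) > 1 and inst[1] == "&":
        return ("block", "no device-unique serial")
    serial = inst.rsplit("&", 1)[0]  # drop the trailing "&<lun>" suffix
    key = (m.group("ven").upper(), m.group("prod").upper(), serial.upper())
    if key in APPROVED:
        return ("allow", "approved company drive")
    return ("block", "drive not on approved list")

# Constructed sample IDs: an approved drive, the same model with an unknown
# serial, and a drive that exposes no serial number at all.
SAMPLES = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\200524439316A8B0&0",
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\AA04012700008731&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0&0",
]

def audit(ids):
    """Evaluate every ID and return (id, decision, reason) tuples."""
    return [(i, *evaluate(i)) for i in ids]

if __name__ == "__main__":
    for iid, decision, reason in audit(SAMPLES):
        print(f"{decision:5} {reason:28} {iid}")
```

Matching on vendor and product alone would let the second sample through, which is why the check keys on the serial and refuses drives that do not expose one.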

2. Device control software

Second, the Device Control software appears to be effective on ALL the USB ports on a computer, not just the open ones. Remember you really can’t plug or lock every USB port – you need some open for that keyboard or mouse. After all the Stuxnet noise has died down, it will be too easy for someone to forget why those locks are on the other ports and plug the USB drive into the keyboard port to get the urgently needed data.

I haven’t tested the Device Control product yet, so stay tuned. I plan to see what it does with Stuxnet and to see how easy it is to deploy in a plant environment. Also I will be looking to see if there are other products that might be equally effective. But Invensys staff tells me their control systems will support the McAfee solution, so that is promising. If anyone has used the McAfee product or any other solution on their control system, send us your experiences.

3. Triconex Tofino firewall

The other security news was about the Triconex Tofino Firewall, a product the Tofino Security Team helped create. The product was officially released this week and is now shipping. Invensys has created a number of documents about the firewall; the newest is a security applications note that we have posted on our site.

And for a future news item – well, unfortunately I have been told that I can’t blog about it yet (you had to be in the room at OpsManage '10 to know the secret). Keep following the blog and I will let you know as soon as I can.



Comments


PJ Coyle has posted some interesting commentary on this post at the Chemical Facility Security News blog link:

http://chemical-facility-security-news.blogspot.com/2010/10/scada-securi...

He discusses the challenges of separating control systems and office computers, the need to avoid knee-jerk solutions to security problems, and the necessity for a well thought out plan to address Stuxnet.
