This is not something to panic about. This is just a topic to learn about. We typically attach our common work machines to the same network as the machines that control projectors and ticket systems. The lesson of StuxNet is that a breach of one is a breach of all. The lesson of the US Department of Defense is that employees must learn the basics of how systems can be infected and how to stop those infections. A simple USB stick allowed an infection that later allowed people to download secure documents from other countries through the US defence department systems.
Now Duqu, which appears to be targetting machine control systems in much more clever ways than Stuxnet and capable of many future variations. Let’s not forget that Digital Cinema Systems are machine control systems. The nature of the infection is to wildly scatter then wait for the new slaves to start chattering back where someone then checks to see what kind of fish has been caught. Then they put a list up on the ‘black hat’ web sites announcing Systems With Access Holes and trade your life for a few hundred dollars.
Here are some of the more recent articles. Make certain that there is someone in your organization who learns to stay on top of these things. Don’t pass it off to an outside group without also having employee training. This is a quality control issue. Put someone in charge.
Good News:
DuquDetector released to forensically detect pest – The H Security: News and Features
Not so good News
How much similar? Remotely Opening Prison Doors Schneier on Security
Cyber Intrusion Blamed for Hardware Failure at Water Utility — Krebs on Security
Stolen government certificate signed malware – The H Security: News and Features
Compromised certificates: Revocations alone are insufficient – The H Security: News and Features
Malware Signed With a Governmental Signing Key – F-Secure Weblog : News from the Lab
Old but relevent news: