Safeguarding critical infrastructure from the next Stuxnet

27.04.2011

* Install, and if necessary lobby for the ability to install, host-based intrusion prevention. Installing intrusion prevention software directly on industrial control systems is another effective way of preventing a Stuxnet infection. Such a host-based intrusion prevention system would watch for suspicious behavior on the industrial control system itself and, when called for, force a lockdown so that new malware cannot be injected. Many industrial control system developers are reluctant to load third-party software that they will have to validate and support, but Stuxnet demonstrated that the game has changed and greater cooperation is warranted.

* Ensure your tempo of software certificate revocation updating is appropriate. In order to evade detection further and bury itself deeper into targeted systems, Stuxnet used two stolen certificates, one from JMicron and another from Realtek, to make itself appear to be a legitimate program. Both of these certificates were revoked, but on a system that was not kept up to date with certificate revocations, the stolen certificates used by Stuxnet would still have served as an effective deception. There is no reason to think that future threats will not also attempt to exploit compromised certificates.

* Use endpoint management to ensure adequate patching procedures. As previously mentioned, Stuxnet -- like many targeted and non-targeted attacks -- used previously unknown software vulnerabilities to gain access to susceptible systems. Security updates were issued to fix the vulnerabilities exploited by Stuxnet, but unless the patches were actually applied, systems were as vulnerable as ever. Endpoint management solutions can help manage patch updates and ensure they are applied properly. This is especially important for patches issued out-of-band, which are often overlooked because they fall outside the routine patch schedule.

* Capitalize on effective data loss prevention solutions. Data loss prevention technology specializes in finding and preventing internal data spill events. It is not yet widely understood, but many data breach events result from internal data spills left unintentionally by well-meaning insiders. Failing to use data loss prevention technology to identify these spill events, clean them up and encrypt the content simply makes an attacker's job that much easier. In the case of Stuxnet, to target specific organizations the attackers needed sensitive data describing the systems those organizations were running and how they were configured. Denying attackers that detail makes a similar attack in the future much less likely to succeed.

* Where able, employ automated compliance monitoring to root out default passwords. Some industrial control system manufacturers insist that their systems -- no matter where they are deployed -- use default password setups. There may be legitimate reasons for this, but Stuxnet highlighted the obvious weakness in such a strategy: it targeted a specific industrial control system whose default passwords were public knowledge and easily obtained. In environments where default passwords are not necessary -- a situation that will hopefully become more common -- automated compliance monitoring can detect and control default password setups, ensuring default passwords are not used. It also identifies failed password-guessing attempts.
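The two checks named in the last recommendation, shown as an added example that is not part of the original article: one pass compares stored credential hashes against known vendor defaults, the other flags bursts of failed logins in authentication logs. The device inventory, the list of vendor defaults and the log lines are all constructed placeholders, and the log format is an assumption.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder defaults, keyed by account name (not any real product's values).
KNOWN_DEFAULTS = {"admin": ["admin", "password"], "operator": ["operator"]}

def _hash(password, salt):
    # Same salted hash the (assumed) asset database stores, so defaults can be tested offline.
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()

def find_default_credentials(inventory):
    """Return (host, user) pairs whose stored hash matches a known default for that account."""
    findings = []
    for rec in inventory:
        for candidate in KNOWN_DEFAULTS.get(rec["user"], []):
            if _hash(candidate, rec["salt"]) == rec["pw_hash"]:
                findings.append((rec["host"], rec["user"]))
                break
    return findings

# Assumed syslog-like line format for the controller's authentication log.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: FAILED login user=(?P<user>\S+) from=\S+$")

def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (host, user) pairs with at least `threshold` failures inside any `window`."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # successful logins and unrelated lines are skipped
            attempts[(m["host"], m["user"])].append(datetime.fromisoformat(m["ts"]))
    flagged = []
    for key, times in attempts.items():
        times.sort()
        # Sliding window: the i-th and (i+threshold-1)-th failure must be within `window`.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(key)
    return flagged

# Constructed sample data: plc-01 and hmi-01 still use defaults; plc-02 sees a guessing burst.
SAMPLE_INVENTORY = [
    {"host": "plc-01", "user": "admin", "salt": "s1", "pw_hash": _hash("admin", "s1")},
    {"host": "plc-02", "user": "admin", "salt": "s2", "pw_hash": _hash("Xk9!v2q", "s2")},
    {"host": "hmi-01", "user": "operator", "salt": "s3", "pw_hash": _hash("operator", "s3")},
]
SAMPLE_LOG = [
    "2011-04-27T10:00:00 plc-02 auth: FAILED login user=admin from=10.0.0.5",
    "2011-04-27T10:01:10 plc-02 auth: FAILED login user=admin from=10.0.0.5",
    "2011-04-27T10:02:30 plc-02 auth: FAILED login user=admin from=10.0.0.5",
    "2011-04-27T10:00:00 hmi-01 auth: FAILED login user=operator from=10.0.0.9",
    "2011-04-27T11:30:00 hmi-01 auth: FAILED login user=operator from=10.0.0.9",
    "2011-04-27T10:00:05 plc-01 auth: OK login user=admin from=10.0.0.2",
]
```

Running both functions over the sample data reports plc-01 and hmi-01 for default credentials and plc-02 for a failed-login burst, with hmi-01's two widely spaced failures left unflagged.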