Security threat to the control system world!

" threat to the control system world!"

We became aware of this through Gary Mintchell on twitter on Saturday (17th – “News item says virus exploits Windows hole to get Siemens WinCC”). He had heard of it through news feeds. The following are some links from Gary, Control Global and ComputerWorld. The oldest posts at the bottom. Some of these links carry the same basic information.

Siemens themselves became aware of it on 14th July 2010,

Aktuelle Informationen zur Malware in Verbindung mit Simatic-Software

Current information on malware in connection with Simatic Software

Siemen’s statement (19 Jul 2010)

Control Systems a New “Bull’s-eye” for Hackers (Wes Iverson Automation Week)

Stuxnet Siemens SCADA Worm (Industrial Defender – Findings from the Field)

‘Stuxnet’ Trojan Targets Siemens WinCC
(Control Engineering)

Update on Virus Affecting Simatic WinCC SCADA Systems

Siemens Media Advisory regarding the virus affecting Simatic WinCC SCADA Systems
We Knew It Was Only a Matter of Time
Malware hits Siemens software

Observations about the Siemens PLC vulnerability
(Discussion on Control Global)

Latest Siemens Statement on Malware
Siemens SCADA Security Byres Response
(Gary Mintchel)

New virus targets industrial secrets
Microsoft confirms ‘nasty’ Windows zero-day bug

Scada virus
(Chemical Facility Security News)

This morning  (Irish Time – 07.30) the following appeared in the Signpost Mail box. There had been some tweets (notably from Gary Mintchel of Automation World) on this topic over the weekend but this is the first meaty piece about it. We have decided to include the entire text of his email. Text of email from Eric Byres P.Eng., Chief Technology Officer, Byres Security: “I don’t normally send emails about security vulnerabilities or incidents (that is the job of groups like the US CERT), but over the last 72 hours I have become aware of a potentially serious threat to the control system world that might affect your organization. Over the weekend my team has been investigating a new family of threats called Stuxnet that appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability. (Here is the result of a MS’s Malware Protection Center for the term “Stuxnet”: Ed) At the same time I also became aware of a concerted Denial of Service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line. Thus, I decided to create this email to let my friends and associates in the process control and SCADA world know what is happening. As best as I can determine, the facts are as follows: This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008  and Windows 7.

  • There are no patches available from Microsoft at this time (There are work arounds which I will describe later).
  • This malware is in the wild and probably has been for the past month.
  • The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
  • The malware is propagated via USB key. It may be also be propagated via network shares from other infected computers.
  • Disabling AutoRun DOES NOT HELP! Simply viewing an infected USB using Windows Explorer will infect your computer.
  • The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.

The only known work arounds are:

  • NOT installing any USB keys into any  Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not
  • Disable the displaying of icons for shortcuts (this involves editing the registry)
  • Disable the WebClient service

My team has attempted to extract and summarize all the relevant data (as of late Saturday night – 17 July 2010) and assemble it in a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks”which I have posted on my website in a secured area that can be accessed from this page. If you would like to down load the white paper, you will need to register on the web site and I will approve your registration as fast as I can. I have chosen to keep the whitepaper in a secure area as I do not want this information to be propagated to individuals that do not need to know and might not have our industries’ best interests at heart. People who are already web members do not need to reregister. In closing, I have considered long and hard whether to send this email or not, as I don’t want to fill your Inbox with junk. However I think that this is serious enough to warrant that risk for once. And if you don’t wish to receive emails from me on this sort of topic again (that is, if I ever send them again, which I hope I won’t need to), please click on the unsubscribe link below and it will mark you in my address list as a “do not email”. Feel free to foward this to anyone you feel needs to know this information. In closing I hope this information and our white paper summary of the malware will be helpful to you, your organization and the ICS community as a whole.”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: