Does Industry know its I from its T?

Industry IT security shortfalls persist!

A recent survey conducted by Electroustic revealed industry’s unsustainable approach to information security. The survey showed a pressing lack of information about the most common security risks in an age where industrial internet and remote data access are steadily being implemented on the factory floor. An impressive 34 per cent of respondents said their companies don’t have an information security policy.

The survey identified hacking as the biggest security concern – with 31 per cent of respondents worried about it – followed by human error (17 per cent) and cloud computing (11 per cent).

While it’s true that most security breaches are caused by outsider attacks, these often come in the form of malicious software and can easily be averted with the correct staff training and appropriate infrastructure.

“The huge range of available IT security products for industry is a double-edged sword for many companies,” explains Paul Carr, managing director and owner of Electroustic. “Although there are a lot of options to choose from, inexperienced companies can easily end up spending a fortune on IT security systems that might not be appropriate for their specific needs.

“In terms of network security, establishing multi-layered defences using industrial firewalls, like Tofino’s Xenon (pictured), is crucial. A reliable industrial firewall should be easy to implement and manage, while also being versatile and rugged. A good IT security system should ensure a company meets and exceeds NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) requirements and ISA/IEC-62443 Standards.”

User education and awareness are two additional points in the Electroustic survey where respondents didn’t fare particularly well, which suggests industrial companies need to do more to tackle the problem.

User security policies describing best practice when using a company’s Information and Communication Technologies (ICT) systems should be formally acknowledged in employment terms and conditions. Additionally, IT induction programmes should be complemented with regular training on the cyber risks faced as employees and individuals.

The latest industry trends, including industrial internet, remote data access and Industry 4.0 are drastically changing the industry landscape and the skills employees are expected to bring to the table. Companies need to do more to prevent and address IT security breaches and the best way to do so is by training staff, implementing reliable industrial security solutions and keeping up to date with the latest industry developments.

• For companies just starting on the road to industry security, the latest version of the British government’s 10 Steps to Cyber Security guide is available on the GCHQ website.

SCADA, ICS and HMI vulnerabilities


Last week an Italian researcher, Luigi Auriemma, published thirty-four SCADA product vulnerabilities against four SCADA products. “Selling the concept of security for SCADA and ICS might still be struggling, but publishing vulnerabilities for SCADA and ICS equipment seems to be a growth industry,” according to Eric Byres of Byres Security on their blog, The Italian job!, on 23rd March 2011.

Last Friday Joel Langill CSO of blogged on Protecting your ICONICS GENESIS SCADA HMI System from Security Vulnerabilities as they published a white paper providing six actions (also known as compensating controls) that users of ICONICS GENESIS products should take to protect their systems. Operators of other HMI products were advised to consider similar measures.

This morning Byres and Langill released another white paper, Analysis of the 7-Technologies IGSS Security Vulnerabilities for Industrial Control System Professionals, that may be important in protecting Industrial Control and SCADA Systems.

This paper analyses the vulnerabilities of the 7-Technologies IGSS SCADA/HMI system published by Auriemma. Moreover, they state that even if readers do not have this vendor’s products, it may be helpful to review the six Compensating Controls recommended and apply the ones that are relevant to their systems. They say: “Initial analysis seems to indicate that these vulnerabilities only affect IGSS Versions 8 and 9. This is due primarily to the fact that these vulnerabilities focus on a single IGSSdataServer application that is not believed to have existed in prior versions of the software. Until the vendor has posted an official response to these vulnerabilities, increased security diligence should be used based on the recommendations provided in this document.”

Due to the sensitive nature of this white paper, Analysis of the 7-Technologies IGSS Security Vulnerabilities for Industrial Control System Professionals, you must be logged in to the site to access it.

See also: SCADA Vulnerabilities for 7-Technologies on the ISS Source website.

Stuxnet PLC malware white paper update


Do you know what's on that USB Stick?

Since mid-July, the team at Byres Security, under Eric Byres, has been working hard on determining exactly what operators of SCADA and industrial control systems can do to protect their facilities from infection from the Stuxnet worm. This worm is both complex and dangerous to all control systems.

As a result, they have massively updated their Stuxnet white paper, Analysis of the Siemens WinCC / PCS7 ‘Stuxnet’ Malware for Industrial Control System Professionals. There is no charge for this white paper, but you must register on the Tofino Security website. The page also has a link to Englobal’s Joel Langill’s Stuxnet Infection Video, where he does an excellent job of detailing exactly what Stuxnet is doing to a computer and the Siemens Project files.

In the latest version they have created a detailed list of Prevention/Mitigation techniques you can use to protect computers running both supported Windows operating systems and older unsupported systems that cannot be patched. These mitigations are recommended for all control systems, regardless of whether a Siemens product is used or not.

Other changes in this version of the Stuxnet White Paper include:

• A new summary of what Stuxnet is, what its consequences are, and how it is spreading

• A revision to the list of vulnerable systems

• An expanded analysis of the available Detection and Removal tools

If you are not currently a member of the website, you will be asked to become a member. Membership is free and is required to limit this information to bona fide industrial control and security professionals only.

Eric Byres concludes, “I hope this information will be helpful to you, your organization and the ICS community as a whole.”

We first covered this on 19th July 2010 when we carried Eric’s first notification on this worm in “Security threat to the control system world!”. We followed up with Andrew Bond’s analysis, “‘Zero day’ attack on Siemens control system software shows alarming new level of malware sophistication”, in early August, and our last posting on the subject was Nick Denbow’s “Stuxnet – not from a bored schoolboy prankster!” on 21st September 2010. We have also endeavoured to add new relevant information and coverage at the bottom of Nick’s article.

Security threat to the control system world!



We became aware of this through Gary Mintchell on Twitter on Saturday (17th – “News item says virus exploits Windows hole to get Siemens WinCC”). He had heard of it through news feeds. The following are some links from Gary, Control Global and ComputerWorld. The oldest posts are at the bottom. Some of these links carry the same basic information.

Siemens themselves became aware of it on 14th July 2010.

Aktuelle Informationen zur Malware in Verbindung mit Simatic-Software

Current information on malware in connection with Simatic Software

Siemens’ statement (19 Jul 2010)

Control Systems a New “Bull’s-eye” for Hackers (Wes Iverson Automation Week)

Stuxnet Siemens SCADA Worm (Industrial Defender – Findings from the Field)

‘Stuxnet’ Trojan Targets Siemens WinCC
(Control Engineering)

Update on Virus Affecting Simatic WinCC SCADA Systems

Siemens Media Advisory regarding the virus affecting Simatic WinCC SCADA Systems
We Knew It Was Only a Matter of Time
Malware hits Siemens software

Observations about the Siemens PLC vulnerability
(Discussion on Control Global)

Latest Siemens Statement on Malware
Siemens SCADA Security Byres Response
(Gary Mintchell)

New virus targets industrial secrets
Microsoft confirms ‘nasty’ Windows zero-day bug

Scada virus
(Chemical Facility Security News)

This morning (Irish Time – 07.30) the following appeared in the Signpost Mail box. There had been some tweets (notably from Gary Mintchell of Automation World) on this topic over the weekend but this is the first meaty piece about it. We have decided to include the entire text of his email.

Text of email from Eric Byres P.Eng., Chief Technology Officer, Byres Security:

“I don’t normally send emails about security vulnerabilities or incidents (that is the job of groups like the US CERT), but over the last 72 hours I have become aware of a potentially serious threat to the control system world that might affect your organization.

Over the weekend my team has been investigating a new family of threats called Stuxnet that appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability. (Here is the result from MS’s Malware Protection Center for the term “Stuxnet”: Ed)

At the same time I also became aware of a concerted Denial of Service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line. Thus, I decided to create this email to let my friends and associates in the process control and SCADA world know what is happening.

As best as I can determine, the facts are as follows:

  • This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.
  • There are no patches available from Microsoft at this time (There are work arounds which I will describe later).
  • This malware is in the wild and probably has been for the past month.
  • The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
  • The malware is propagated via USB key. It may also be propagated via network shares from other infected computers.
  • Disabling AutoRun DOES NOT HELP! Simply viewing an infected USB using Windows Explorer will infect your computer.
  • The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.

The only known work arounds are:

  • NOT installing any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not
  • Disable the displaying of icons for shortcuts (this involves editing the registry)
  • Disable the WebClient service

My team has attempted to extract and summarize all the relevant data (as of late Saturday night – 17 July 2010) and assemble it in a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks” which I have posted on my website in a secured area that can be accessed from this page. If you would like to download the white paper, you will need to register on the web site and I will approve your registration as fast as I can. I have chosen to keep the whitepaper in a secure area as I do not want this information to be propagated to individuals that do not need to know and might not have our industries’ best interests at heart. People who are already web members do not need to reregister.

In closing, I have considered long and hard whether to send this email or not, as I don’t want to fill your Inbox with junk. However I think that this is serious enough to warrant that risk for once. And if you don’t wish to receive emails from me on this sort of topic again (that is, if I ever send them again, which I hope I won’t need to), please click on the unsubscribe link below and it will mark you in my address list as a “do not email”. Feel free to forward this to anyone you feel needs to know this information.

In closing I hope this information and our white paper summary of the malware will be helpful to you, your organization and the ICS community as a whole.”
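An added example, not part of Eric Byres’s email or the white paper: a Python check of the two machine-verifiable workarounds from the email (shortcut icon display and the WebClient service), run over saved `sc qc WebClient` and `reg query ... /ve` output from a control system host. The registry key `HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler` and the output layouts are assumptions not given on this page, and the sample outputs are constructed.

```python
import re

# Constructed sample command output, not captured from a real host.
SAMPLE_SC_QC = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WebClient
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
"""
# Assumed key for the shortcut icon handler (not stated on the page).
SAMPLE_REG_SET = """
HKEY_CLASSES_ROOT\\lnkfile\\shellex\\IconHandler
    (Default)    REG_SZ    {00021401-0000-0000-C000-000000000046}
"""
SAMPLE_REG_CLEARED = """
HKEY_CLASSES_ROOT\\lnkfile\\shellex\\IconHandler
    (Default)    REG_SZ
"""

def webclient_disabled(sc_qc_text):
    """True only when `sc qc WebClient` output shows START_TYPE 4 (DISABLED)."""
    m = re.search(r"^\s*START_TYPE\s*:\s*(\d+)", sc_qc_text, re.MULTILINE)
    return bool(m) and m.group(1) == "4"

def icon_handler_cleared(reg_query_text):
    """True when the key's default value is listed and holds no handler.

    Older Windows labels the default value <NO NAME>, newer (Default).
    If the line is missing (query failed), the control counts as unverified.
    """
    m = re.search(r"^\s*(?:\(Default\)|<NO NAME>)\s+REG_SZ[ \t]*(.*)$",
                  reg_query_text, re.MULTILINE)
    return bool(m) and m.group(1).strip() in ("", "(value not set)")

def audit_host(sc_qc_text, reg_query_text):
    """Return the list of workarounds that are not in place on this host."""
    findings = []
    if not webclient_disabled(sc_qc_text):
        findings.append("WebClient service is not disabled")
    if not icon_handler_cleared(reg_query_text):
        findings.append("shortcut icon handler is still registered")
    return findings

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_SC_QC, SAMPLE_REG_SET):
        print("FINDING:", finding)
```

The third workaround, keeping USB keys out of Windows systems, is procedural and cannot be read from host configuration, so it is outside this check.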