Food Engineering
  Home
  Subscribe
  eNewsletter
  Contact Us
  Subscription Customer Service
  Online
  Calendar
  e-Learning Center
  Webinars
  White Papers
  Automation News
  Food Safety News
  Current Issue
  Cover Story
  Features
  Manufacturing News
  Dry Processing
  Food Packaging
  Technology Sourcebook
  Resources
  Digital Edition Archive
  Archives
  Classified Ads
  Food Master
  Industry Links
  Replacement Parts Directory
  Special Reports
  Market Research
  Conferences & Events
  Food Automation & Manufacturing Conference
  Process Technology Xchange
  Food Safety & Security Summit
  FE Info
  Media Kit
  Reprints
  Related Publications
Search in: EditorialProductsCompanies
Malware affects Siemens WinCC and PCS7 equipment

July 19, 2010

ARTICLE TOOLS
EmailEmailPrintPrintReprintsReprintsshareShare

 


UPDATE: Microsoft releases patch

UPDATE—Microsoft has released a patch for the Stuxnet vulnerability, and Byres Security has updated its recommendations for addressing this critical SCADA-focused software worm. A revised white paper “Siemens PCS7 WinCC Malware” is available for download by all Tofinosecurity.com members now.

Readers can become a member by signing up. There is no charge, and Byres has created a very complete program to ensure member privacy.

Byres Security has also begun a blog called Practical SCADA Security. The intent is to provide clear and simple guidance when situations like Stuxnet occur.


The unwanted software’s main purpose may be industrial espionage

<div>Stuxnet malware</div>
Eric Byres, industrial network security specialist and chief technology officer of Byres Security Inc., reports investigating a new family of threats called Stuxnet, which appears to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability. 

At the same time Byres also reports a concerted Denial of Service (DOS) attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists. At least one of these services, he says, was brought down and taken off line.

Byres has been able to determine the following:

  • This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008  and Windows 7.
  • There are no patches available from Microsoft at this time, although there are some work-arounds (see below).
  • This malware is in the wild and probably has been for the past month.
  • The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
  • The malware is propagated via USB keys. It may also be propagated via network shares from other infected computers.
  • Disabling AutoRun does not help! Simply viewing an infected USB key using Windows Explorer will infect your computer.
  • The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.

The only known work-arounds are:

  • Do not install any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not.
  • Disable the displaying of icons for shortcuts (this involves editing the registry).
  • Disable the WebClient service.
Byres extracted and summarized the relevant data, and has assembled it in a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks.” Registered site users can freely download the white paper, and new visitors may register. Byres screens every new registration, so there may be a delay in processing. Byres may be contacted at 250-390-1333.

|PrintEmail

Did you enjoy this article? Click here to subscribe to the magazine.
BNP Media