Updated. Over the weekend of July 17-18, news broke on the “Computerworld” technology Web site about a virus attacking industrial automation giant Siemens’ WinCC and PCS7 industrial control human-machine interface/supervisory control and data acquisition (HMI/SCADA) systems. The virus exploited Microsoft Windows operating systems when Universal Serial Bus (USB) memory sticks are inserted in a host computer and automatically loaded.
Below is the latest response from Siemens Industry Inc. (www.usa.siemens.com/industry) spokesperson Michael Krampe, received on the afternoon of July 20:
Immediately upon notification of the virus on July 14, Siemens assembled a team of experts to evaluate the situation and began working with Microsoft and the distributors of virus scan programs to analyze the virus.
The Trojan/virus is spread via a USB stick, using a security breach in Microsoft Windows. The virus, which affects operating systems from XP upward, detects Siemens WinCC and PCS7 programs and their data.
Siemens has now established through its own tests that the software is capable of sending both process and production data via the Internet connection it tries to establish. However, tests have revealed that this connection is not completed because the communication partners/target servers are apparently inactive. As part of the ongoing analysis, Siemens is checking to see whether the virus is able to send or delete plant data, or change system files.
We are informing our customers and investigating how many systems could be affected. Currently, there is only one known case in Germany of infection which did not result in any damage. We do not have any indication that WinCC users in other countries have been affected.
What platforms are affected/may be affected?
• Based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface.
• Normally every plant operator ensures, as part of his security concept, that non-restricted access to critical SCADA system data via a USB interface is not possible. Additional protective devices like firewalls and virus scanners can also prevent Trojans/ viruses from infiltrating the plant.
The following solutions are being developed:
• Microsoft will be offering an update (patch) that will close the security breach at the USB interface.
• Suppliers of virus scanning programs have prepared up-to-date virus signatures that are currently being tested by Siemens. The virus scanners will be able to help detect and eliminate the virus.
• Siemens is also developing a software tool that customers can use to check a Windows PC and determine if it has been infected by the virus. The tool will be distributed via the Siemens Advisory:
• Siemens will also be providing a Simatic Security Update with all the necessary functions.
What immediate action should customers take?
• Do not use any USB sticks
• Install updates as soon as they become available.
Well-known industrial cyber-security expert Eric Byres and his team conducted a weekend analysis, and Byres has issued a statement and is offering a White Paper analysis. Here is his analysis:
“Over the weekend my team has been investigating a new family of threats called Stuxnet that appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability. At the same time I also became aware of a concerted Denial of Service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line.
“As best as I can determine, the facts are as follows:
• This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.
• There are no patches available from Microsoft at this time (There are work arounds which I will describe later).
• This malware is in the wild and probably has been for the past month.
• The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
• The malware is propagated via USB key. It may be also be propagated via network shares from other infected computers.
• Disabling AutoRun DOES NOT HELP! Simply viewing an infected USB using Windows Explorer will infect your computer.
• The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
• The only known work arounds are:
• NOT installing any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not
• Disable the displaying of icons for shortcuts (this involves editing the registry)
• Disable the WebClient service
“My team has attempted to extract and summarize all the relevant data (as of late Saturday night) and assemble it in a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks” which I have posted on my website in a secured area that can be accessed from www.tofinosecurity.com/professional/siemens-pcs7-wincc-malware .
“If you would like to download the white paper, you will need to register on the web site and I will approve your registration as fast as I can. I have chosen to keep the whitepaper in a secure area as I do not want this information to be propagated to individuals that do not need to know and might not have our industries’ best interests at heart. People who are already www.tofinosecurity.com web members do not need to reregister.”
Here is a list of relevant Websites: