Gary Mintchell's Feed Forward

A panel of experts on cyber security met virtually on the Web for a panel discussion on the Stuxnet worm attack on Siemens WinCC on Tuesday. It was enlightening. Wes Iversen at Automation World has a report on the discussion. The program is archived for later viewing. You can register to view it here.

Moderator:

Patrick Miller
Technical Director, NERC CIP Practice
ICF International
millerpatrick.c@gmail.com

Panelists:

Eric Byres
Co-founder and Chief Technology Officer
Byres Security Inc.
eric@byressecurity.com

Andrew Ginter
Chief Technology Officer
Industrial Defender
aginter@industrialdefender.com

Dale Peterson
Founder and Director of the Control System Security Practice
Digital Bond, Inc.
peterson@digitalbond.com

Mark Zanotti
Vice President of Engineering and CTO
Lofty Perch, Inc.
mzanotti@loftyperch.com

I just received an email about a Panel Discussion Webinar, "The Stuxnet Worm: Reality check for automation system security." I've interviewed both Eric Byres and Andrew Ginter, so I'm sure that there will be good information.

The promo copy reads, "Industry experts cut through the noise to analyze the impact of the reported malware targeting Siemens Simatic WinCC SCADA systems and the implications for Industrial Control Systems operators, vendors and security providers."

When: Tuesday July 27th, 11 am - 12 noon eastern time

Moderator: Patrick C. Miller - ICF International

Panelists:
Eric Byres - Tofino
Andrew Ginter - Industrial Defender
Dale Peterson - Digital Bond
Mark Zanotti - Lofty Perch

What an unfortunate situation where someone is exploiting a hole in Microsoft Windows, but the target happens to be using a software product from Siemens. But you have to give Siemens a ton of credit. A team of experts immediately jumped into the muck. They've found the hole, searched customers and found the infected one, and now they have released a tool to detect and remove the virus. It is available for download here. And every day an explanatory release comes out to keep everyone informed. And all this in less than a week.

I just received an update from Siemens Industry. Right now, the target appears to be Siemens (my guess is a particular target of "industrial espianage" but who knows). I would caution everyone, though to read this and take the steps to ensure you're not introducing anything into your systems. Who knows who might be next?

This is the Siemens statement in full:

Immediately upon notification of the virus on July 14, Siemens assembled a team of experts to evaluate the situation and began working with Microsoft and the distributors of virus scan programs to analyze the virus.

The Trojan/virus is spread via a USB stick, using a security breach in Microsoft Windows. The virus, which affects operating systems from XP upward, detects Siemens WinCC and PCS7 programs and their data.

Siemens has now established through its own tests that the software is capable of sending both process and production data via the Internet connection it tries to establish. However, tests have revealed that this connection is not completed because the communication partners/target servers are apparently inactive. As part of the ongoing analysis, Siemens is checking to see whether the virus is able to send or delete plant data, or change system files.

We are informing our customers and investigating how many systems could be affected. Currently, there is only one known case in Germany of infection which did not result in any damage. We do not have any indication that WinCC users in other countries have been affected.

What platforms are affected/may be affected? Based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface. Normally every plant operator ensures, as part of his security concept, that non-restricted access to critical SCADA system data via a USB interface is not possible. Additional protective devices like firewalls and virus scanners can also prevent Trojans/ viruses from infiltrating the plant.

The following solutions are being developed:

• Microsoft will be offering an update (patch) that will close the security breach at the USB interface.
• Suppliers of virus scanning programs have prepared up-to-date virus signatures that are currently being tested by Siemens. The virus scanners will be able to help detect and eliminate the virus.
• Siemens is also developing a software tool that customers can use to check a Windows PC and determine if it has been infected by the virus. The tool will be distributed via the Siemens Advisory: English; German.
• Siemens will also be providing a Simatic Security Update with all the necessary functions.

What immediate action should customers take?

• Do not use any USB sticks
• Install updates as soon as they become available.

Just in from Siemens Industry:

"Siemens was notified about the malware program (Trojan) that is targeting the Siemens software Simatic WinCC and PCS 7 on July 14.  The company immediately assembled a team of experts to evaluate the situation and is working with Microsoft and the distributors of virus scan programs, to analyze the likely consequences and the exact mode of operation of the virus.

"It has so far been established that the Trojan, which spreads via USB sticks and uses a Microsoft security breach, can affect Windows computers from XP upward. 

"Siemens is taking all precautions to alert its customers to the potential risks of this virus. We have reached out to our sales team and will also speak directly to our customers to explain the circumstances. We are urging customers to carry out an active check of their computer systems with WinCC installations. There are already three virus scan programs recommended for Siemens systems from Trend Micro, McAfee and Symantec, the latest versions of which can detect the Trojan. The effect of deploying these programs on the runtime environment are currently being analyzed and an approval will be issued shortly."