Siemens Under Cyber Attack

Monday, July 19, 2010 @ 11:07 AM gHale


Siemens WinCC and PCS7 products are now the victim of a malware attack via a Windows vulnerability, said Eric Byres, chief technology officer at Byres Security.
Byres also said he sees a concerted Denial of Service attack against a number of the SCADA information networks such as the SCADASEC and ScadaPerspective mailing lists, which knocked at least one of these services offline.
Byres said the facts are:
• This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.
• There are no patches available from Microsoft at this time, however there are some workarounds.
• This malware is in the wild and probably has been for the past month.
• The known variations of the malware specifically target Siemens WinCC and PCS7 Products.
• The malware propagates via USB key. It may also be propagated via network shares from other infected computers.
• Disabling AutoRun does not help. Simply viewing an infected USB using Windows Explorer will infect your computer.
• The objective of the malware appears to be industrial espionage in an effort to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
There are workarounds, Byres said, but they are few and far between.
First, don’t install any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled. Also disable the displaying of icons for shortcuts (this involves editing the registry), and disable the WebClient service.
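A read-only PowerShell audit of the two host-level workarounds listed above, added here as an example; it is not from the original article, Siemens or Microsoft. The registry location of the shortcut icon handler (the `lnkfile` and `piffile` `IconHandler` keys) is an assumption not given on this page, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the two host-level workarounds.
# Assumption (not on the page): the shortcut-icon workaround is applied by
# clearing the default value of these IconHandler keys.
$IconHandlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)

function Test-ShortcutIconWorkaround {
    param([string[]]$Keys = $IconHandlerKeys)
    foreach ($key in $Keys) {
        $value = $null
        if (Test-Path -LiteralPath $key) {
            # GetValue('') returns the key's default (unnamed) value.
            $value = (Get-Item -LiteralPath $key).GetValue('')
        }
        $cleared = [string]::IsNullOrEmpty([string]$value)
        $detail = 'default value empty or key absent'
        if (-not $cleared) { $detail = "handler still registered: $value" }
        [pscustomobject]@{ Check = $key; Applied = $cleared; Detail = $detail }
    }
}

function Test-WebClientWorkaround {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) {
        return [pscustomobject]@{ Check = 'WebClient service'; Applied = $true
                                  Detail = 'service not installed' }
    }
    # Applied only if it cannot start again and is not running right now.
    $ok = ($svc.StartMode -eq 'Disabled') -and ($svc.State -ne 'Running')
    [pscustomobject]@{ Check = 'WebClient service'; Applied = $ok
                       Detail = "StartMode=$($svc.StartMode), State=$($svc.State)" }
}

$results = @(Test-ShortcutIconWorkaround) + @(Test-WebClientWorkaround)
$results | Format-Table -AutoSize -Wrap
if ($results | Where-Object { -not $_.Applied }) {
    Write-Warning 'At least one workaround is not applied on this host.'
}
```

The script changes nothing on the host; it only reports which workarounds are in place.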
Siemens sent an email to customers July 14 warning them of the cyber-threat. The company has assembled a team of experts to evaluate the situation.
“We are urging customers to carry out an active check of their computer systems with WinCC installations and use updated versions of anti-virus software in addition to remaining vigilant about IT security in their production environments,” said Michael Krampe, director of media relations for Siemens Industry Inc.
Microsoft has issued a security advisory for the vulnerability, which it says affects all versions of the Windows operating system, including Windows 7. The company has seen the bug exploited only in limited, targeted attacks, Microsoft said.


