Posts Tagged ‘PCS 7’

Monday, November 24, 2014 @ 05:11 PM gHale

Siemens released software updates to address two critical vulnerabilities in its SIMATIC WinCC supervisory control and data acquisition (SCADA) system, one of which could end up exploited remotely.

The German industrial products giant also released software updates for WinCC, PCS 7 and TIA Portal products, and said it is working on additional updates for other versions of the affected products.


SIMATIC WinCC monitors and controls physical processes involved in industry and infrastructure, and sees action in industries such as oil and gas, chemical, food and beverage, water and wastewater.

PCS 7 is a distributed control system (DCS) integrating SIMATIC WinCC, and TIA Portal is the company’s engineering software used for SIMATIC products.

The first vulnerability (CVE-2014-8551) within WinCC is critical, with a CVSS Base Score of 10.0. The flaw could allow remote code execution for unauthenticated users if specially crafted packets end up sent to the WinCC server, according to the security advisory from Siemens ProductCERT.

The second vulnerability (CVE-2014-8552), also in a WinCC component, could allow an unauthenticated attacker to extract arbitrary files from the WinCC server by sending specially crafted packets to the server. However, in order to exploit this flaw, the attacker must have network access to the affected system, Siemens said.

While Siemens prepares additional software updates, the company’s ProductCERT team suggests customers mitigate the risk to their systems by implementing the following steps:
• Always run WinCC server and engineering stations within a trusted network
• Ensure the WinCC server and the engineering stations communicate via encrypted channels only (e.g. activate feature “Encrypted Communications” in WinCC V7.3 (PCS 7 V8.1), or establish a VPN tunnel)
• Restrict access to the WinCC server to trusted entities
• Apply up-to-date application whitelisting software and virus scanners

Wednesday, February 27, 2013 @ 11:02 AM gHale

A form of the Stuxnet worm used to cripple Iran’s nuclear program was in existence two years longer than first believed.

In addition, there is evidence the military-grade malware’s origins date back to 2005, and possibly earlier, a new report from Symantec said.

Members of the Symantec Security Response team found an earlier version of the highly sophisticated malcode, called “Stuxnet 0.5.” Experts previously thought the earliest version dated back to 2007. Discovered in July 2010, the virus was designed to surreptitiously disrupt the Natanz uranium enrichment facility in Iran.


First reports had Stuxnet getting its attack green light in the waning moments of George W. Bush’s presidency in 2009. At the time, President Bush wanted to sabotage the electrical and computer systems at Natanz, which is a fuel enrichment plant in Iran. After Bush left office, President Barack Obama accelerated the program, said former senior intelligence officials, one of whom worked for the National Intelligence office.

Stuxnet is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The worm used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures.

Widely considered among the most complicated coding in the malware world, Stuxnet homed in on computers running the Siemens software at 14 known industrial sites. The malware shut off valves that supplied uranium hexafluoride gas into centrifuges, thereby damaging a uranium enrichment system by letting pressure build until the gas solidified.

“In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values during an attack so that the operators are unaware that the system is not operating normally,” the Symantec researchers said. “It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle.”

In analyzing the oldest known version of Stuxnet, researchers found the worm was in development as early as November 2005 and released in the wild two years later. Its programming called for it to stop communicating with its command-and-control servers on Jan. 11, 2009 and stop spreading via infected USB keys on July 4 of the same year. But a number of dormant infections were detected last year around the world, almost half in Iran and 21 percent in the United States.

Later versions became far more aggressive in propagating and exploiting vulnerabilities. It also appears the developers of Stuxnet 0.5 were people with access to Flamer source code, unlike the later versions, which were built on the Tilded platform.

“The existence of unrecovered versions of Stuxnet, both before version 0.5 and especially between versions 0.5 and 1.001, are likely,” according to a Symantec blog post.

As ISSSource reported back in October 2011, Stuxnet was a comprehensive U.S.-Israeli program designed to disrupt Iran’s nuclear technology. This joint program first surfaced in 2009 and worked in concert with an earlier U.S. effort that consistently sabotaged Iran’s purchasing network abroad.

The groundwork for the attack plan began much earlier though. In 2007, Idaho National Laboratory (INL) inked a development contract with Siemens the purpose of which was to help Siemens study its own computer weaknesses, the sources said. Quite a few suppliers have these types of pacts with INL to test platforms to find and resolve weaknesses.

Wednesday, October 5, 2011 @ 04:10 PM gHale

By Richard Sale
Stuxnet had its true origin in the waning moments of George W. Bush’s presidency in 2009, said former senior intelligence officials, one of whom worked for the National Intelligence office.

At the time, President Bush wanted to sabotage the electrical and computer systems at Natanz, which is a fuel enrichment plant in Iran. After Bush left office, President Barack Obama accelerated the program, these sources said.

The groundwork for the plan began much earlier though. In 2007, Idaho National Laboratory (INL) inked a development contract with Siemens the purpose of which was to help Siemens study its own computer weaknesses, the sources said. Quite a few suppliers have these types of pacts with INL to test platforms to find and resolve weaknesses.


In 2008, shortly after Siemens brought in the system for analysis, the Department of Homeland Security got wind of it and teamed with INL to study the Siemens PCS 7 and Step 7 platform, which runs all sorts of sensors and machines in the process control system, the sources said.

As it turned out the system they were testing was also the same system running the nuclear enrichment plant in Natanz.

While that analysis was going on, and after much consultation and research, U.S. intelligence officials decided the new target was going to be the P1, a machine for enriching uranium, which was used by Pakistan to manufacture its nuclear bomb. It was also being used in Iran at the Natanz facility. While the P1 centrifuge, which uses an aluminum rotor, can be made without gathering much attention, it can be very difficult to put together.

The United States got a batch of P1s when Libya gave up its nuclear program in 2003. In 2004, nuclear and computer experts, assembled by the CIA, began to study the P1’s weaknesses, which were “glaring,” one of the sources said.

While they are not sure of the time frame, the sources said Israel at some point also got hold of one P1. Shortly thereafter, Israel had row upon row of P1s at its Dimona Research Center, which has been the chief site for development of Israel’s nuclear weapons including its Jericho intermediate range missile. They became the “real masters” of the P1 centrifuge technology, these sources said.

Stuxnet is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The worm used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures.

The worm used at least four zero-day exploits and had Microsoft Windows driver modules signed using genuine cryptographic certificates stolen from respectable companies, contained about 4,000 functions, and utilized advanced anti-analysis techniques to render reverse engineering difficult.

The goal of Stuxnet was to hit Iran’s uranium enrichment facility at Natanz, 160 miles south of Tehran. That plan worked as the virus worked its way through the Siemens system and manipulated the arrays of centrifuges, which do the enriching, to self-destruct.

The attack hurt Iran’s nuclear program, which Israel and the United States say is to produce nuclear weapons. Tehran denies that.

A separate source from the Defense Intelligence Agency (DIA) confirmed Stuxnet was a U.S.-Israel program attacking Siemens’ hardware. An additional senior official at DIA said Stuxnet could now be considered a potential weapon of mass destruction (WMD). Both DIA officials requested anonymity.

As a result of Stuxnet, Iran is now in the process of working on a counter to the worm that hit their nuclear enrichment facility causing serious damage over the past few years, said a former CIA official and current Middle East security consultant close to the situation.

Additionally, while the worm still exists in Iran’s nuclear system, cyber experts have found a way to bypass it, said the source who spoke on the condition of anonymity.

Whether the Iranians are working on a counter to strike the various governments they feel are involved, or are planning a similar attack on industrial control systems, is unknown at this time, the sources said.

While the political issues continue to volley back and forth, one of the key lessons from the attack is if someone remains focused and dedicated to get into your system, an attack will happen. It is just a matter of how well a manufacturer can defend that system.

Stuxnet was pure sabotage, security experts have said.

As mentioned, Stuxnet infected systems by exploiting vulnerabilities on Microsoft Windows. Uploaded to the computer through, among other things, a USB drive, shared network files, or SQL databases, Stuxnet targeted Siemens SIMATIC WinCC and PCS 7 control systems.

If this software was running, Stuxnet looked for a particular configuration of industrial equipment and then launched an attack designed to manipulate certain microcontrollers to perform erratically while reporting normal functioning to operators of the system.

Among the zero-day vulnerabilities, it exploited the AutoRun functionality on Windows to infect computers from USB drives. It then used a hardcoded default password for the Siemens management application to compromise the machine before taking over the specialized industrial-control computers that ran a proprietary operating system from Siemens.

The worm also hijacked the facility’s monitoring system to falsely show the machines were functioning normally, preventing officials from catching on to what was really happening.

From an industrial control system standpoint, Stuxnet showed just how complex and interconnected a typical control system is. Potential pathways exist right from the outside world, through the Enterprise Control Network and down to the process controllers.

Because of this complexity, Stuxnet had many possible pathways to get to its target process.

In one attack vector, an infected USB storage drive could have first compromised one of the Support Stations and gained direct entrance to the Perimeter or Process Control networks. (Support Stations connecting via the Back-Firewall will have a trusted connection to the Process Control Network, whereas the Support Stations connecting via the Front-Firewall typically only get access to the semi-trusted Perimeter Network.) Alternatively, a PLC programming laptop, used and infected at another site, might have gone directly into the Control Network and been used to program the target PLCs. In these situations, the worm would have completely circumvented quite a few of the security controls proposed by the Siemens Security Concept documents.

While the worm remains persistent and Iranians are finding it difficult to eradicate it, cyber experts there have found a way to bypass it, one source said.

The end result of the Stuxnet attack, though, as reported in an August ISSSource.com dispatch, is that Iran is still replacing thousands of expensive damaged centrifuges.

One report by the news organization DEBKAfile had Iran replacing an estimated 5,000 centrifuges to remove the threat.

Iran may have had 8,700 centrifuges in operation at the Natanz facility when Stuxnet hit sometime in 2009. International Atomic Energy Agency officials said up to 25 percent of those centrifuges were inoperable as of January 2010.

The Institute for Science and International Security released a report in February that said there was limited damage caused to Iran’s uranium enrichment program. Sources told DEBKAfile the opposite. The source said Iran’s nuclear operations will never return to “normal operation.”

In following the worm’s path, security experts believe Stuxnet came about to target and then disable Iran’s nuclear enrichment facilities.

When asked directly in a CNBC documentary that aired May 26 whether the United States was involved with creating Stuxnet, Deputy Defense Secretary William Lynn declined to deny or confirm the charge. “And this is not something that we’re going to be able to answer at this point,” Lynn said.

While it was not the first attack against an industrial control system, the sophistication and power of the attack means manufacturing automation companies, not to mention countries around the world, need to beef up their cyber security capabilities.

While Stuxnet specifically targeted Siemens industrial process control computers used in nuclear centrifuge operations, other industrial process automation and control systems are open for attack. That means network operators have to assess their threat exposure level and how to mitigate it.

Richard Sale was United Press International’s Intelligence Correspondent for 10 years and the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.

Thursday, February 24, 2011 @ 09:02 AM gHale

EDITOR’S NOTE: Stuxnet was elegant in its sophistication and then quietly moved and evolved over a period of time while buried deep within a system. Make no mistake about it, though, this was a vicious attack on an industrial control system with the intent to destroy. While there has been some resolution as to the masterminds behind the attack, understanding how the worm was able to infiltrate a secure control system remains a top priority. Security professionals Eric Byres, Andrew Ginter and Joel Langill teamed to publish a white paper entitled “How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems.” This is the first part in a series of stories detailing just how the Stuxnet worm was able to penetrate a system, and how automation professionals can keep an eye out for the next type of attack.

By Eric Byres, Andrew Ginter and Joel Langill
Stuxnet is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The worm used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures.

Since its discovery, there has been extensive analysis of Stuxnet’s internal workings. What has not been discussed is how the worm might have migrated from the outside world to supposedly isolated and secure industrial control systems (ICS). Understanding the routes that a directed worm takes as it targets an ICS is critical if automation professionals want to close off these vulnerable pathways to future worms.

To help address this gap, this series of stories will talk about the system under attack, describe a hypothetical industrial site that follows the high security architecture and best practices defined in vendor documents, show how Stuxnet can slither its way through defenses to take control of the process and cause physical damage, and lay out what automation professionals can learn from the analysis of pathways in order to prevent infection from future ICS worms.

Part I: Stuxnet attacked the Siemens SIMATIC PCS 7; Why that system?
Part II: How did Stuxnet infect a system?
Part III: A “high security site” targeted by Stuxnet or the Next Gen of Stuxnet-like worms.
Part IV: How Stuxnet infected a minor computer and then got deep inside a control system.
Part V: What should this mean for security of industrial control systems in the future?
Download the complete White Paper at Tofino Security.

This analysis works off an accepted best practice security model. Unfortunately, this model does not often see use because system architectures in the real world are typically much less secure.

What we found researching Stuxnet and what you will learn over this series is:

  • A modern ICS or Supervisory Control and Data Acquisition (SCADA) system is highly complex and interconnected, resulting in multiple potential pathways from the outside world to the process controllers.
  • Assuming an air-gap between ICS and corporate networks is unrealistic, as information exchanges are essential for process and business operations to function effectively.
  • All mechanisms for transfer of electronic information (in any form) to or from an ICS must undergo a security risk evaluation. Focusing security efforts on a few obvious pathways (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense.
  • Industry must accept the complete prevention of ICS infection is probably impossible and that instead of complete prevention, industry must create a security architecture that can respond to the full life cycle of a cyber breach.
  • Industry must address the containment of attacks when prevention fails and aggressively segment control networks to limit the consequences of compromise. In particular, securing last-line-of-defense critical systems, such as safety integrated systems (SIS), is essential.
  • Combining control and safety functionality in highly integrated ICS equipment exposes systems to common-cause security failures. For critical systems, diversity is important.
  • Providing security by simply blocking or allowing entire classes of protocols between manufacturing areas is no longer sufficient. Stuxnet highlights the need for the deep packet inspection (DPI) of key SCADA and ICS protocols.
  • The Remote Procedure Call (RPC) protocol is an ideal vector for SCADA and ICS attacks because it sees use for so many legitimate purposes in modern control systems.
  • Industry should start to include security assessments and testing as part of the system development and periodic maintenance processes in all ICS.
  • There is a need to improve the culture of industrial security among management and technical teams.

If the critical infrastructures of the world are to be safe and secure, then the owners and operators need to recognize that their control systems are now the target of sophisticated attacks. Improved defense-in-depth postures for industrial control systems are needed urgently. Thinking this was a once in a lifetime attack would be incorrect, so waiting for the next worm may be too late.

Some products in the Siemens SIMATIC line, including PLCs, operator stations and engineering stations.

Undetected Paths
Since the discovery of the Stuxnet worm in July 2010, there has been extensive analysis by Symantec, ESET, Langner and others of the worm’s internal workings and the various vulnerabilities it exploits. Understanding the design of the worm helps antivirus product vendors make better malware detection software.

But the question of how the worm was able to migrate from the outside world to a supposedly isolated and secure industrial control system is what this analysis is all about. To the owners and operators of industrial control systems, this matters. Other worms will follow in Stuxnet’s footsteps and understanding the routes a directed worm takes as it targets an ICS is critical. Only by understanding the full array of threats and pathways into a SCADA or control network can critical processes be truly secure.

It is easy to imagine a trivial scenario and the corresponding solution:

Scenario:
Joe finds a USB flash drive in the parking lot and brings it into the control room where he plugs it into the PLC programming station.

Solution: Ban all USB flash drives in the control room.

While this may be a possibility, it is far more likely that Stuxnet traveled a circuitous path to its final victim. Certainly, the designers of the worm expected it to – they designed at least seven different propagation techniques for Stuxnet to use. This is why we conducted a more realistic analysis of penetration and infection pathways.

This analysis addresses this gap by analyzing a range of potential “infection pathways” in a typical ICS. Some of these are obvious, but others less so. By shedding light on the multitude of infection pathways, we hope the designers and operators of industrial facilities can take the appropriate steps to make control systems much more secure from all threats.

Core functional components of the Siemens SIMATIC PCS 7 control system.

Understanding the Siemens PCS 7
In order to understand the attack Stuxnet performed against its victim, you have to understand Siemens ICS systems. Thus a brief overview of the Siemens SIMATIC PCS 7 architecture is in order. We will start with a few general terms:

  • SIMATIC is a comprehensive term used by Siemens, which includes their portfolio of industrial automation solutions ranging from machine vision to distributed I/O systems and programmable controllers.
  • SIMATIC WinCC is a process visualization system that comprises the core SCADA system. It works with Siemens-branded control equipment, such as the S7 line of programmable logic controllers (PLC), or it can act independently with control products from other vendors.
  • The SIMATIC STEP 7 software environment is specifically for the configuration and programming of the Siemens S7 line of controllers.
  • SIMATIC PCS 7 is an integrated solution, composed of S7 PLCs, WinCC visualization software, and the STEP 7 configuration software.

To understand the SIMATIC PCS 7 system, it is important to separate the functional components called “systems” from their platform components, which commonly carry names like “stations” or “servers.” The SIMATIC PCS 7 control system breaks into three functional components:

  • Operator System (OS)
  • Automation System (AS)
  • Engineering System (ES)

The Operator System (OS) permits the secure interaction of the operator with the process under control of PCS 7. The Operator System architecture is highly flexible, but always consists of a client and server function, which can work on the same or separate physical platforms.

The Automation System (AS) is the name given to the class of programmable logic controllers (PLC) used with PCS 7. This includes the Microbox solution based on a software controller running on a standard computer, and the S7-300 and S7-400 lines of hardware controllers.

The Engineering System (ES) consists of software responsible for configuring the various PCS 7 system components. The ES is further broken down into the engineering software required to configure either the Operator System (OS) or Automation System (AS).

With that behind us, we can focus on the software and platform components which are the main players in the SIMATIC PCS 7 system:

  1. OS Server: The OS Server is one of the two components utilized within the PCS 7 Operator System. The OS Server accesses system level information from the AS components (i.e. the controllers) and provides all process data to OS Clients. The OS Server also works for data collection and archival. However, you can only retrieve this data on OS Clients. OS Servers connect to the Process Control Network (sometimes called the “terminal bus”) and the Control System Network (or “plant bus”). The AS controllers also connect to the Control System Network.
  2. OS Client: The OS Client is the operator terminal that receives data from one or more OS Servers. The OS Server and OS Client may be installed on the same hardware platform in smaller systems, or distributed into a true client-server configuration on larger configurations. OS Clients connect to the Process Control Network.
  3. WinCC Server: The WinCC Server is the second major component in the Operator System. It acts as the core server for the Human Machine Interface client/server system, allowing multiple, coordinated HMI client stations to operate together with process data, archive data, messages, screens and reports. The WinCC Server, like the OS Servers, connects to the Process Control Network and the Control System Network.
  4. WinCC Client: The WinCC Client is part of the general-purpose WinCC SCADA visualization package used to provide monitoring and control of a particular manufacturing process. When installed with other PCS 7 and OS components, it provides an integrated automation solution incorporating reliable communications, diagnostics functions, and integrated engineering activities. In a typical system, the WinCC client is installed on the same hardware platform as the OS Client, and connects to the Process Control Network.
  5. Web Navigation Server: The Web Navigation Server provides the capability to monitor and control the process from external workstations interconnected via an Enterprise Control Network like a company Intranet (or even the Internet) using standard browser technology. The Web Navigation Server is installed on a WinCC Server that manages the connection to the PCS 7 system. The Web Navigation Server connects to the Perimeter Network.
  6. OS Web Server: The OS Web Server provides the ability to access PCS 7 information remotely functioning in a similar fashion to the Web Navigation Server. Unlike the clients using the Web Navigation Server for access to visualization displays of the underlying PCS 7 system, the OS Web Server provides standard Internet access to PCS 7 data functions like process values, archives, alarms and messages, historical trend data, etc. This may include connections from systems such as Manufacturing Execution Systems (MES) or Enterprise Resource Planning (ERP) systems that reside on the Enterprise Control Network. The OS Web Server connects to the Perimeter Network.
  7. CAS Server: The Central Archive Server (CAS) provides central data management and long-term data archival. This data is then accessible on local PCS 7 OS stations (OS Client, WinCC Client) on the Process Control Network and external workstations on the Enterprise Control Network using a standard Internet browser. The CAS Server connects to the Perimeter Network.
  8. Engineering Station: An Engineering Station can either connect to the Process Control Network, or it can reside remotely as a Support Station. This platform contains all PCS 7 client software components, including the OS Client, WinCC Client, and STEP 7 configuration tools.

This is a basic overview of how a Siemens PCS 7 system is defined.
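The component list above can be turned into a quick pathway inventory, which is the question the series sets out to answer: which hosts sit on more than one network, and how many routes lead from the Enterprise Control Network down to a controller. The script below is an added example, not code from the article or the white paper; the component-to-network mapping is taken from the text, while the Front-/Back-Firewall links and the assumption that the Web Navigation Server shares its WinCC Server host’s network interfaces are labelled assumptions in the comments.

```python
from collections import defaultdict, deque

# Network attachment of each PCS 7 component, as stated in the article.
# "AS Controller" stands in for the S7 PLCs, which the article says sit on
# the Control System Network.  Constructed from the text, not a real site.
COMPONENT_NETWORKS = {
    "OS Server": {"Process Control Network", "Control System Network"},
    "OS Client": {"Process Control Network"},
    "WinCC Server": {"Process Control Network", "Control System Network"},
    "WinCC Client": {"Process Control Network"},
    # ASSUMPTION: the Web Navigation Server is installed on a WinCC Server,
    # so the same host carries that server's networks plus the Perimeter.
    "Web Navigation Server": {
        "Perimeter Network", "Process Control Network", "Control System Network",
    },
    "OS Web Server": {"Perimeter Network"},
    "CAS Server": {"Perimeter Network"},
    "Engineering Station": {"Process Control Network"},
    "AS Controller": {"Control System Network"},
}

# ASSUMPTION based on the Front-/Back-Firewall description earlier on the
# page: the Front-Firewall joins the Enterprise Control Network to the
# Perimeter Network, the Back-Firewall joins the Perimeter Network to the
# Process Control Network (the trusted Support Station path).
FIREWALL_LINKS = [
    ("Enterprise Control Network", "Perimeter Network", "Front-Firewall"),
    ("Perimeter Network", "Process Control Network", "Back-Firewall"),
]


def build_graph():
    """Undirected graph: networks, components and firewalls are all nodes.

    A component is adjacent to every network it attaches to, so a path that
    enters a component on one network and leaves on another is exactly a
    dual-homed host bridging two zones.
    """
    adj = defaultdict(set)
    for comp, nets in COMPONENT_NETWORKS.items():
        for net in nets:
            adj[comp].add(net)
            adj[net].add(comp)
    for a, b, fw in FIREWALL_LINKS:
        adj[a].add(fw)
        adj[fw].add(a)
        adj[b].add(fw)
        adj[fw].add(b)
    return adj


def bridging_hosts():
    """Components attached to more than one network (zone-bridging hosts)."""
    return sorted(c for c, nets in COMPONENT_NETWORKS.items() if len(nets) > 1)


def shortest_path(src, dst):
    """Breadth-first search; returns the node sequence from src to dst or None."""
    adj = build_graph()
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def all_paths(src, dst, max_len=8):
    """Enumerate simple paths of at most max_len nodes: the pathway inventory."""
    adj = build_graph()
    found = []

    def walk(node, path):
        if node == dst:
            found.append(list(path))
            return
        if len(path) >= max_len:
            return
        for nxt in sorted(adj[node]):
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(src, [src])
    return found


if __name__ == "__main__":
    print("Zone-bridging hosts:", bridging_hosts())
    route = shortest_path("Enterprise Control Network", "AS Controller")
    print("Shortest route to a controller:", " -> ".join(route))
    print("Distinct routes:", len(all_paths("Enterprise Control Network", "AS Controller")))
```

Every route found passes through one of the dual-homed servers, which is why the white paper treats those hosts, rather than the firewalls alone, as the places where segmentation and monitoring matter most.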

Part II will explore Stuxnet itself and the tools it had in its arsenal to attack a PCS 7 system.

Eric Byres, P. Eng., ISA Fellow, is the chief technology officer at Byres Security Inc. (eric@byressecurity.com); Andrew Ginter, CISSP, is the chief technology officer at Abterra Technologies (aginter@abterra.ca) and Joel Langill, CEH, CPT, CCNA, is the chief security officer at SCADAhacker.com (joel@scadahacker.com) and Dept. of Critical Infrastructure Officer with The Cyber Security Forum Initiative (csfi.us).

Wednesday, September 22, 2010 @ 12:09 PM gHale

By Gregory Hale
Stuxnet just won’t go away as Microsoft said the worm exploited four additional zero day flaws, and two of those four remain unpatched.
Now the speculation begins with experts saying various facilities, including a nuclear reactor in Iran or a nuclear enrichment facility also in Iran were among the targets. No one has confirmed those were the actual targets, officials said.
“Security experts agree that the purpose of the worm is sabotage of an industrial process,” said Andrew Ginter, chief security officer at Industrial Defender. “The details that have been released regarding the design of the worm no longer support the theory that the purpose was information theft.”
“Whoever designed this knew what they were doing,” said Eric Byres, chief technology officer at Byres Security. “It is pretty clear now it was developed to disable a process and destroy equipment.”


Siemens learned about the malware program (Trojan) targeting the Siemens software Simatic WinCC and PCS 7 on July 14. The company immediately formed a team to evaluate the situation and worked with Microsoft and the distributors of virus scan programs, to analyze consequences and the exact mode of operation of the virus.
The Trojan, which spreads via USB sticks and exploits a Microsoft security vulnerability, can affect Windows computers from XP upward.
According to analysis of the worm from Siemens, the virus can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data. This means the malware is able, under certain boundary conditions, to influence the processing of operations in the control system. However, this behavior has not yet been verified in tests or in practice.
Also, the behavioral pattern of Stuxnet suggests the virus is apparently only activated in plants with a specific configuration, Siemens said. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. This pattern can, for example, be localized by one specific data block and two code blocks.
This means Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications, according to the Siemens analysis.
This conclusion also coincides with the number of cases known to Siemens where the virus was detected but had not been activated, and could be removed without any damage being done up to now. This kind of specific plant was not among the cases that we know about.
To date, Siemens said 15 systems were infected worldwide. In none of these cases did the infection cause an adverse impact to the automation system, Siemens said.
“To find one zero day is rare, but to come up with four zero days and to steal certificates and to find and exploit flaws in Siemens code is amazing,” Byres said. “It is an amazing professional project. Absolutely no one person could do this.”
“We are in a weapons race here,” Byres said. “This is a crash lesson for everybody on how to recognize malware.”
“The consensus out there is this was a weapon,” Ginter said. “There is a lot of technology in Stuxnet. It has a lot of stuff in it. Now it looks like somebody’s infrastructure has been targeted. It has been proven it can be done; who else will pick up on it? We will see other attacks like this.”
“Everyone gets hung up on the payload, and how it wrapped itself around some key WinCC drivers,” said Joel Langill, security consultant and staff engineer at ENGlobal Automation Group. “It is a brilliant piece of malicious code, but that is not the only thing that this malware has demonstrated. It has shown that the overall security posture of control systems still tends to be weak in addressing cyber threats.”
In a blog post last week, Alexander Gostev, who heads the Global Research and Analysis Team at Kaspersky Lab, said “Until now, most of the focus has been on the LNK/PIF vulnerability which Stuxnet exploits in order to spread via removable storage media and networks. But this has turned out not to be Stuxnet’s only surprise. The worm doesn’t just spread by using the LNK vulnerability. Once it’s infected a computer on a local network, it then attempts to penetrate other computers using two other propagation routines.
“Firstly, Stuxnet is designed to exploit MS08-067, the same vulnerability used by Kido (aka Conficker) at the beginning of 2009. The exploit code that Stuxnet uses to target MS08-067 is slightly different to that used by Kido. However, what’s really interesting is the second propagation routine.
“In addition to exploit code for MS08-067, Stuxnet contains an exploit for a previously unidentified vulnerability in the Print Spooler service; this vulnerability makes it possible for malicious code to be passed to, and then executed on, a remote machine. Two files (winsta.exe and sysnullevent.mof) appear on attacked systems. It’s not just the way in which the malicious code gets on to the remote machine which is interesting, but also how the code then gets launched for execution.
“As soon as we identified the vulnerability we informed Microsoft about the problem and they confirmed our findings. The vulnerability has been identified as “Print Spooler Service Impersonation Vulnerability” and rated “critical”. Today Microsoft released MS10-061, a patch which fixes this vulnerability.
“Analysis of the vulnerability shows computers with shared access to a printer are at risk of infection.
“During analysis, we searched our collection for other malicious programs capable of using this vulnerability. Happily, we didn’t find anything.
“On top of all this, we’ve identified yet another zero-day vulnerability in Stuxnet’s code, this time an Elevation of Privilege (EoP) vulnerability. The worm uses this to get complete control over the affected system. A second EoP vulnerability was identified by Microsoft personnel, and both vulnerabilities will be fixed in a security bulletin in the near future.
“The fact that Stuxnet uses four previously unidentified vulnerabilities makes the worm a real standout among malware. It’s the first time we’ve come across a threat that contains so many “surprises”. Add to this the use of Realtek and JMicron certificates, and remember that Stuxnet’s ultimate aim is to access Simatic WinCC SCADA systems.
“Stuxnet was undoubtedly created by professionals who’ve got a thorough grasp of antivirus technologies and their weaknesses, as well as information about as yet unknown vulnerabilities and the architecture and hardware of WinCC and PCS7.”
The worm that hit Siemens’ Simatic WinCC and PCS 7 users has been around for over a year and at the beginning of the new year its creators made it more sophisticated, officials said.
A Symantec researcher said they identified an early version of the worm created in June 2009, but it wasn’t until early this year when the malicious software became much more intense.
This earlier version of Stuxnet acts in the same way as its current incarnation; it tries to connect with Siemens’s management systems and steal data, but it does not use some of the newer worm’s techniques to evade antivirus detection and install itself on Windows systems.
The number of components and the amount of code used is very large. In addition, the authors’ ability to adapt the threat to use an unpatched vulnerability to spread through removable drives shows the creators of this threat have huge resources available to them and the time needed to spend on such a big task; this is most certainly not a “teenage-hacker-coding-in-his-bedroom” type of operation, Symantec researchers said.
After Stuxnet came to life, its authors added new software that allowed it to spread among USB devices with virtually no intervention by the victim. They also got their hands on keys belonging to chip companies Realtek and JMicron and digitally signed the malware so antivirus scanners would have a harder time detecting it.

Tuesday, July 20, 2010 @ 04:07 PM gHale

There is only one known case of infection in the malware attack on Siemens’ Simatic WinCC and PCS 7, and the company is trying to find out whether the virus caused any damage, a Siemens spokesman said Tuesday.
Siemens is continuing to ramp up its investigation into why and how this attack targeted only the Siemens products.
It seems the software/malware was coded to detect Siemens WinCC and PCS7 programs and their data, said Michael Krampe, director of media relations at Siemens Industry Inc. The company is also investigating who or what was behind the attack, he said.
Krampe said that, based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface.
Normally every plant operator ensures, as part of the security concept, that non-restricted access to critical SCADA system data via a USB interface is not possible, Krampe said. Additional protective devices like firewalls and virus scanners can also prevent Trojans/viruses from infiltrating the plant.
Siemens learned about the malware program (Trojan) targeting the Siemens software Simatic WinCC and PCS 7 on July 14. The company immediately assembled a team of experts to evaluate the situation and worked with Microsoft and the distributors of virus scan programs to analyze the consequences and the exact mode of operation of the virus.
The Trojan, which spreads via USB sticks and uses a Microsoft security breach, can affect Windows computers from XP upward.
Siemens has now established through its own tests the software is capable of sending process and production data via the Internet connection it tries to establish. However, tests have revealed this connection is not completed because the communication partners/target servers are apparently inactive. As part of the ongoing analysis, Siemens is checking to see whether the virus is able to send or delete plant data, or change system files.
Currently, there is only one known case in Germany of infection which did not result in any damage. Siemens officials said they do not have any indication that WinCC users in other countries have been affected.
Three virus scan programs from Trend Micro, McAfee and Symantec can detect the Trojan.
Based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface.
Normally every plant operator ensures, as part of its security concept, that non-restricted access to critical SCADA system data via a USB interface is not possible. Additional protective devices like firewalls and virus scanners can also prevent Trojans/viruses from infiltrating the plant.
The following solutions are under development:
• Microsoft will offer an update (patch) that will close the security breach at the USB interface.
• Suppliers of virus scanning programs have prepared up-to-date virus signatures currently being tested by Siemens. The virus scanners will be able to help detect and eliminate the virus.
• Siemens is also developing a software tool that customers can use to check a Windows PC and determine if it has been infected by the virus. The tool will be distributed via the Siemens Advisory (available in English and German).
Siemens will also be providing a Simatic Security Update with all the necessary functions.
Siemens says users should not use any USB sticks and should install updates as soon as they become available.
The objective of the malware appears to be industrial espionage in an effort to steal intellectual property from SCADA and process control systems, said Eric Byres, chief technology officer at Byres Security. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
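Because WinCCConnect is a shared database account with a vendor default password, the practical defensive control is to watch which hosts actually use it. As an added example (not from the article, Siemens or Byres Security), the Python snippet below parses constructed SQL Server ERRORLOG login-audit lines and flags successful WinCCConnect logins from clients outside an assumed allowlist of WinCC/PCS 7 machines; the line format follows standard SQL Server login auditing, while the hosts, addresses and timestamps are invented.

```python
import re

# Constructed sample of SQL Server ERRORLOG entries with login auditing enabled.
# Addresses and times are made up for illustration.
SAMPLE_LOG = """\
2010-07-20 08:01:12.10 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 192.168.10.21]
2010-07-20 08:02:45.33 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: <local machine>]
2010-07-20 09:17:03.87 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.10.77]
2010-07-20 11:42:19.02 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 192.168.10.77]
2010-07-20 11:42:20.55 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 192.168.10.77]
"""

# Matches the timestamp, outcome, login name and client address of an audit line.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Logon\s+Login (?P<result>succeeded|failed) for user "
    r"'(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Assumed allowlist: the WinCC server itself plus the engineering station
# that is expected to use the shared account (constructed values).
ALLOWED_CLIENTS = {"<local machine>", "192.168.10.21"}


def parse_logins(text):
    """Return one dict per login audit line; lines that are not logins are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def suspicious_wincc_logins(text, account="WinCCConnect", allowed=ALLOWED_CLIENTS):
    """Successful logins with the shared account from clients not on the allowlist.

    A host that is not a WinCC/PCS 7 machine yet authenticates as WinCCConnect
    is exactly the pattern described for the data-extraction stage.
    """
    return [
        e for e in parse_logins(text)
        if e["result"] == "succeeded" and e["user"] == account and e["client"] not in allowed
    ]


if __name__ == "__main__":
    for e in suspicious_wincc_logins(SAMPLE_LOG):
        print(f"{e['ts']} {e['user']} from unexpected client {e['client']}")
```

In production the same check would read the live ERRORLOG (or a SQL Server Audit) rather than the embedded sample, and the allowlist would come from the plant's asset inventory.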
Microsoft has issued a security advisory which, it says, affects all versions of the Windows operating system, including Windows 7. The company has seen the bug exploited only in limited, targeted attacks, Microsoft said.

Monday, July 19, 2010 @ 05:07 PM gHale

The following is an update from Siemens regarding the malware attack on Simatic WinCC and PCS 7:
“Siemens learned about the malware program (Trojan) targeting the Siemens software Simatic WinCC and PCS 7 on July 14. The company immediately assembled a team of experts to evaluate the situation and is working with Microsoft and the distributors of virus scan programs, to analyze the likely consequences and the exact mode of operation of the virus.
“It has so far been established the Trojan, which spreads via USB sticks and uses a Microsoft security breach, can affect Windows computers from XP upward.
“Siemens is taking all precautions to alert its customers to the potential risks of this virus. We have reached out to our sales team and will also speak directly to our customers to explain the circumstances. We are urging customers to carry out an active check of their computer systems with WinCC installations. There are already three virus scan programs recommended for Siemens systems from Trend Micro, McAfee and Symantec, the latest versions of which can detect the Trojan. The effect of deploying these programs on the runtime environment is currently being analyzed and an approval will be issued shortly.
“Additional Information:
• Siemens was notified about a security breach within Microsoft Windows which could potentially affect Simatic WinCC and PCS7.
• The following has so far been established: A malware program (Trojan), which spreads via USB sticks and uses a Microsoft security breach, is targeting the Siemens software Simatic WinCC and PCS 7. Just viewing the contents of the USB stick can activate the Trojan. Siemens recommends avoiding the use of a USB stick.
• The malware can infect any Windows computer from XP upward. According to the latest analyses, once infected, several fragments of the Trojan discharge themselves. The effects of this have not been fully analyzed yet, however; according to the latest information, the Trojan searches the infected computers specifically for installations of Simatic WinCC and PCS 7.
• Siemens experts are working with Microsoft and the distributors of virus scan programs, to analyze the likely consequences and the exact mode of operation of the virus.
• At the same time Siemens has started to develop a solution, which can identify and systematically remove the malware.
• There are already three virus scan programs recommended for Siemens systems from Trend Micro, McAfee and Symantec, the latest versions of which can detect the Trojan. The effect of deploying these programs on the runtime environment is currently being analyzed and an approval will be issued shortly.”
