Stuxnet Attack: An Industry Perspective

Thursday, July 29, 2010 @ 03:07 PM gHale

Users can’t just throw technology at a cyber attack; they have to have a well-thought-out plan that covers technology but also the people aspect to ensure a protected environment, said the panelists on a webinar Tuesday sponsored by security service provider Industrial Defender.
The malware attack, labeled the Stuxnet worm, that struck Siemens’ Simatic WinCC and PCS 7 has heightened awareness of cyber security throughout the industry.
Patrick Miller, technical director NERC CIP practice at ICF International, moderated the panel, which included Eric Byres, chief technology officer at Byres Security; Dale Peterson, founder and director of the network security practice at Digital Bond; Mark Zanotti, vice president of engineering and chief technology officer at Lofty Perch; and Andrew Ginter, chief security officer at Industrial Defender.
On June 17, Ukrainian anti-virus company VirusBlockAda discovered the Stuxnet worm. On July 15, security researcher Frank Boldewin decrypted the worm and found it targeted Siemens’ PCS 7 control systems. This attack put the industry on alert: if it can happen here, it can happen anywhere.
Less than two weeks after the malware attack on Siemens’ Simatic WinCC and PCS 7, two German end users were able to detect the malware and remove it with no damage to their plants.
Siemens released a tool last week that can detect and remove the virus, and more than 3,000 users have downloaded the virus scanner to date. It is available to download at Siemens. In addition to the downloads, just about 50 end users have contacted us on the hotline to get general information, said Michael Krampe, director of media relations at Siemens Industry Inc.
The company is continuing its investigation into the origination of the virus, Krampe said.
It seems the software/malware had code that could detect Siemens WinCC and PCS7 programs and their data, Krampe said.
Based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface, Krampe said.
Normally every plant operator ensures, as part of the security concept, that non-restricted access to critical SCADA system data via a USB interface is not possible, Krampe said. Additional protective devices like firewalls and virus scanners can also prevent Trojans/viruses from infiltrating the plant.
Siemens learned about the malware program (Trojan) targeting the Siemens software Simatic WinCC and PCS 7 on July 14. The company immediately formed a team to evaluate the situation and worked with Microsoft and the distributors of virus scan programs to analyze the consequences and the exact mode of operation of the virus.
The Trojan, which spreads via USB sticks and exploits a Microsoft security vulnerability, can affect Windows computers from XP upward.
Siemens has now established through its own tests that the software is capable of sending process and production data via the Internet connection it tries to establish. However, tests revealed this connection is not completed because the communication partners/target servers are apparently inactive. As part of the ongoing analysis, Siemens is checking to see whether the virus is able to send or delete plant data, or change system files.
Three virus scan programs from Trend Micro, McAfee and Symantec can detect the Trojan.
The objective of the malware appears to be industrial espionage in an effort to steal intellectual property from SCADA and process control systems, said Eric Byres, chief technology officer at Byres Security. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
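Because the malware logs in through the WinCCConnect MSSQL account, SQL Server login auditing is one place a defender can look for it. The following is an added example, not code from the article, Siemens or the panelists: it scans SQL Server error-log login records for use of that account from hosts outside an allowlist. The allowlist, the IP addresses and the sample log lines are constructed assumptions, and login auditing must be enabled on the server for such records to exist.

```python
import re

# Login-audit record layout of the SQL Server error log.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

WATCHED_ACCOUNT = "WinCCConnect"  # account named in the article
# Assumption: hosts expected to use the account (the server itself, one HMI station).
ALLOWED_CLIENTS = {"<local machine>", "192.168.10.21"}

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
2010-07-20 08:15:02.11 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: <local machine>]
2010-07-20 08:15:40.52 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 192.168.10.21]
2010-07-20 09:02:13.87 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 192.168.10.77]
2010-07-20 09:02:14.03 Logon       Login failed for user 'winccconnect'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.10.77]
2010-07-20 09:05:00.00 Logon       Login succeeded for user 'operator1'. Connection made using SQL Server authentication. [CLIENT: 192.168.10.30]
2010-07-20 09:06:00.00 spid51      Starting up database 'tempdb'.
"""


def unexpected_logins(lines, account=WATCHED_ACCOUNT, allowed=ALLOWED_CLIENTS):
    """Return (timestamp, result, client) for every login attempt on `account`
    that came from a client outside the allowlist."""
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not a login-audit record
        # Login names compare case-insensitively under default collations.
        if m["user"].casefold() != account.casefold():
            continue
        if m["client"] not in allowed:
            findings.append((m["ts"], m["result"], m["client"]))
    return findings


if __name__ == "__main__":
    for ts, result, client in unexpected_logins(SAMPLE_LOG.splitlines()):
        print(f"{ts} {WATCHED_ACCOUNT} login {result} from unexpected client {client}")
```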
Microsoft has issued a security advisory on the vulnerability, which it says affects all versions of the Windows operating system, including Windows 7. The company has seen the bug exploited only in limited, targeted attacks, Microsoft said.
