Siemens Control Systems in Cyber Security Scare

On Monday July 19, industrial cyber security expert Eric Byres of Byres Security revealed the existence of a new family of threats called Stuxnet that appears to be aimed at Siemens SCADA and process control system products via a previously unknown Windows vulnerability.

According to Byres, the known variations of the malware are specifically directed at Siemens WinCC and PCS7 products, with the malware being propagated via USB key. It may be also be propagated via network shares from other infected computers.

"The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens," said Byres.

Speaking to Control Engineering Asia yesterday (July 20), Byres further elaborated: "What is really interesting is that that this is the first public case of malware focused specifically on a control system. Usually control systems were just collateral damage from IT-focus viruses. Now SCADA is a target.

"Engineers also need to understand that the Stuxnet malware is designed to infect (and will) any Windows platform, not just ones running Siemens software. Once the PC is infected, the effects and further attacks are determined by a series of encrypted "data blobs" that are loaded into the PC’s memory.

"The blobs decoded so far target Siemens products. There is no reason they could not go after other products, especially if the writer knows any default passwords. I am aware of at least one other variation of Stuxnet that has not been decrypted."

Meanwhile, Siemens has issued the following statement:

"Immediately upon notification of the virus on July 14, Siemens assembled a team of experts to evaluate the situation and began working with Microsoft and the distributors of virus scan programs to analyze the virus.

"The Trojan/virus is spread via a USB stick, using a security breach in Microsoft Windows. The virus, which affects operating systems from XP upward, detects Siemens WinCC and PCS7 programs and their data.

"Siemens has now established through its own tests that the software is capable of sending both process and production data via the Internet connection it tries to establish. However, tests have revealed that this connection is not completed because the communication partners/target servers are apparently inactive. As part of the ongoing analysis, Siemens is checking to see whether the virus is able to send or delete plant data, or change system files.

"We are informing our customers and investigating how many systems could be affected. Currently, there is only one known case in Germany of infection which did not result in any damage. We do not have any indication that WinCC users in other countries have been affected.

"What platforms are affected/may be affected? Based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface. Normally every plant operator ensures, as part of his security concept, that non-restricted access to critical SCADA system data via a USB interface is not possible. Additional protective devices like firewalls and virus scanners can also prevent Trojans/ viruses from infiltrating the plant."