An industrial security expert is warning users of Siemens WinCC SCADA system and PCS7 process control software of “a potentially serious threat” to their systems. Eric Byres, chief technology officer of US-based Byres Security, says that his team has been investigating a family of threats called Stuxnet that appear to be aimed specifically at the Siemens products via a previously unknown Windows vulnerability.

At the same time, there has been a concerted “denial of service” attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services offline.

According to Byres, the objective of the malware appears to be industrial espionage – to steal intellectual property from SCADA and process control systems. The malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.

The facts, as best as he can determine, are that:
♦ This is a zero-day exploit against all versions of Windows including XP, Server, Vista and Windows 7.
♦ There are no patches available from Microsoft yet, although there are workarounds.
♦ The malware has probably been “in the wild” for the past month.
♦  The known variations of the malware are specifically directed at Siemens WinCC and PCS7 products.
♦  The malware is propagated via a USB stick. It may be also be propagated via network shares from other infected computers.
♦ Disabling AutoRun does not help. Simply viewing an infected USB key using Windows Explorer will infect a computer.

The only known workarounds are:
♦ Not installing any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not;
♦ Disabling the displaying of icons for shortcuts (this involves editing the registry);
♦ Disabling the WebClient service

According to a report on the Bloomberg BusinesWeek Web site, Siemens in the US has sent an email to its customers warning them of the cyber-threat which it learned about on 14 July. The company has assembled a team of experts to evaluate the situation.

Siemens Industry spokesman Michael Krampe is quoted as saying: "We are urging customers to carry out an active check of their computer systems with WinCC installations and use updated versions of anti-virus software in addition to remaining vigilant about IT security in their production environments."

Microsoft has issued a security advisory warning of the issue which, it says, affects all versions of the Windows operating system, including its latest Windows 7. The company has seen the bug exploited only in limited, targeted attacks, Microsoft said.

According to a German security analyst, Frank Boldewin, once an infected USB key has been inserted, the virus scans for a Siemens WinCC system or another USB device. It copies itself to any USB device it finds. If it detects the Siemens software, it immediately tries to log in using a default password.

To get around Windows systems that require digital signatures, the virus uses a digital signature assigned to semiconductor maker Realtek. The virus is triggered anytime a victim tries to view the contents of the USB stick.

Wesley McGrew, a US security expert quoted by BusinessWeek, suggests that the virus-writer may have been targeting a specific installation. If the writers had wanted to break into as many computers as possible, they would have tried to exploit more popular SCADA management systems such as Wonderware or RSLogix, he says.

McGrew suggests that the reason for developing the virus might have been for ransom. “Maybe you take over a SCADA system and you hold it hostage for money,” he told BusinessWeek.

According to Eric Byres, his team has attempted to extract and summarise all the relevant data (as of late on 17 July) and assemble it in a short white paper called Analysis of Siemens WinCC/PCS7 Malware Attacks which he has posted on his Web site in a secure area. To download the white paper, you need to register on the Web site. Byres says he will approve registrations as fast as he can. He has chosen to keep the white paper in a secure area because he does not want this information to reach people that do not need to know and might not have the industry’s best interests at heart. Members of Tofino Security’s Web site do not need to re-register

♦  In a statement, Siemens in Germany has told Drives and Controls: "We are currently pursuing the detailed analysis of the emerged malware together with experts from the security community to determine how this relates to the WinCC or PCS 7 software. Our specialists work on a solution at full stretch and we will inform you as soon as possible about new results."