• Newsletters
  • INDUSTRY PERSPECTIVES
  • TECHNICAL RESOURCES
  • WEBINARS
  • SUBSCRIBE
  • CP Journey
    1. Safety/Security
    2. Security

    Potentially Serious Threat Targets Control Systems

    July 22, 2010
    Threats appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability.

    According to Byres Security Inc., a new family of threats called Stuxnet appears to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability.  Byres also discovered a concerted Denial of Service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line.

    Eric Byres, P.E., and Chief Technology Officer of Byres, offers these facts:

    • This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008  and Windows 7.
    • There are no patches available from Microsoft at this time (There are workarounds, which I will describe later).
    •  This malware is in the wild and probably has been for the past month.
    • The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
    • The malware is propagated via USB key. It may be also be propagated via network shares from other infected computers.
    •  Disabling AutoRun does not help! Simply viewing an infected USB using Windows Explorer will infect your computer.
    • The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.

    The only known workarounds  are:
    • NOT installing any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not
    • Disable the displaying of icons for shortcuts (this involves editing the registry)
    • Disable the WebClient service

    Byres and his team have written a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks.” www.tofinosecurity.com/professional/siemens-pcs7-wincc-malware . If you would like to download the white paper, you will need to register on the website. Byres notes that the whitepaper is in a secure area. People who are already www.tofinosecurity.com web members do not need to reregister.

    Continue Reading

    Sponsored Recommendations

    Keys to Improving Safety in Chemical Processes (PDF)

    Many facilities handle dangerous processes and products on a daily basis. Keeping everything under control demands well-trained people working with the best equipment.

    Get Hands-On Training in Emerson's Interactive Plant Environment

    Enhance the training experience and increase retention by training hands-on in Emerson's Interactive Plant Environment. Build skills here so you have them where and when it matters...

    Managing and Reducing Methane Emission in Upstream Oil & Gas

    Measurement Instrumentation for reducing emissions, improving efficiency and ensuring safety.

    Micro Motion 4700 Coriolis Configurable Inputs and Outputs Transmitter

    The Micro Motion 4700 Coriolis Transmitter offers a compact C1D1 (Zone 1) housing. Bluetooth and Smart Meter Verification are available.

    Latest from Security

    Most Read

    Sponsored