Resources:
Siemens, www. usa.siemens.com

A malware program called Stuxnet recently made headlines when it attacked a piece of industrial software called WinCC. It may be the first instance of a software weapon aimed specifically at industrial control systems (ICS).

WinCC runs on Microsoft Windows and is the supervisory control and data-acquisition (Scada) system by Siemens, Washington, D. C., which controls valves, pipelines, and industrial equipment. WinCC lets programmers connect to the ICS’s PLC via a data cable to reconfigure its memory, download code and data, and debug previously loaded code.

Stuxnet exploits a security gap in Windows, infecting computers via USB sticks and shared folders. When the operator is using WinCC to program a PLC, the virus inserts a data block (DB) of assembly language bytecode — for instance, DB890 — into the PLC memory. From then on, the Trojan can intercept and modify read and write requests sent to the PLC from any programming package — and, under certain conditions, alter the behavior of the ICS. The virus hides the infection from the PLC programmer.

According to Siemens, it was notified about the Trojan in July and soon provided customers with a dowloadable tool that detects and removes the virus without influencing plant operations. In August, Microsoft closed the security breach in Windows, eliminating the threat of Stuxnet’s spreading uncontrolled through industrial settings. All the commonly used virus scanners, such as Trend Micro, McAfee, and Symantec, can now detect the Trojan.

From mid-July to late October, Siemens received reports on 16 Stuxnet infections in various plants, about one-third of which were in Germany. According to the company, it is not aware of any case where production operations were influenced or a plant failed. The virus has been removed in all cases known to Siemens.

However, to be on the safe side, Siemens has isolated Stuxnet on a test system to investigate it more closely. Tests have shown that it does not appear to be the random work of one hacker, but rather was developed by a team of experts. It is suspected that the team includes IT experts with engineering knowledge of industrial controls.

According to Siemens, the threat to industrial systems will remain uncertain until investigations into Stuxnet are complete. Siemens does not yet have any leads on the origin of the virus, but analyses are ongoing. For this reason, the company stresses the importance of securing IT systems and computers against virus attacks using the latest virus scanners and installing the most recent O/S patches.

© 2010 Penton Media, Inc.