A malware program called Stuxnet recently made headlines when it attacked a piece of industrial software called WinCC. It may be the first instance of a software weapon aimed specifically at industrial control systems (ICS).

WinCC runs on Microsoft Windows and is the supervisory control and data acquisition (Scada) system by Siemens, which controls valves, pipelines, and industrial equipment. WinCC lets programmers connect to the ICS’s PLC via a data cable to reconfigure its memory, download code and data, and debug previously loaded code.

Stuxnet exploits a security gap in Windows, infecting computers via USB sticks and shared folders. When the operator is using WinCC to program a PLC, the malware inserts a data block (DB) of assembly language bytecode, for instance, DB890, into the PLC memory. From then on, the Trojan can intercept and modify read and write requests sent to the PLC from any programming package – and, under certain conditions, alter the behavior of the ICS. The malware hides the infection from the PLC programmer.

According to Siemens, it was notified about the Trojan in July and soon provided its customers with a tool for download that detects and removes the virus without influencing plant operations. In August, Microsoft closed the security breach in Windows, eliminating the threat of the Trojan spreading uncontrolled through industrial settings. All of the main virus scanners such as Trend Micro, McAfee, and Symantec can now detect the Trojan.

From mid-July to late October, Siemens received reports on a total of 16 Stuxnet infections in various plants, about one third of which were in Germany. According to the company, it is not aware of any case where production operations were influenced or a plant failed. The virus has been removed in all cases known to Siemens.

However, to be on the safe side, Siemens has isolated the Trojan on a test system to investigate it more closely. Tests have shown that the Trojan does not appear to be the random work of one hacker, but rather was developed by a team of experts. It is suspected that the team includes IT experts with engineering knowledge of industrial controls.

According to Siemens, the threat to industrial systems will remain uncertain until investigations into the Trojan are complete. Siemens does not yet have any leads on the origin of the malware, but analyses are ongoing. For this reason, the company stresses the importance of securing IT systems and computers against virus attacks using the latest virus scanners and installing the most recent O/S patches.