Observations about the Siemens PLC vulnerability - update

July 19, 2010

After having the weekend to think about the disclosure and reading a number of the articles about the vulnerability, there are several big picture items that need to be addressed. To date, researchers have found that the virus collects information and sends it elsewhere (industrial espionage). However, researchers have not identified all of the payload capabilities, including whether or not it can compromise data or affect controller operation.

Big Picture Issues
- Use of digital signatures: To get past Windows systems that require digitally signed drivers, a common configuration in control system environments, the malware carries a signature made with a certificate issued to semiconductor maker Realtek. That signature is not legitimate; the certificate belongs to Realtek, not to whoever wrote the malware. This has significant ramifications for key management in Smart Grid, DNP3 and similar deployments: a signature check only proves that someone held the signing key, not that the signer is who the certificate names.
- Applicability: The malware was "tailored" to the Siemens SIMATIC WinCC/PCS 7 environment. However, as Eric Byres notes in his white paper, "...Furthermore, any Windows systems can be infected by this malware, regardless of whether or not Siemens software is present."
This raises the question of whether other ICS HMI (Human Machine Interface) vendors have examined their systems to determine whether this malware can affect them. The situation may be analogous to the GE XA/21 alarm-processing software flaw that contributed to the 2003 Northeast blackout. How many other SCADA vendors have similar hidden software flaws?
- Applicable testing: The NERC CIP standards and NRC Regulatory Guide 5.71 have testing requirements. However, those requirements may not exercise the path this malware takes (removable media and the rendering of shortcut icons), so a system can pass them and still be exposed.
- Lack of adequate ICS cyber forensics: What should an end user look for? Intrusion Detection Systems (IDS) watch network traffic; they are not designed to detect an infection arriving on removable media such as a USB drive.
- Disclosure process: US-CERT is treating this as a Microsoft problem rather than a control system problem. The US-CERT site has it identified as "Microsoft Windows LNK Vulnerability," with no mention of Siemens or control systems. It points to Microsoft Security Advisory 2286198, where Microsoft is treating this as a user privileges problem. Siemens is not identified in the Microsoft Advisory. As of July 19, this vulnerability is not shown on the US-CERT Control Systems website.
- Workarounds: Workarounds can have serious side effects. Disabling the display of icons for shortcuts means shortcut files and Internet Explorer shortcuts no longer show an icon; operators who navigate an HMI desktop by icon will find this unacceptable. Disabling the Web Client service prevents Web Distributed Authoring and Versioning (WebDAV) requests from being transmitted, any service that explicitly depends on the Web Client service will not start, and an error is logged in the System log; for example, WebDAV shares become inaccessible from that computer. This too can have unacceptable impacts for the end user. Any SNMP connection can be a vector in, yet ICSs need these connections. Patching is also a problem, since many ICSs cannot be patched for significant periods of time.
- Need for secure ICSs by design: Windows ships with too many components that are simply not needed for ICS applications and that only add attack surface. For example, why run a DHCP client when ICS hosts have static IP addresses? ICS workstations should not carry applications such as Instant Messenger (IM), email or Internet Explorer. Consequently, there is a need for a "skinny" version of Windows with only the components that are needed and with software updates that do not require rebooting the system. Additionally, many control system vendors continue to keep "back doors" in order to support their customers. The Siemens SIMATIC practice of giving users administrator privileges by default and running MSSQLServer as SYSTEM is not unusual. Neither is the practice of hardcoding default passwords into firmware.
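On the forensics question above ("what should an end user look for?"), one concrete check is to triage the .lnk files found on removable media and on HMI workstations. Microsoft's advisory describes the flaw as code being loaded merely to display a specially crafted shortcut's icon, and a shortcut whose link-target ID list names a .dll or .cpl on a removable drive is exactly the shape that abuse takes. The script below is an added example written for this page; it is not Joe Weiss's code, not a Siemens or Microsoft tool, and the sample shortcuts it inspects are constructed in the script itself (the file name `E:\payload_sample.dll` is made up). It is a heuristic that parses the shell-link header, the ID list and the string fields; it is not a complete LNK parser and does not look at the extra data blocks at the end of a file.

```python
"""Heuristic triage of Windows .LNK files for the icon-handler code-loading
pattern: a shortcut whose link-target ID list carries the path of a .dll/.cpl,
which the shell would load just to draw the icon.  Added example with
constructed sample data; not an artefact from any real infection."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LOADABLE_EXT = (".dll", ".cpl")
TRUSTED_ICON_PREFIXES = ("%systemroot%", "c:\\windows")


def parse_lnk(data: bytes) -> dict:
    """Parse the 76-byte ShellLinkHeader, the LinkTargetIDList and the
    StringData fields.  LinkInfo is skipped by its declared size."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos, item_ids, strings = 0x4C, [], {}
    if flags & HAS_LINK_TARGET_ID_LIST:
        end = pos + 2 + struct.unpack_from("<H", data, pos)[0]
        pos += 2
        while pos + 2 <= end:
            size = struct.unpack_from("<H", data, pos)[0]
            if size == 0:            # TerminalID closes the list
                break
            item_ids.append(data[pos + 2:pos + size])
            pos += size
        pos = end
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * count
    return {"flags": flags, "item_ids": item_ids, "strings": strings}


def utf16_strings(blob: bytes, min_len: int = 4):
    """Yield printable-ASCII runs encoded as UTF-16LE, at either alignment."""
    for start in (0, 1):
        run = []
        for i in range(start, len(blob) - 1, 2):
            lo, hi = blob[i], blob[i + 1]
            if hi == 0 and 0x20 <= lo < 0x7F:
                run.append(chr(lo))
                continue
            if len(run) >= min_len:
                yield "".join(run)
            run = []
        if len(run) >= min_len:
            yield "".join(run)


def triage_lnk(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing odd."""
    lnk, findings = parse_lnk(data), []
    for n, item in enumerate(lnk["item_ids"]):
        for s in utf16_strings(item):
            if s.lower().endswith(LOADABLE_EXT):
                findings.append(f"ItemID[{n}] names a loadable module: {s}")
    icon = lnk["strings"].get("icon_location", "")
    if icon.lower().endswith(LOADABLE_EXT) and not icon.lower().startswith(TRUSTED_ICON_PREFIXES):
        findings.append(f"icon comes from a DLL outside the Windows directory: {icon}")
    return findings


def build_lnk(item_ids=(), icon_location=None) -> bytes:
    """Build a minimal shell link for testing (constructed data, UTF-16 strings)."""
    flags, body = IS_UNICODE, b""
    if item_ids:
        flags |= HAS_LINK_TARGET_ID_LIST
        id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in item_ids) + b"\x00\x00"
        body += struct.pack("<H", len(id_list)) + id_list
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
        body += struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(0x4C - 24)
    return header + body


# Constructed samples: an item whose data carries the path of a DLL on a USB
# drive (the pattern to hunt for), and an ordinary shortcut with a shell32 icon.
SAMPLE_SUSPICIOUS = build_lnk(item_ids=(bytes(16) + "E:\\payload_sample.dll".encode("utf-16-le") + b"\x00\x00",))
SAMPLE_BENIGN = build_lnk(item_ids=(b"\x1f\x50" + bytes(18),),
                          icon_location="%SystemRoot%\\system32\\shell32.dll")

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage_lnk(sample) or "no findings")
```

To run it over a mounted USB stick, feed `triage_lnk(open(path, "rb").read())` every `*.lnk` found on the volume (recursively, and with hidden files included, since the shortcuts and the module they point at are typically hidden). A hit is not proof of infection, but it is a file that deserves to be pulled for analysis before the stick is plugged into anything else.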

I see two major areas that need to get fixed soon. The ICS community really didn’t think the hacking world was taking this seriously. They are! The ICS community needs to take securing these systems seriously. Secondly, the ICS community needs to be in the loop on disclosures. The US CERT approach given above is broken and needs to be fixed ASAP.

Joe Weiss
