Observations about the Siemens PLC vulnerability

July 18, 2010

On Thursday, July 15, a disclosure was made about the Siemens SIMATIC PLC WINCC cyber vulnerability. Arguably, it is the first malware in the wild targeted specifically at industrial control systems. The following issues concern me:
- Siemens SIMATIC PLCs are used throughout the industrial (more than just critical) and DOD infrastructures globally.
- According to Stephan Brier, every SIMATIC user has the privileges of the fixed sysadmin server role by default, and MSSQLServer is installed with SYSTEM privileges - so much for security by design.
- The drivers were digitally signed with the code-signing certificate of a large and well-known semiconductor manufacturer.
- The malware spreads via USB drives and executes automatically as soon as the shortcut's icon is rendered on a user's screen; no click is required.
- Within about 15 minutes of the notice being posted on Ron Southworth's SCADA listserv and Bob Radvanovsky's SCADA listserv, each was hit with a DoS. Coincidence?
- As of Sunday, July 18, there has been no emergency phone call from NERC CIPC on this vulnerability. Why?
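The sysadmin-by-default and SYSTEM-service points above are the two things an operator can verify on a WinCC host in a few minutes. The following PowerShell is an added example written for this post, not code from Siemens or from the original article; it assumes a local SQL Server instance named WINCC (hypothetical; substitute the site's instance name) and that the caller can connect with Windows authentication.

```powershell
# Added example (not from the original post). Assumptions: run on the WinCC host
# itself, the SQL instance is named 'WINCC' (hypothetical), and the current
# Windows account is allowed to connect.
$instance = '.\WINCC'   # hypothetical instance name; adjust to the site's

# 1. Which account does each SQL Server service run as?
#    A StartName of 'LocalSystem' means the engine runs as SYSTEM.
Get-WmiObject Win32_Service -Filter "Name LIKE 'MSSQL%'" |
    Select-Object Name, StartName, State |
    Format-Table -AutoSize

# 2. Who holds the fixed server role sysadmin?
#    Every login listed here can run xp_cmdshell, read any database, and,
#    because of (1), act as SYSTEM on the host.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$instance;Integrated Security=SSPI;"
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = @"
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
"@
$reader = $cmd.ExecuteReader()
"`nMembers of sysadmin on $instance"
while ($reader.Read()) {
    '{0,-40} {1}' -f $reader['member_name'], $reader['type_desc']
}
$reader.Close()
$conn.Close()
```

If the first query shows LocalSystem and the second lists every plant login (or a group such as BUILTIN\Users), the host matches the default described above. The service account can be changed in SQL Server Configuration Manager and unneeded logins dropped from the role with sp_dropsrvrolemember; test against a spare WinCC station first, because the HMI may depend on the very privileges being removed.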

As best as I can tell, this is not an attack but a vulnerability disclosure. US-CERT is treating this as a Microsoft problem (not a control system problem; it is not listed on the US-CERT Control Systems website), and Microsoft is treating it as a user-privileges problem. With the lack of adequate control system cyber forensics, it can be close to impossible to find this vulnerability in the field. This should certainly be a call to arms, but is it?
Joe Weiss