“I would rather lose money than trust”

September 23, 2011, marks the 150th birthday of Robert Bosch. “I would rather lose money than trust” is one of his best known sayings. Values such as credibility, reliability, and legality formed the basis of his entrepreneurial action – and have lost none of their validity for the company he founded. They are the compass for the Bosch Group’s innovative strength, quality standards, international orientation, and corporate social responsibility. In combination with these, they form the basis for ensuring the company’s lasting business success, as well as its ability to meet the challenges of the future, just as Robert Bosch would have wanted. Apart from the 150th anniversary of the birth of its founder, Robert Bosch GmbH is celebrating its 125th anniversary this year.

Turning a workshop into an international industrial enterprise

Robert Bosch was born on September 23, 1861, in Albeck near Ulm in southern Germany. Following an apprenticeship as a precision mechanic, and after having worked for several companies outside Germany, he opened his “Workshop for Precision Mechanics and Electrical Engineering” in Stuttgart on November 15, 1886. Referring to these early years, he once said: “My business, which was originally very small, gradually began to develop more swiftly after long and painstaking efforts.” Even then, this success was due to his innovative drive and high quality standards. The construction of a low-voltage magneto ignition device for vehicle engines in 1897 was the start of a long list of Bosch innovations. But it was its successor system, the high-voltage magneto ignition system launched by Bosch in 1902, that was the decisive commercial breakthrough for the young company. Under the guidance of Robert Bosch, the company developed a whole series of technical and technological innovations that made people’s everyday life and work significantly safer, more comfortable and more efficient. Examples include windshield wipers, the diesel injection pump, and power drills and drivers.

 

Bosch founded its first agency outside Germany in 1898, in the United Kingdom. This was the start of global expansion, with new branch offices and manufacturing sites being set up around the world. The early decision to nurture the company’s global presence and transform the business into a successful worldwide development, manufacturing, and sales network was one of the most important strategic initiatives undertaken by Robert Bosch.

Responsibility and social commitment

Robert Bosch was a socially minded entrepreneur. “Employer and employee are equally dependent on the fate of their company,” he wrote in an essay dating from 1920. In 1906, when he became one of the first employers to introduce an eight-hour working day, he was once again well ahead of his time. By shortening working hours, Robert Bosch eased the burden on his workers, and at the same time increased productivity by introducing a second shift. In other words, this was an entrepreneurial decision that benefited both the company and the workforce in equal measure. Apart from making several donations for civic initiatives and charitable causes, Robert Bosch also endowed a hospital in Stuttgart, which still bears his name to this day. In addition, the occupational and further training of his associates was an issue of the utmost importance to Robert Bosch. In 1913, he set up his own apprenticeship department with a training workshop. Associate training and qualification still command an important position at Bosch to this day. In September 2011, some 1,500 young people began a career at Bosch in Germany. In 2010 alone, each associate worldwide attended an average of two training courses.

His last will – still relevant today

Robert Bosch died in Stuttgart on March 12, 1942. In his will, he set out the fundamental guidelines for his successors. The financial independence and autonomy of Robert Bosch GmbH were especially important for him, since they would secure the company’s long-term success in the future as well. After the end of the second world war, Robert Bosch’s legacy paved the way for his company’s renewed rise to a global supplier of technology and services – in 2011, it is expected that the company’s roughly 300,000 associates will generate sales of more than 50 billion euros. The company’s successful rise has been marked by technological progress and corporate social responsibility – just as the company founder would have wanted.

How secure is your Automation System architecture?

“Stuxnet has given us a wakeup call and we now need to take a fresh approach to how data is transferred and managed within all industrial control systems,” says Chris Evans of Mitsubishi Electric.

Last year’s incident involving the Stuxnet malware has shown that a typical automation architecture has weak points and vulnerabilities when it comes to security and this is leading many companies to question the traditional methods used to move information around and from the plant/asset to the enterprise level. While Stuxnet was targeted at one particular plant, it has far wider implications.

Stuxnet moved the point of attack from the seemingly well-secured top end of the business to the more vulnerable middle ground between plant and enterprise. So, are we seeing the start of a revolution?

Certainly, when business managers understand the implications of “doing nothing” then it is inevitable that changes to system architectures will follow.

Stuxnet was a malicious and targeted attack, which is very difficult to protect against.

The structure of the worm is now in the public domain, so variants of Stuxnet remain a threat, and it is realistic to assume that ‘copycat’ malware targeted at a whole range of plant and applications will appear in the coming years.

Most incidents are far less sophisticated than Stuxnet, but they can still have wide-ranging consequences for the businesses under attack.

There are two fundamental factors to consider, the “probability” of an attack succeeding and the “risk” (the consequence for the business if it does), and it is the analysis of these two elements together that should shape any organisation’s security strategy going forward.

It is generally accepted that the “gateway PCs” found in many automation architectures represent weak points, vulnerable to malware arriving from “the outside” over the network and also from removable media such as CDs and USB sticks.

Many of these PCs are used as networked workstations and therefore often contain the software to change and program the PLCs beneath this layer. This makes them an attractive target for anyone wishing to disrupt operations. Coupled with this is the fact that many of these PCs have in the past been poorly maintained in terms of security patches and often run unsupported legacy versions of operating systems, raising the risk considerably.

These gateway PCs were originally included to provide visualisation/control (SCADA etc), data/alarm logging and the link between the plant/asset and the enterprise systems. Initially PLC technology was not capable of delivering these requirements in an acceptable way, in other words, there was no alternative to this architecture.

Clearly from an operational point of view, these requirements are still fundamental delivery points for any system architecture but there are now alternatives to the traditional methods.

Mitigation or Change?

Many IT security companies can provide products and services to mitigate attacks on PC-based systems. Such solutions are useful and, coupled with a good corporate security regime, can help protect the perceived weak points in any architecture.

However, it is important to understand that many of the recent cyber security offerings in the automation arena have concentrated on dealing with the consequences of an attack rather than on reducing the chance of it happening in the first place.

A New Way Forward

Over the last few years the more innovative companies have been developing technology which challenges the traditional automation architecture, so that they can offer a robust environment whilst delivering the operational requirements needed.

The basis of the new approach is to develop a solution which offers direct connection from the plant/asset to the enterprise systems within a ruggedized industrial form factor.

These systems are not PC-based and are therefore not susceptible to the operating system legacy issues found in a traditional PC-based system.

This is complemented by the simultaneous development of intelligent solutions that carry out data and alarm logging locally at the PLC.

This technology has created the possibility of removing the gateway PC from the topology altogether. “But what about visualisation and control?” I hear you ask.

Well, this is a fair question, and there is no crusade here to remove SCADA/visualisation from the system, but there are other ways of meeting the same requirements.

If data and alarm logging is happening directly at the PLC, then visualisation and control could be achieved by intelligent HMIs. Significantly, these HMIs do not have to be running a Windows operating system.

If SCADA PC nodes simply must exist, then moving the critical data/alarm logging to the local PLC means that the SCADA node can be the control and visualisation element of the system, whilst protecting this vital information in a more robust PLC environment. This is a simple but effective change in architecture that offers a viable alternative to traditional methods.

Mitigation techniques can then be deployed to minimise the risk with respect to the PC based SCADA or visualisation system. By using these techniques and technology the link between plant/asset and the enterprise can be achieved directly from the PLC level, thus minimising the risk.

Best of Both Worlds

It would appear that, as is often the case, the best approach to this new generation of malware threat is a combination of a good set of mitigation techniques and “best practices” with a willingness to look at new architectures that meet the operational requirements while also reducing the inherent risk. Perhaps more than ever, good advice from acknowledged experts, an open mind, and awareness of current and potent new issues are critical.

The essential hardware

Mitsubishi’s “C Controller” range of automation solutions offers a flexible, secure, ruggedized environment that can house multiple “apps” to perform complex and challenging tasks. The C Controller forms part of the integrated iQ Platform and provides a non-PC-based system that is not susceptible to the operating system legacy issues found in a traditional PC-based system.

The C Controller platform has enabled a whole host of solutions to be developed, including a distributed secure database application and various connection options from asset to enterprise level, interfacing to SAP, Oracle, DB2 and other business systems. Coupled with intelligent solutions that carry out data and alarm logging locally at the PLC, this means that Mitsubishi can offer a secure alternative architecture to traditional automation system topologies.

This article was submitted by Chris Evans of Mitsubishi Electric.

Developments with UPS systems at Chloride

Last summer, ABB and Emerson had a bidding battle when both tried to buy the Chloride Group, based in the UK: the company has now become part of Emerson Network Power. Chloride supplies uninterruptible power supply (UPS) systems to major market sectors such as IT services (data centres), finance houses and telecommunications systems providers, as well as energy/oil and gas, transport and retail operations. Chloride recently launched an enhanced version of its Chloride 80-NET UPS, now available with up to 0.5MW capacity, which uses semiconductors (such as IGBTs, insulated-gate bipolar transistors, as also used in electric vehicles) to eliminate all transformers. The replacement of the typical phase-shifting transformers by digital, near-instantaneous control of voltage and current gives full input power factor correction (input PF>0.99), and can reduce the input current drawn by up to 20%, consequently reducing the required switchgear ratings and cable sizes, to maximize the usable power from the supply. With the high conversion efficiency (98%) compared to traditional UPS systems at 94%, and low total harmonic distortion, the development has major commercial implications for data centres and the like.

Reduced total project costs

Lamberto Tassara, president of Chloride products and services for Emerson Network Power, said “The technology solves two major problems for data centres. Firstly, it frees them from the limited availability of grid power, and secondly it significantly cuts the capital costs and achieves high energy efficiency.” Rob Tanzer, technical support manager for Chloride AC Power, explains “From the end-user perspective, 1MW worth of 98% efficient double conversion UPS will save around GBP100,000 per year in electricity bills alone. While the technologies in the actual UPS units make them more costly, a complete power protection package incorporating those technologies will be much cheaper, because, since the transformerless UPS operates at near unity input power, the specifications of gensets, cabling and switchgear can be cut by around 20%, and UK Government Enhanced Capital Allowances can effectively cut up to 28% off project costs.”

Projects for the process industry

Process industry power quality requirements have tended to be less demanding than those of data centres, but with the growth of digital control and high-value production processes the Chloride 80-NET UPS technology has now been applied to industrial processes such as refineries. Clients quoted on the Chloride website include BP, Total and EDF. Tanzer goes on to suggest that there are other technology developments in UPS systems that are suitable for process industry use. “Where incremental growth of capacity is required, or very low loads may be encountered, the technology to watch is Chloride Trinergy. It is scalable to between 200kW and 9.6MW, and the technology, introduced in the past year, is really rather special, representing something of a departure for the UPS industry. Whilst it is a double conversion UPS, it has the capacity to use its output inverter as an active harmonic filter, drawing directly from the grid but remaining connected to the batteries. If mains power deteriorates or fails, Trinergy has the capacity to provide the same protection as double conversion technologies, but with throughput losses of around 2% (based on UK mains power quality), which, because it is modular, it is able to sustain even when subjected to loads of as little as 20%.”

Entering the USA market?

Interestingly, the press release for the Chloride 80-NET UPS announces that it is launched everywhere in the world, except North America. In January 1999 Chloride acquired Oneac, which was to “provide a vital introduction into the US market for UPS and power conditioning”. This was followed by an August 2002 announcement of “an investment programme in research and development in order to access the important US power protection marketplace for 3 phase UPS”. It is likely that there will be a stronger emphasis on sorting out these products for the USA and Canada, now that the company wears an Emerson logo!

Stuxnet updates: October

Following reports that the Stuxnet code has been published on the internet, for anyone with malicious intent to copy as they desire, Norman Data Defense Systems warns that it is more important than ever to review the security systems in use on industrial SCADA systems. A webinar will be aired on 28th October to discuss this further.

David Robinson, UK and Ireland country manager, Norman Data Defense, said: ‘It was just a matter of time before the Stuxnet code was published on the web for anyone, with even the most basic knowledge of coding, to alter and potentially wreak havoc on the industry. Now is the time to review IT security, no matter how small the risk. This is big news.’

‘This new type of virus has a boot file built-in and now that the code is in the hands of any malware writer it could mutate very quickly,’ added Robinson, who will host a webinar on the subject on 28th October at 2pm BST at www.norman.com. Robinson has fifteen years’ experience working with companies such as Mitsubishi, Rockwell and Intellution on SCADA and plant intelligence software.

But it is not just memory sticks that can spread this virus. ‘These days anyone with a laptop or a device that connects remotely to a wireless network inside a company’s firewall, is putting that company at risk. It will just be a matter of time before Stuxnet or its successors are evolved to wreak havoc on control systems and any other system that the user connects to if their laptop or portable device is infected.’

Norman Data Defense recently carried out research among ordinary workers and found that over half of the people surveyed are more cautious about security when using their own PC or laptop than they are with their work one, and over three quarters of people would expect a pop-up to appear on their screen to alert them to a security breach, which of course is not always going to happen.

Microsoft has issued patches to help users of Windows systems protect themselves against Stuxnet, but, warns Robinson: ‘My fear is that, with patch management protocols rarely in place in a control system environment, these warnings will go unheeded.’

Stuxnet news and opinions: end September

Recent background articles on Stuxnet are provided here on http://www.iainsider.com for your own review.

Stuxnet worm causes worldwide alarm: by Joseph Menn and Mary Watkins: FT (UK) 23 September.

http://www.ft.com/cms/s/0/cbf707d2-c737-11df-aeb1-00144feab49a.html

Virus Bulletin: Last-minute paper: An indepth look into Stuxnet. (Liam O’Murchu, Symantec)

http://www.virusbtn.com/conference/vb2010/abstracts/LastMinute7.xml

Kaspersky Lab provides its insights on Stuxnet worm. 24 Sept.

http://www.kaspersky.com/news?id=207576183

Langner commentary. 27 Sept

http://www.langner.com/en/

Stuxnet worm ‘targeted high value Iranian assets’. BBC 23 Sept.

http://www.bbc.co.uk/news/technology-11388018

Bruce Schneier on security. Sept 22

http://www.schneier.com/blog/archives/2010/09/the_stuxnet_wor.html

Wary of naked force, Israel eyes cyberwar on Iran. 7th July

http://www.ynetnews.com/articles/0,7340,L-3742960,00.html

Stuxnet: Targeting Iranian enrichment centrifuges in Natanz? 22 Sept.

http://frank.geekheim.de/?p=1189

Serious nuclear accident may lay behind Iranian nuke chief’s mystery resignation. 17 July

http://wikileaks.org/wiki/Serious_nuclear_accident_may_lay_behind_Iranian_nuke_chief’s_mystery_resignation

The Amazing Mr Stuxnet: Eric Byres, Sept 23.

http://www.tofinosecurity.com/blog/amazing-mr-stuxnet

Stuxnet worm hits Iranian nuclear plant staff computers. BBC 26 Sept

http://www.bbc.co.uk/news/world-middle-east-11414483

Pentagon silent on Iranian Nuke virus: Fox news 27 Sept.

http://liveshots.blogs.foxnews.com/2010/09/27/pentagon-silent-on-iranian-nuke-virus/

Stuxnet malware worse than expected!

The lead article from the INSIDER for September 2010 published this review of the situation with the Stuxnet worm. To get this information as soon as it is published, subscribe to the INSIDER, via http://www.iainsider.co.uk

After the Stuxnet worm, all industrial control systems, PLCs and RTUs with embedded systems now have to be regarded as at risk. So says Walt Sikora of Industrial Defender Inc (ID) – but then he would say that, wouldn’t he, as vice president of security solutions at Industrial Defender? However a recent webcast by Sikora presents an excellent outline of the capabilities of the Stuxnet worm as known at present, and gives a timeline presenting the events of the past two months, as evidence for his assertion that “This is a very sophisticated, very scary piece of malware.” In his webcast, first presented on 19 August, Sikora explains that the malware attacks the control system, and can insert itself into the internal communications to the PLC, being dubbed the first rootkit for a PLC device. While the Siemens PCS7 is the target in this instance, the Stuxnet worm is not the result of a bored schoolboy prankster – it is described as a sophisticated cyber-war weapon, with a payload targeted at a specific industrial control system. The conclusion is that control systems are to be the targets for future worms: despite any future fast response from Microsoft, Siemens and AV suppliers, their actions can only slam doors shut after an attack has been successful.

Stuxnet time-line

The time-line for this story started over a year ago, when the Stuxnet worm was apparently first launched. It was first detected on June 17 by VirusBlokAda, a Belarusian AV company. On July 15 Frank Boldewin, a security researcher, decrypted the worm and found it targeted Siemens WinCC and PCS7 control systems. On July 22 Siemens posted a tool to identify and repair systems, followed by similar actions from AV vendors. On July 27 ID hosted its first panel discussion in a webcast, held in order to disseminate all available knowledge about the worm. On August 2 Microsoft issued the emergency patch. While Microsoft acted very promptly, demonstrating its commitment to support of the industrial control systems sector by issuing an emergency patch for the .lnk vulnerability on the operating systems it regards as current, older systems such as Windows 2000, NT, or XP service pack 1/2 are no longer supported and are not included. It will also inevitably take time, resources and commitment by operators to test, approve and install this patch even on the newer systems where it is needed. On August 6, however, in Sikora’s words: “Symantec found that the malware itself, the payload, was worse than what we even thought…the worm itself had the capability of being controlled from a computer outside, it would allow the attacker to take control and write values to the control system itself, and that is very very scary. All automation control systems are at risk today.”

The August 6 posting on the Symantec website by Nicolas Falliere, a senior software engineer, explains that “Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.”

Beware of sleeping code blocks

Falliere continues with an unattributed example of the effects of such hidden, sleeping code blocks. He explains that by writing code to the PLC, the Stuxnet malware can potentially control or alter how the system operates. A previous historic example includes a reported case of stolen code that impacted a pipeline. The code was secretly ‘Trojanized’ to function properly and then, only some time after installation, to instruct the host system to increase the pipeline’s pressure beyond its capacity. This, [he asserts], resulted in a three-kiloton explosion, about 1/5 the size of the Hiroshima bomb. Thus, in addition to cleaning up the Stuxnet malware, administrators with machines infected with Stuxnet need to audit for unexpected code in their PLC devices. Falliere adds “We are still examining some of the code blocks to determine exactly what they do and will have more information soon on how Stuxnet impacts real-world industrial control systems.”
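
The audit Falliere calls for comes down to comparing what is on the controller now with what was put there at commissioning. The following is an added illustration written for this page, not Symantec’s or Siemens’ own tooling: it assumes the engineering tool can upload every block from the controller as bytes keyed by block name (OB, FC and DB are the Simatic block types; the block contents here are constructed placeholders, not real PLC code).

```python
"""Audit of the program blocks on a PLC against a known-good baseline.

Added example for this article; it is not Symantec's or Siemens' code.
It assumes the engineering tool can upload every block from the controller
as bytes keyed by block name (OB1, FC1, DB1 and so on); the block contents
below are constructed placeholders, not real PLC code.
"""
import hashlib
from typing import Dict, List


def block_digest(code: bytes) -> str:
    """SHA-256 over the compiled block: a single changed byte is detected."""
    return hashlib.sha256(code).hexdigest()


def build_baseline(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """Record block-name -> digest from a freshly commissioned, verified PLC.

    Keep this table off the plant network (printed, or on read-only media),
    so that an attacker on the gateway PC cannot rewrite it to match."""
    return {name: block_digest(code) for name, code in blocks.items()}


def audit(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a fresh upload with the baseline.

    A block that is on the controller but not in the baseline is reported
    even if nothing calls it yet: a 'sleeping' block is found by its presence,
    not by waiting for it to act."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for name, code in current.items():
        if name not in baseline:
            report["added"].append(name)
        elif block_digest(code) != baseline[name]:
            report["modified"].append(name)
    for name in baseline:
        if name not in current:
            report["removed"].append(name)
    for key in report:
        report[key].sort()
    return report


# Constructed sample: the commissioned program, and a later upload in which
# the cyclic organisation block has had a call prepended and an unexpected
# function block has appeared.
BASELINE_BLOCKS: Dict[str, bytes] = {
    "OB1": b"\x01\x02\x03 main cyclic program",
    "OB35": b"\x04\x05 periodic interrupt handler",
    "FC1": b"\x06\x07 valve sequence logic",
    "DB1": b"\x08\x09 process setpoints",
}
CURRENT_BLOCKS: Dict[str, bytes] = dict(BASELINE_BLOCKS)
CURRENT_BLOCKS["OB1"] = b"\xff CALL FC100 " + BASELINE_BLOCKS["OB1"]  # hooked
CURRENT_BLOCKS["FC100"] = b"\xaa dormant until a trigger condition"  # injected


def audit_sample() -> Dict[str, List[str]]:
    """Run the audit on the constructed sample."""
    return audit(build_baseline(BASELINE_BLOCKS), CURRENT_BLOCKS)


if __name__ == "__main__":
    for kind, names in audit_sample().items():
        print(f"{kind:9s}: {', '.join(names) or '-'}")
```

One caveat follows directly from the article’s own description of Stuxnet as a rootkit that hides injected code on the PLC by inserting itself into the communications between the engineering software and the controller: an upload taken through a suspect Windows workstation may show exactly the clean blocks the baseline expects. Take the upload from a known-clean engineering station, and treat a clean result from the suspect machine as no evidence at all.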

HIPS protection against Stuxnet

In the ID webcast Sikora continues with a demonstration of Stuxnet, and then goes on to show that the new Industrial Defender HIPS [Host Intrusion Prevention System – see side panel] would stop the Stuxnet worm penetrating a protected system. HIPS is therefore offered as a valid method for in-depth protection of industrial control systems against such malware, as part of the ‘Defense in Depth’ strategy promoted by Industrial Defender. HIPS allows only known-good executables to run, from a “whitelist” of approved programmes. It uses intrusion prevention and access management, and avoids the periodic full scans used by AV software that tie up a computer or system for extended periods. Sikora claims that HIPS would have prevented the Stuxnet worm accessing the known infected control systems.
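
The whitelist check at the heart of such a HIPS is simple enough to show in a few lines. The following is an added example written for this page, not Industrial Defender’s product code: the approved binary, the dropped file and their contents are constructed in a temporary directory purely for illustration, and a real product hooks process creation in the operating system rather than being called by hand.

```python
"""Execution allow-list check of the kind a host intrusion prevention system
(HIPS) applies on a control-system workstation: a program may start only if
its content hash is on the approved list.

Added example for this article, not Industrial Defender's product code. The
approved binary, the dropped file and their contents are constructed in a
temporary directory purely for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Set


def file_sha256(path: str) -> str:
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecutionAllowList:
    """Approved set built once from a clean, patched image.

    The key is the content hash, not the file name or path, so a foreign
    program written over a trusted binary (or renamed to a trusted name) is
    still refused. The check runs at process start, so there is no periodic
    whole-disk scan competing with the HMI for CPU and disk."""

    def __init__(self, approved: Set[str]) -> None:
        self.approved = set(approved)

    def decide(self, path: str) -> str:
        """'allow' if the file's hash is approved, otherwise 'deny'."""
        return "allow" if file_sha256(path) in self.approved else "deny"


def run_demo() -> Dict[str, str]:
    """Exercise the three cases a practitioner wants to see; returns verdicts."""
    with tempfile.TemporaryDirectory() as d:
        hmi = os.path.join(d, "hmi.exe")
        with open(hmi, "wb") as f:
            f.write(b"MZ constructed stand-in for the approved HMI binary")
        allow = ExecutionAllowList({file_sha256(hmi)})  # baseline taken now

        dropped = os.path.join(d, "update.exe")  # arrives later, e.g. via USB
        with open(dropped, "wb") as f:
            f.write(b"MZ constructed stand-in for an unknown dropper")

        results = {
            "approved_hmi": allow.decide(hmi),
            "unknown_dropper": allow.decide(dropped),
        }
        shutil.copyfile(dropped, hmi)  # attacker overwrites the trusted binary
        results["dropper_with_trusted_name"] = allow.decide(hmi)
        return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:26s} -> {verdict}")
```

Two operational points follow. A hash allow-list is indifferent to code signing, so a driver signed with a misappropriated but genuine certificate is refused just like any other unknown file. The flip side is that every legitimate patch changes the hash of the files it touches, so the allow-list has to be re-baselined as part of the change procedure; without a working patch management process the operator ends up choosing between a blocked HMI and a disabled HIPS.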

Geographic spread of Stuxnet

Separately, a white paper on the ID website gives further background, which also shows the major infection levels by the Stuxnet worm. On July 15 Kaspersky Lab, the Russian AV vendor, reported 5000 compromised machines. By July 23 there were 45,000 infected machines reported, with the main concentrations, according to Kaspersky, in India, Indonesia and Iran. The population infected in the USA is not known (as Kaspersky does not have much market penetration there, and other data is not available). Symantec data summarises that the major infections are in SE Asia, and that 48% of hits reported have been on Windows XP SP2 systems, for which there is no official Microsoft emergency patch.

Industrial Defender has also announced Compliance Manager, a security process automation and information management system that enables control system managers in the utility, chemical, oil, gas, water and transportation industries to cost-effectively implement and sustain best practices that assure system security, availability and compliance to corporate and industry security standards.

“Utilities are being overwhelmed by the amount of information, events and tasks that they need to manage as they continue to enhance their critical system security processes”, said Brian M. Ahern, president and CEO of Industrial Defender.

“Industrial Defender’s Compliance Manager automates data collection and analysis tasks that would otherwise require extensive manual operations, while providing the tools needed to improve system integrity and meet the extensive compliance auditing requirements of NERC CIP cyber security standards.”

Compliance Manager and the associated Industrial Defender sensor and collector technologies are specifically built to operate with both mission critical automation systems (e.g., SCADA, EMS/DMS, DCS/PCS) and industrial end-point devices without impacting system performance and availability. It automates the collection, retention, analysis and reporting of a comprehensive set of system and security management information. It consolidates and analyzes device inventories, event logs, system configurations, software/patch status and user accounts, as well as archives of log and configuration files for automation control applications, operating systems, firewalls, network devices and end-point industrial devices.

“Stuxnet” malware targeted at automation

This article by Andrew Bond is taken from the Industrial Automation Insider August 2010 issue

Last month’s cyber attack on Siemens SCADA systems and DCSs has reopened the question of how responsibility for ensuring the security of automation systems in general and those controlling potentially hazardous industrial processes and critical infrastructure in particular should be shared between users and vendors and, indeed, vendors’ suppliers.

Few people in the automation industry, and precious few more in the user community, can now be unaware of the bare bones of what has become known as the ‘Stuxnet’ affair. According to Siemens it was on July 14th last that the company was notified of a security breach within Windows which could potentially affect its Simatic WinCC SCADA software and the PCS7 DCS which uses WinCC as its HMI. Among the first to identify the threat was Byres Security chief technology officer Eric Byres who confirmed that what Siemens and its users were experiencing was “a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.” (see Security threat to the control system world! – this also contains links to other comments on the Stuxnet affair!)

For those, including us, who are not fully familiar with the jargon, a “zero day” exploit is one which takes advantage of a vulnerability that was unknown to the vendor, and therefore unpatched, at the time it was first used in an attack; it typically comes to light only because of that attack, and it leaves all other users of the same system or systems at risk until such time as the vulnerability is eliminated.

Spread by USB keys

In this case the ‘malware’, variously described as a Trojan and a worm, seems to have been spread by USB keys, although it seems possible that it could also be propagated via network shares from other computers. It exploits a previously unidentified vulnerability in the way Windows parses shortcut (.lnk) files in order to display their icons, with the result that, in order to become infected, the user does not even need to open any file or run any application on the USB stick; just viewing the contents of the stick in Windows Explorer is sufficient. Because no AutoRun entry is involved, disabling AutoRun provides no protection either.

Given the ‘zero day’ nature of the attack, it was hardly surprising that no patch was available from Microsoft, although it is hoped that one will be ready for the next scheduled patch release in early August. In the meantime Microsoft outlined a series of ‘work arounds’ which included, not surprisingly, not inserting USB keys, disabling the display of icons for shortcuts and disabling the WebClient service.

It also rapidly released a tool which would disable the vulnerability in most cases but would affect the way Windows displayed shortcut icons: and a clean-up tool which would sanitize infected systems but, it warned, might adversely affect the performance of a control system.

Targeted at automation

So far, so Windows generic. Within days if not hours of the existence of the malware, by then dubbed ‘Stuxnet’, becoming known, a number of less sophisticated lookalikes had been identified, a pattern which is apparently the norm for such attacks. However, what seems to set this incident apart from the general run of malicious tomfoolery is that the malware displays an unusual degree of professionalism, incorporating a seemingly authentic but misappropriated code-signing certificate and, even more unusually, specifically targeting industrial automation software. As Byres explained, it “uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/ WinCC database and extract process data and possibly HMI screens” which it then attempts to export via an internet connection to a remote server. However, Siemens warned against what might have seemed the most obvious solution, changing the password, because of potential knock-on effects elsewhere in a system.

Adding a sinister twist to the story, again according to Byres, is the fact that discovery of the malware coincided with “a concerted Denial of Service attack against a number of the SCADA information networks such as (the) SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line”. That seems to suggest that those responsible had prepared sophisticated plans in advance, not only to release the malware targeting the Siemens systems, but to frustrate users’ and vendors’ attempts to counter the threat.

Control system infection

At the time of writing, Siemens claimed to have identified just one user, a site in Germany, where a control system had actually been infected. Moreover, even in that case, while the malware attempted to export data, it was apparently unable to do so because the server to which the data was sent either did not exist or was off-line.

Had the objective been actual sabotage, rather than what appears to have been industrial espionage, the consequences could have been very much more serious. Clearly, there is a shared responsibility here. Microsoft has a duty to ensure that its products are as secure as is reasonably possible and to act to eliminate vulnerabilities as soon as is practical after they have been identified. What they can’t reasonably be held responsible for is the consequences of their customers, or their customers’ customers, using those products in a manner which dramatically magnifies the consequences of such unknown vulnerabilities being discovered and exploited by malevolent third parties.

Clearly a Siemens user whose WinCC or PCS7 installation has become infected has at one level been extremely unlucky. Not only has an infected USB stick had to find its way onto the site, presumably via one of its own, a contractor’s or a vendor’s employee, but that stick has to find an unprotected USB slot on or with access to the control system. The fact that, thus far, this has only happened once suggests either that, at least initially, the number of copies ‘in the wild’ was relatively small, or that users’ basic security precautions, including locking down or eliminating USB slots, are in general reasonably effective.

Dangerous software error

Nevertheless, while Siemens enjoyed some initial sympathy for being targeted, and even a degree of admiration for the speed with which it responded, fingers are now beginning to be pointed both at Siemens for the vulnerability of its systems and at users for adopting those systems without apparently questioning their security. Chris Wysopal, CTO of cyber security specialist Veracode, is particularly critical of Siemens’ use of a hard-coded password which, he says, comes eleventh in what he calls the industry standard ‘CWE/SANS Top 25 Most Dangerous Software Errors’. Writing on his ZeroDay Labs blog and alleging that Siemens was aware of the issue as much as two years ago, he asks, “Why didn’t Siemens fix the hard coded password vulnerability when it was first publicly disclosed?”

Wysopal has no doubt where the ultimate responsibility lies. “Software customers that are operating SCADA systems on critical infrastructure on their factories with the WinCC Software had a duty to their customers and shareholders to not purchase this software without proper security testing,” he says. Although the incident will once again raise the bigger issue of whether Windows is in fact a suitable vehicle for mission critical industrial and infrastructure applications, more immediately other vendors and their customers will be examining not just their systems’ susceptibility to this particular vulnerability but whether they provide a similar ‘Open Sesame’ to their applications. Software, argues Wysopal, should be subjected to independent security testing before it is deployed if users are to rely on anything more than the hope that someone else falls victim to the next piece of malware and that a patch is released before their own system is attacked. “With the sophistication shown through this multi-stage USB attack, it is clear that hope is not a viable option,” he concludes.