New Windows Virus Targeted at Industrial Controls

I just sent the head of IT an email stating that although we don't use Siemens products, this virus could infect some other systems if variants were written to target other PLCs and/or automation devices.

I also mentioned that we have Windows NT and Windows 2000 running on some systems that are vulnerable to Stuxnet and its variants, and there are no patches available for these OSes.

I had asked if it would be wise to change user rights on these machines' "users" and/or put them on their own subnet to keep them less vulnerable.

The short answer I got is that we have tape backup for our fileserver, and that we don't want to have automation systems on their own subnet right now.

I am quite concerned with this, but again, I am not a network or security expert as I've mentioned previously. It does smell funny to me and I'm not sure what to do about it. Our machines are, for most purposes, mission critical and we can lose serious money if they go down for extended periods.

How does an automation guy who is computer savvy but not a security expert deal with IT on these issues? I really want to work together on tightening security.

~KEJR
 
In reply to Rahul P Sharma: I would suspect that the sort of person that you are talking about is exactly the sort of person who is (unknowingly) spreading the virus in India. All he has to do is visit one customer who has the virus, pick it up on his laptop, and he will end up spreading it to every plant that he visits.

You may wish to contact Siemens and discuss your concerns with them. You may be able to work out a procedure to at least reduce the risks. The same problem applies to independent integrators and machine builders by the way. They are in exactly the same situation of visiting multiple sites and being exposed to the virus.
 
In reply to KenE: What I would do in your shoes is to bring the issue of security up via the engineering and production management channels. I would keep it at the level of "showing general concern" and not point any fingers at anyone. Put it in writing in e-mails, however, that there are viruses going around right now which are intended to shut down production lines and possibly cause damage, and this isn't just a hypothetical situation anymore.

To automation professionals, this is a serious concern. To an IT manager, it's just another virus. IT people have been living with them for years and don't worry about them much anymore. And if a virus knocks out the e-mail system for a few days, people are inconvenienced but the company doesn't suffer that much.

If a virus knocks out the plant however, that comes right out of the company's bottom line. In that situation though, the IT manager knows he isn't going to be the first one in line for blame, because the production equipment really isn't his department.

As for what you can do, well the first thing is to get people to agree that something should be done. The IT manager should be in a position where he is offering advice on how to solve it, but it's the engineering and production managers who should be deciding whether anything should be done. You might be using PCs in the plant, but they are production assets, not IT assets.
 
Reply to M Griffin: I have a few general impressions, a somewhat different take, from reading Symantec's W32.Stuxnet dossier.

1) The virus's authors went to great lengths in researching a small subset of automation platforms that have to be working together and developed the virus to hit that type of target: WinCC AND specific Siemens controllers AND Profibus. The virus might be present but ineffective without this combination.

2) Even if the conditions above are satisfied, knowledge of the target network's topology is still required to get the virus to fully propagate and be effective.

3) If the virus's target was a small number of industrial systems in Iran (the Bushehr nuclear power plant has been reported as a likely primary target) it was, as the kids say, 'an epic fail'. The virus was detected and it propagated way outside its target domain, setting off the burglar alarm for everyone to hear.

Security on industrial networks is important and there is a valid argument for beefing it up. But here's what will happen in the wake of the Stuxnet virus: the operating funds in the budgets of industrial facilities will be directed toward security and away from maintenance and core development. Just like after 9/11 in the US: an expensive whiz-bang, ultra-encrypted IP camera will be pointed at a broken motor operated valve, just to make sure no one sneaks up to it with a wrench to fix it.
 
curt wuollet

Yes, these posts about lack of concern or complete ignorance point out that the current situation is bad, and what is most likely to happen (very little) isn't going to improve it. That's why we need inherently more secure configurations from the get-go, so they are reasonably secure without depending on what _should_ happen.

Regards
cww
 
In reply to curt wuollet: That idea (the Microsoft certificate) won't work for the simple reason that they are essentially asking the computer "do you have a virus?" A virus of course would simply answer "no, everything's fine here". The idea has been floated before, and it was pretty conclusively shown to be full of holes.

Microsoft already uses digitally signed certificates for drivers and several other purposes in an attempt to solve the virus problem. The particular virus we are talking about just used genuine certificates from two different sources to masquerade as legitimate software. While PKI is useful for some things, it isn't the security panacea that Microsoft was hoping for when they started using it. In fact, it's turned out to be a bit of a farce.
 
David Ferguson

For one thing, how can you say that this is the opinion of Microsoft any more than you are speaking for the entire control community on this site? Second, the lack of people who are locking down their MS machines is no different than the mechanic who screws up your car by not knowing his job.

The fact is the ART of control systems engineering is a conglomeration of many skill sets and no college out there or vocational school teaches it. You have to be an expert in multiple skill sets equally. Let's say there are 10 skill sets (arguable); they may include electrical skills, instrumentation skills, computer skills, programming skills, mechanical knowledge skills, business skills, process skills, NETWORK SECURITY SKILLS, craftsman skills, maintenance skills, etc.

No one coming out of US colleges today is qualified to do this job any more. I laugh at the people who hold their nose high and say that "He is an EE so he is more qualified than that guy who went to votech". Bullsh*t, it is a conglomerate of 10-15 skill sets and to be good you need them all... I personally know like 4-5 guys who really have this skill set and they are very, very rare and in great demand.

The fact that the web surfing set who can barely find their e-mail is setting up your control system is just a sign of how DUMB they are and we are for letting our systems get set up this way.

My personal opinion is that if you set your systems up this way, you DESERVE to get hacked. Read that again: YOU DESERVE TO GET HACKED. Evolution has a way of taking care of this sort of thing...

Quit blaming the misuse of a tool for being the problem and let's start addressing the real issue, which is the lack of people out there mentoring up the next generation to "get it". I take great personal pride in having had a number of interns who are now out there in society and are very, very good at the skills needed to do things right. And they all came in with one degree or another and quickly were taught that they knew little or nothing of this SKILL / CRAFT / TRADE / PROFESSION.

Quit blaming the tools and start fixing the users... we are getting nowhere with this kind of babble...

Dave Ferguson
Tool User
 
curt wuollet

Well, maybe they should do it. I can't think of anything that would expand the Linux ranks faster than if the average Windows user got kicked off the web a couple of times... Well, it might take a dozen times or so; they never blame Microsoft for Windows problems. I agree that it is a bit naive coming from a high ranking researcher at MS. Makes you suspect his credibility. But, I'm sure there's money in it, maybe you get to pay them to be allowed back on the net?

Regards
cww
 
There are two previous Control.com discussions that are relevant to this topic. I thought I would point them out to everyone so anyone interested can go back and review them.

The first was "Alleged Internet Attacks on SCADA Systems".
http://www.control.com/thread/1026243185
This was a discussion about news reports that the American CIA was warning electric utilities in the US that someone was attacking or was about to attack power plant SCADA systems, and they wanted American utilities to take precautions. This seems strangely prescient given current news.

The other was "Computer Virus in Electric Utility in Australia".
http://www.control.com/thread/1255317497
This wasn't a virus which was targeted at control systems. It was a conventional virus which was affecting the control systems indirectly by causing problems for the MS Windows workstations.

As well as the usual opinions, the discussions contain links to relevant news stories. It's good background for anyone who is interested in this subject.
 
In reply to David Ferguson: I think we can take an official corporate post on an official corporate web site by a "Corporate Vice President" (that's his job title) acting in his official capacity as speaking on behalf of his company.

Here are the two points from the web site which I suspect that Mr. Wuollet particularly finds objectionable (or perhaps risible):

"Voluntary behavior and market forces are the preferred means to drive action but if those means fail, then governments should ensure these concepts are advanced."

and also:

(Microsoft) "will also advocate for legislation and policies worldwide that help advance" (the proposals).

Yes, that is an official statement by a Microsoft vice president saying that they intend to lobby for laws to be passed ensuring you keep your Windows patches up to date and have anti-virus installed.

And to repeat, I think it's a stupid idea and it has no hope of achieving its stated objectives. In addition, it would certainly have done nothing to prevent the situation related to the virus we are discussing here.
 
David Ferguson

Michael:

From his blog post: "In my speech today at the International Security Solutions Europe (ISSE) Conference in Berlin, Germany, I PROPOSE ONE POSSIBLE approach to addressing botnets and other malware impacting consumer machines."

This has nothing to do with security. There is a move afoot by all of the big players, including MS, Comcast and Murdoch, the RAA and Intel and others, to enforce "net neutrality", and this scare is just another way to get to a different means. AT&T already implemented a piece with bandwidth metering, tiered access metering. They want to control access to the pipes and be able to turn people on and off for a number of reasons. There is also movement by the RAA to shut off your access forever, without trial, after downloading illegal movies and music, so if someone hijacks your wifi (because you did not secure it, Linux based) and botnets you for music downloads etc., they shut you off. Sort of like, if you want to go to war for Iraq's oil or to avenge your dad's name or because you own shares in a certain cleanup company, divert their attention and go in after the nukes that do not exist or after OSBAMA. Or cheat on your e-mails about global warming reports to implement carbon credits by scaring the public (still to come, notice they have backed off). Well, by "scaring" us into the fear of cyber terror, we can take back control of this damn media thing run amok... i.e. China and Google... there is more going on here than meets the eye... focus on the ball, my point is this is diversionary tactics.

Agreed, it has NOTHING TO DO WITH THE ISSUE... The reason this stuff gets opened up to the lowest denominator is that you have non-professionals using computers, and in order for them to use them and not bug the rest of us, they have been DUMMIFIED so they can get their e-mail and play Zynga games. When your OS runs from these people to controlling your corporation and plant, it gets slightly harder to find the middle ground. When Linux is preconfigured by the gurus to lock down the machine and my mom cannot get to play Farmville, they start whining and someone posts a hole to get through, then someone writes a way to infect them. When the guy who should not be programming your control system is blocked, same thing. These same people will demand that the vendors DUMMIFY them also in Linux and we will be right back in the same boat.

Be a professional and lock your machines down and learn the IT portion of YOUR JOB. I do not agree with legislation to lock them down (WE AGREE, less government). But I also do not agree that some other OS will solve our problems.

Curt is quite capable of explaining his view... trust me, we all already know that, Michael.

PS: Intel just paid $xx billion (yes, billion) for McAfee... we better get new chipsets also, because why would you pay billions for something that does like $2m a month...

Dave Ferguson
Control Systems Engineer
 
Dear All

Well, what about other PLCs? Will this virus attack only PLCs, or motion controllers too? Can this virus attack Baldor controllers? In my plant all the machines are running on Baldor motion controllers and drives, and the software used is Mint WorkBench V5.5. Please do let me know so that I can take some action.

With thanks and regards
Edwin
 
In reply to Edwin: This particular version of this particular virus does two things. One is that it installs a more or less conventional virus in a computer running MS Windows (and it hooks itself into any copies of Siemens Step-7 and WinCC which may be present). The other thing it does is that when an infected computer connects to a Siemens S7 PLC, it modifies the program in that PLC.

So, what you have is basically two problems. One is a more or less conventional virus problem that affects everyone who uses MS Windows. The majority of reported virus infections are on PCs that don't have any Siemens software installed. It is also important to note that not all the holes in MS Windows that this virus exploits have been plugged yet.

The other problem is that if you are using Siemens PLCs, the virus may have modified your PLC programs via an infected PC.

So far there have been no reports of any versions of this virus that attack Baldor drives. However, if someone wished to write one, they could certainly do so using similar techniques.
 
curt wuollet

What irritates me is that MS skates and shirks all responsibility while everyone and everything else in the world is left holding the bag and making all the gyrations and hassle and expense to clean up their mess so they can continue leaving security holes open to make their floobydust features work. For example, yes, autorun is kewl, but executing any old binary someone puts in the slot is just plain stupid. Especially when it execs in the space of a privileged user because they don't want to make logins too hard and separate accounts by default. And they can't possibly deny that it's a problem, so they simply declare that it's your problem. And it really irritates me that everybody just bends over and lets them do it. That's what irritates me about that particular article. That, and they can bend heaven and earth to avoid _their_ having to do anything serious about it. They sell on the basis that any idiot can run it, but blame them when they do, without having a security expert close all the intentional holes. And somehow that is perfectly acceptable. Your problem.

Regards
cww
 
David Ferguson

And as I have said over and over... when Linux is in the hands of the "anyone can do it" set, the software (in order to be accepted) will be opened up or people will abandon it (right or wrong). When they cannot just start it and run, they will go away.

Now I will give you that something "free" is a lot harder to complain about or quit on as you have nothing invested. But as you invest time (our most precious commodity), you quit when you use too much. But what is the difference between your pre-configured CD load and my knowledgeable MS-configured HMI config "locked down"?

I heard on a podcast the other day that the Internet is dead... I laughed and then listened; they said the future is in apps... again I laughed... then I watched my wife, who hates computers, interoperate with her iPod, and she just wants the finger tap that does what SHE wants. She does not care that it is at WWW dot whatever or how the underlying structure works, it just does.

I am in the paper business, magazines and catalog paper... I completely realize, watching her read 5 papers on the web via apps, that I am history... luckily I am not in the paper business, but the automation business, and do not care what it is I automate.

I also have a house that was full of college students and constantly watched how they work and communicate... they operate in a compartmentalized world and basically function through apps, and any kind of underlying knowledge and having to type addresses etc. stinks to them.

What's my point? My point is that such things are what we are getting to: less and less knowledge of the underlying technology, nor caring what it is, and eventually it will all go away. This has always been the case and the end user of my stuff just uses the "HMI App", whatever piece of equipment it controls. The responsibility to keep that underlying technology "safe" lies with me, the user of that technology.

Problem is, a lot of those doing controls do not take that part of their job seriously because they come from this app mentality and do not see the importance, and when it fails they blame their users... just like you accuse MS of.

Now MS has had to open things up to the lowest denominator because that is what customers demanded. Apple and the iPhone, iPod, iPad have introduced a new model which APPLE controls (as much as they can)... they approve apps and make sure that these issues cannot happen (yet). But as it gets bigger and bigger it is harder and harder to control. I personally think MS is in trouble because the cheese moved to a new model and they have not adapted, but I do not think the new model is a PC or a server running an OS (as far as the end user is concerned); it is compartmentalized apps that are approved by someone who does know what is important to protect the end users...

I think putting Linux as a replacement for MS is like me introducing a new type of paper for magazines and catalogs to be printed on... it is not realizing the media is not the issue, it is the delivery system that is changing. Newspapers have been slow to realize this and therefore have lost 30% of their business this year. As I said, I am in the "solutions business" (personally), not the automation or paper business. My company is in the advertising business... although they may think they are in the paper business...

Lots of babbling and probably lost my point... but I feel better...

Thanks Curt

Dave Ferguson
Technology User
 
> And as I have said over and over... when Linux is in the hands of the "anyone can do it" set, the software (in order to be accepted) will be opened up or people will abandon it (right or wrong). When they cannot just start it and run, they will go away. <

Yes, but saying it over and over again doesn't make it true. Linux _is_ in the hands of whoever wants it, with comparable ease of installation, and it is, by default, more secure. At the very least, it won't exec random crap you stick in the drives. Or 99.99% of the existing viruses, etc.

> Now I will give you that something "free" is a lot harder to complain about or quit on as you have nothing invested. But as you invest time (our most precious commodity), you quit when you use too much. But what is the difference between your pre-configured CD load and my knowledgeable MS-configured HMI config "locked down"? <

About $500. Counting the precious time you spend locking it down and the time you waste with antivirus scans and updates and all the other malarkey that goes with running Windows, probably _much_ more. That is a particularly unfavorable point to argue, as the lost time protecting and putzing with Windows costs business billions. And I'm sure it's even worse on the ISV side, adding the churn. I've used both extensively, and I can assure you that I waste a lot more time with Windows than Linux. Even the most shallow analysis will prove that. And that's with "consumer" distributions.

> I heard on a podcast the other day that the Internet is dead... I laughed and then listened; they said the future is in apps... again I laughed... then I watched my wife, who hates computers, interoperate with her iPod, and she just wants the finger tap that does what SHE wants. She does not care that it is at WWW dot whatever or how the underlying structure works, it just does. <

Exactly, a setup that boots to the application and simply does the task at hand would save vast amounts of screwing around. And, like your wife, whatever is behind that really fades in importance.

> I also have a house that was full of college students and constantly watched how they work and communicate... they operate in a compartmentalized world and basically function through apps, and any kind of underlying knowledge and having to type addresses etc. stinks to them. <

Yes, we are approaching computers as appliances.

> What's my point? My point is that such things are what we are getting to: less and less knowledge of the underlying technology, nor caring what it is, and eventually it will all go away. This has always been the case and the end user of my stuff just uses the "HMI App", whatever piece of equipment it controls. The responsibility to keep that underlying technology "safe" lies with me, the user of that technology. <

Exactly, that's why an OS that can be configured to provide only the needed services makes much more sense than one that stresses the platform over the application.

> Problem is, a lot of those doing controls do not take that part of their job seriously because they come from this app mentality and do not see the importance, and when it fails they blame their users... just like you accuse MS of. <

Exactly why shipping the application with a secured OS as one unit would be a tremendous advantage over simply "Install this on your Windows PC", which may already contain a full load of virii and malware, and might even be part of a botnet or owned by a hacker.

> Now MS has had to open things up to the lowest denominator because that is what customers demanded. Apple and the iPhone, iPod, iPad have introduced a new model which APPLE controls (as much as they can)... they approve apps and make sure that these issues cannot happen (yet). But as it gets bigger and bigger it is harder and harder to control. I personally think MS is in trouble because the cheese moved to a new model and they have not adapted, but I do not think the new model is a PC or a server running an OS (as far as the end user is concerned); it is compartmentalized apps that are approved by someone who does know what is important to protect the end users... <

Yep, and what OS supports that model now? And more importantly, can let you, as the content provider, support that model? Android is an example. Many providers.

> I think putting Linux as a replacement for MS is like me introducing a new type of paper for magazines and catalogs to be printed on... it is not realizing the media is not the issue, it is the delivery system that is changing. Newspapers have been slow to realize this and therefore have lost 30% of their business this year. As I said, I am in the "solutions business" (personally), not the automation or paper business. My company is in the advertising business... although they may think they are in the paper business... <

That's a silly analogy, seeing how, at the moment, Linux is beating the snot out of Windows in that exact market and we're only seeing the tip of the iceberg. But more important is, why? It's because of all the things I have been pointing out. It can be tailored into Android and the amazing array of embedded gadgets because of its modularity, ease in porting to new hardware and suitability for the "post PC" class of applications, as well as all the other sizes and classes of platform needed by automation. You could say that the success is vindication of my point of view. But it didn't need vindication; it's obvious from watching the market. And it doesn't take Columbo to figure out that using one OS on all the platforms in your vertical is going to be a lot cheaper and easier than managing five penguins and a whale. Even if the whale is really kewl.

> Lots of babbling and probably lost my point... but I feel better... <

I'm glad you feel better; change is going to come, I'd just like it to be sooner rather than later. But, for example, PACs are already powerful enough to host their own programming environment, if it isn't Windows. Someone's going to figure that out soon. Look at a PLC, then look at a cell phone; the opportunity for convergence is hard to miss. That's why, when I designed a PLC, I left the processor slot open to change.

Regards
cww
 
David Ferguson

I give up, Curt... you win... and yet for over 10 years... you haven't.

Here I will reply for you:

But Dave, I am not about winning or losing only trying to make this a better world.

Dave Ferguson
 
I think it is really a worthwhile discussion at this inflection point where security shortcomings are just popping up on the (1950s Bendix) automation radar. I really appreciate the comments of our real live Windows programmer as they make real the lock-in that the leaders would face if they dared change their relationship with MS. It would be close to a declaration of war. This brings up the likelihood that the change may come not from the leaders but by replacement, someone who isn't in bed with MS and doesn't have a huge legacy and can use the efficiencies of a more suitable platform to carve out a place with features and pricing. Maybe someone who wants to be positioned for the smart power transmission and general infrastructure replacement market on the horizon. Maybe a well known name that wants to get back in the market, or someone who holds a mediocre market share and would like a change in the status quo. Lots of household names could do something like this and have a good chance of pulling it off.

Regards
cww
 
In reply to David Ferguson:

I agree with a lot of what you said. I am a user of Windows and Linux, and neither of these systems is completely secure in the hands of any old user. Why? Because the system can be altered on either Windows or Linux. The user can let down their guard at will.

I do believe Microsoft is to blame for the shell "shortcut" bug and many other subtleties. I think we can all agree that Microsoft puts their marketing before security, which is disappointing. Having Grandma run as Administrator is asking for it. On a personal note, my wife thinks I'm a control freak for not giving her account administrator rights on our Windows machine, even though I explained that both she and I were set up as "regular" users and the administrator account is just for that, administration. (Hey wait, I guess I am a control(s) freak, being on this site...)

I just received a couple of proprietary automation CPUs running Linux and they were shipped with a default root password from the vendor. Sure, I'm going to change it, but do you think a majority of users will? Probably not. So is this Linux system more secure than Windows, or less? (As a side note, this system does have a filesystem mounted read-only, but that can be changed with a remount as root, so no real security there.)

KEJR