Virus attacks industrial control systems

Siemens launches damage control program for systems targeted by Trojan, including remedial and defensive measures for users. So far, actual damage is minimal. Update: Virus detection/removal tool now available.

July 21, 2010

Siemens has been continuing damage control efforts for users of its WinCC and PCS7 control platforms. The company received notification of the virus on July 14, and began efforts with Microsoft to prevent and minimize damage to users. Siemens reports:

The Trojan/virus is spread via a USB stick, using a security breach in Microsoft Windows. The virus, which affects operating systems from XP upward, detects Siemens WinCC and PCS7 programs and their data.

Siemens has now established through its own tests that the software is capable of sending both process and production data via the Internet connection it tries to establish. However, tests have revealed that this connection is not completed because the communication partners/target servers are apparently inactive. As part of the ongoing analysis, Siemens is checking to see whether the virus is able to send or delete plant data, or change system files. 

We are informing our customers and investigating how many systems could be affected. Currently, there is only one known case in Germany of infection which did not result in any damage. We do not have any indication that WinCC users in other countries have been affected. 

Analysis so far says that the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface. If your security policies prevent extraneous connections, that is the best defense. There are also additional protective devices like firewalls and virus scanners that can also prevent Trojans and viruses from infiltrating the plant. 

Siemens is developing specific solution steps:

• Microsoft will be offering an update (patch) that will close the security breach at the USB interface;
• Suppliers of virus scanning programs have prepared up-to-date virus signatures that are currently being tested by Siemens. The virus scanners will be able to help detect and eliminate the virus;
• Siemens’ software tool is now available for downloading. It is able to detect and remove the virus; and
• Siemens will be providing a Simatic security update with all the necessary function.

For the moment, users should not use any USB sticks (thumb drives, flash drives, etc.) and install the updates as soon as they become available.

Read more about appropriate cyber security defensive measures.

Peter Welander, pwelander@cfemedia.com 
Control Engineering