A new worm attacks Siemens SCADA systems in order to steal production data and take control of the process.
The worm currently making headlines, Stuxnet, exploits the latest security hole in Microsoft Windows: a vulnerability in .lnk (shortcut) files that lets an attacker run arbitrary code on a computer as soon as the malicious shortcut is displayed in Explorer, with no click required. The latest variant is a deliberate attack on Siemens SCADA systems; it aims to send data to an external web site and to take control of technological processes through the SCADA system.
First malicious code for SCADA
This is the first malicious code targeting Siemens SCADA systems (WinCC). Siemens recommends that infected customers do not change the default password, the hard-coded password WinCC uses for its database, because changing it may cause even greater problems. A publicly known default password guarding such serious technological processes? Does Siemens really think its systems are untouchable in the internet age?
Because of the high risk posed by vulnerability MS10-046 (the shortcut problem), Microsoft released the fix a week earlier than its usual monthly update cycle.
The worm runs arbitrary code by exploiting MS10-046 in Windows. The malicious code brings something new. First, it is signed with valid code-signing certificates owned by well-known companies (Realtek Semiconductor and JMicron Technology). Until now we simply looked at who wrote the code: if it came from a known company and/or was signed, it was considered fine. Now every piece of code is suspect. The valid certificates were probably stolen or bought from employees of Realtek Semiconductor and JMicron Technology, both based in Taiwan.
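To make the shortcut trick concrete, here is an added example (not code from the original post, from Siemens or from Microsoft): a small Python scanner that parses the Shell Link header and the LinkTargetIDList of a .lnk file and flags the MS10-046 pattern, a Control Panel shell item paired with a target that is a .dll or .tmp file, or a `\\.\` device path, instead of the .cpl a control panel shortcut should point at. The sample shortcuts are constructed inside the script to mimic that layout; they are not Stuxnet samples, and names such as `dropper.dll` are made up. The exact byte layout of the constructed file item is a simplification, so the scanner relies only on the embedded path strings and the CLSID bytes, not on field offsets inside each item.

```python
"""Heuristic scanner for shortcut (.lnk) files abusing the MS10-046 icon-loading flaw."""
import os
import re
import struct
import sys

LNK_HEADER_SIZE = 0x4C
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in on-disk (little-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Control Panel folder CLSID {21EC2020-3AEA-1069-A2DD-08002B30309D}, same byte order
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")
HAS_LINK_TARGET_ID_LIST = 0x00000001
# A Control Panel item should point at a .cpl; a DLL/TMP or a \\.\ device path is the exploit pattern.
SUSPICIOUS_TARGET = re.compile(r"\.(dll|tmp)$|^\\\\\.\\", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Parse the fixed 76-byte header and the LinkTargetIDList; return flags and raw ItemID blobs."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a Shell Link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Windows Shell Link")
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size = struct.unpack_from("<H", data, LNK_HEADER_SIZE)[0]
        off = LNK_HEADER_SIZE + 2
        end = min(off + idlist_size, len(data))
        while off + 2 <= end:
            item_size = struct.unpack_from("<H", data, off)[0]
            if item_size < 2:  # 0x0000 is the TERMINALID; anything else below 2 is corrupt
                break
            items.append(data[off + 2:off + item_size])
            off += item_size
    return {"flags": flags, "items": items}


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Pull printable UTF-16LE and ASCII runs out of ItemID data."""
    utf16 = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    ascii_ = rb"[\x20-\x7e]{%d,}" % min_len
    found = [m.group().decode("utf-16-le") for m in re.finditer(utf16, blob)]
    found += [m.group().decode("ascii") for m in re.finditer(ascii_, blob)]
    return found


def assess_lnk(data: bytes) -> dict:
    """Flag a shortcut when a Control Panel item is paired with a non-.cpl target."""
    raw = b"".join(parse_lnk(data)["items"])
    strings = extract_strings(raw)
    suspicious = [s for s in strings if SUSPICIOUS_TARGET.search(s)]
    has_cpanel = CONTROL_PANEL_CLSID in raw
    return {"control_panel_item": has_cpanel, "targets": strings,
            "suspicious_paths": suspicious, "verdict": has_cpanel and bool(suspicious)}


def _item(payload: bytes) -> bytes:
    """ItemID = uint16 size (including the size field itself) + data."""
    return struct.pack("<H", len(payload) + 2) + payload


def _path_item(path: str) -> bytes:
    # Constructed layout (type byte, padding, UTF-16LE path); real file items carry more fields.
    return b"\x32" + b"\x00" * 5 + path.encode("utf-16-le") + b"\x00\x00"


def build_lnk(items) -> bytes:
    """Build a minimal .lnk: header with HasLinkTargetIDList set, then the IDList and TERMINALID."""
    idlist = b"".join(_item(i) for i in items) + b"\x00\x00"
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(idlist)) + idlist


# Constructed samples (not real malware); file names are made up.
SAMPLES = {
    "exploit_style": build_lnk([b"\x1f\x00" + CONTROL_PANEL_CLSID, _path_item(r"E:\dropper.dll")]),
    "benign_cpl": build_lnk([b"\x1f\x00" + CONTROL_PANEL_CLSID,
                             _path_item(r"C:\WINDOWS\system32\timedate.cpl")]),
    "benign_exe": build_lnk([_path_item(r"C:\WINDOWS\notepad.exe")]),
}


def scan_paths(paths) -> list:
    """Scan .lnk files or directories of them; return (path, verdict, details) tuples."""
    results = []
    for p in paths:
        files = [p]
        if os.path.isdir(p):
            files = [os.path.join(d, f) for d, _, fs in os.walk(p)
                     for f in fs if f.lower().endswith(".lnk")]
        for f in files:
            try:
                with open(f, "rb") as fh:
                    r = assess_lnk(fh.read())
                results.append((f, r["verdict"], r["suspicious_paths"]))
            except (OSError, ValueError) as e:
                results.append((f, None, [str(e)]))  # unreadable or not a shell link
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python lnkscan.py E:\  (a mounted USB stick)
        for f, verdict, detail in scan_paths(sys.argv[1:]):
            print("SUSPICIOUS" if verdict else "error" if verdict is None else "clean", f, detail)
    else:
        for name, blob in SAMPLES.items():
            print(name, assess_lnk(blob))
```

Run it against the root of a USB stick before the stick is opened in Explorer on a production host; a hit on a shortcut whose only content is a Control Panel item and a DLL path is exactly the combination a legitimate shortcut never needs.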
What is SCADA system?
For those who do not know what SCADA (Supervisory Control and Data Acquisition) is: it is a system for supervising and controlling the technological processes found in practically every production plant today. Some examples of what SCADA systems do: managing and controlling water distribution, reporting production information, and raising alerts about errors and malfunctions. Siemens controllers are among the most widely used because they run reliably.
The computers used in technological processes are often built into the machines, so employees do not see them as personal computers, and they are usually forgotten when it comes to adequate protection.
I know, for example, an enterprise with good IT protection that nevertheless leaves one server unprotected: it runs Windows 2000 SP1 without the latest patches and an old SCADA system that controls and manages one of its technological processes. They do not bother to upgrade the very old version to newer SCADA software because it is not cheap, the old system does not run on newer Windows versions, and they only need it for one more year. What if the Stuxnet worm reached that server and sent production data into the wrong hands, or worse, took control of the technological process? The damage could exceed the cost of a newer SCADA system.
Of course, the server can still be protected even though it runs an operating system Microsoft no longer supports. First, block the server's access to the internet, which removes its ability to send data out. Second, disable the use of removable media such as USB and CD. Third, keep network shared folders to a strict minimum. Merely disabling AutoRun on USB keys is no longer effective protection against the latest worms: the shortcut vulnerability fires as soon as Explorer renders the icon of the malicious .lnk file, with no AutoRun involved. Windows 2000 was already out of support when MS10-046 was published, so the patch was not released for it; such a machine only gets the workarounds, for example disabling the display of shortcut icons. For the Stuxnet worm, antivirus companies already offer dedicated removal tools, and from now on their products pay more attention to the shortcut vulnerability.
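The registry side of those steps can be checked rather than trusted. The following is an added example, not code from the original post or from Microsoft: a Python audit of the settings that close off removable media, AutoRun, and the shortcut icon handler (the Microsoft advisory workaround for MS10-046), plus the WebClient service that serves the WebDAV vector of the same flaw. On Windows it reads the live registry through `winreg`; elsewhere it runs against a snapshot dictionary, and the two snapshots below are constructed to show a typical untouched installation next to a hardened one. Internet access and the list of shared folders are not registry values and are not covered here.

```python
"""Audit the registry settings behind the hardening steps for an unsupported Windows SCADA host."""
try:
    import winreg  # Windows only; the snapshot-based path below runs anywhere
except ImportError:
    winreg = None

# (hive, subkey, value name, hardened value, what the setting closes off)
# Start = 4 disables a driver or service. IconHandler (Default) = "" is the advisory workaround
# that stops Explorer from loading shortcut icons, which is where the .lnk flaw is triggered.
CHECKS = [
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\USBSTOR", "Start", 4,
     "USB mass storage driver disabled"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\Cdrom", "Start", 4,
     "CD-ROM driver disabled"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDriveTypeAutoRun", 0xFF,
     "AutoRun off for all drive types"),
    ("HKCR", r"lnkfile\shellex\IconHandler", "", "",
     "shortcut icon handler disabled (MS10-046 workaround)"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\WebClient", "Start", 4,
     "WebClient (WebDAV) service disabled"),
]


def read_live_snapshot() -> dict:
    """Read the checked values from the local registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCR": winreg.HKEY_CLASSES_ROOT}
    snapshot = {}
    for hive, subkey, name, _expected, _desc in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                snapshot[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value absent (e.g. no WebClient service on Windows 2000): reported as missing
    return snapshot


def audit(snapshot: dict) -> list:
    """Return (description, status) per check; status is 'ok', 'missing' or 'weak (...)'."""
    findings = []
    for hive, subkey, name, expected, desc in CHECKS:
        actual = snapshot.get((hive, subkey, name))
        if actual is None:
            status = "missing"
        elif actual == expected:
            status = "ok"
        else:
            status = "weak (found %r, want %r)" % (actual, expected)
        findings.append((desc, status))
    return findings


def weak_points(snapshot: dict) -> list:
    """Descriptions of every check that is not in the hardened state."""
    return [desc for desc, status in audit(snapshot) if status != "ok"]


# Constructed snapshot: typical values on an untouched Windows XP/2000 installation.
DEFAULT_SNAPSHOT = {
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\USBSTOR", "Start"): 3,
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\Cdrom", "Start"): 1,
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDriveTypeAutoRun"): 0x91,
    ("HKCR", r"lnkfile\shellex\IconHandler", ""): "{00021401-0000-0000-C000-000000000046}",
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\WebClient", "Start"): 2,
}
# Constructed snapshot: the same host after all five settings were applied.
HARDENED_SNAPSHOT = {(h, k, n): v for h, k, n, v, _ in CHECKS}

if __name__ == "__main__":
    snap = read_live_snapshot() if winreg else DEFAULT_SNAPSHOT
    for desc, status in audit(snap):
        print("%-55s %s" % (desc, status))
```

Treat "missing" with care: on a Windows 2000 host the WebClient key is absent because the service does not exist there, which is fine, while a missing `NoDriveTypeAutoRun` means the policy was never set at all.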
How secure is your SCADA system?