Siemens' malware could disrupt whole power grids globally
July 23, 2010
Late yesterday, Siemens said it has concocted a program it is making available for detecting and disinfecting malware and viruses attacking its complex power-grid management software.
Siemens' software also controls critical oil & gas refineries and manufacturing plants. The German engineering firm warns that customers who use the infected software could face the devastating effect of whole power grids being disrupted in the U.S., Canada, South America, Europe and Asia.
Siemens began distributing SysClean, a malware and virus scanner made by Trend Micro. It has been updated to remove StuxNet, a worm that spreads by exploiting two separate security flaws in Siemens's SCADA (supervisory control and data acquisition) software and every supported version of Microsoft Windows.
“As each plant is individually configured in a very unique method, we cannot rule out the possibility that removing the malware may affect your plant in any way,” the Siemens advisory said.
The company also advised customers to keep the scanner updated at all times because “there are already some new derivative versions of the original virus around, and we are trying our best to mitigate these and other security issues.”
Recently, Siemens has come under blistering criticism for not removing the security vulnerability two years ago, when, according to Wired.com, the default password threat first came to light.
So far, StuxNet has infected the engineering environment of at least one unidentified Siemens customer, and has since been eliminated, Siemens said.
The company added that there are no known infections of production plants to this day, but warns that there's always the possibility that some could be discovered in the near future.
The worm spreads whenever an infected USB stick is attached to a system running Siemens's SCADA software. The attacks use a recently documented vulnerability in the Windows shortcut feature to take control of customers' personal computers in the workplace. Once there, the worm takes advantage of default passwords in WinCC, the vulnerability-prone, problematic SCADA software provided by Siemens.
Late yesterday, Siemens said it has updated WinCC to fix the security vulnerability. For its part, Microsoft has issued a stop-gap fix but hasn't yet said if and when it plans to patch the Windows security flaw.
Chris Wysopal, CTO of application security tools firm Veracode, says, “Siemens has put their own customers at risk with this egregious vulnerability in their software. Worse, is all the many customers from around the world who purchased the software not knowing of any of its many security risks.”
“Software customers that are operating SCADA systems on critical infrastructure such as power grids, oil and gas refineries or their factories with the WinCC software had a duty to their customers to not purchase this troublesome software without proper security testing. It is obvious now that no security tests were ever performed on SCADA before putting it in place in the field-- not by Siemens itself and not by the customer. This is totally unacceptable,” added Wysopal.