New Virus Targeting HMI/SCADA Systems?

Thread Starter

M Griffin

There is a story at the following link that a new virus appears to be targeting HMI/SCADA systems.

http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

According to the story, it seems to be specifically targeting Siemens WinCC through a Windows security hole, although users of other software shouldn't feel smug about that, because there might be other strains affecting systems from other vendors as well. According to the story, it spreads via USB keys and fully patched versions of MS Windows 7 are vulnerable. It is likely that older versions of MS Windows are also affected (the story doesn't go into that however). This is *not* the familiar "auto-run" vulnerability, so you're not safe just because you've turned that off.

The really interesting point is that this appears to be specifically targeting industrial controls, rather than just the usual attempts by spammers to take over home PCs for botnets. If you are using this type of software, this is probably a story to keep an eye on.
 
curt wuollet

I don't find the virus surprising at all; Windows virus writing has better support than many commercial programming products. What I do find surprising is that we are hearing about it. Considering how much expense and downtime it can cost to either prevent or fix this type of problem, I would think that, like banks, vendors would like to keep word of these problems well suppressed. I would think that, basing a product on Windows, they would have disaster plans for this. After all, "if" was never a question; "when" was the only question. I would suspect this is far from the first, and won't be the last. Hopefully, there aren't many people interested in doing this, because the nature of these systems as aging and untouchable means the vast majority are extremely vulnerable.

Regards
cww
 
In reply to curt wuollet: I think that for many companies the disaster plan consists of not worrying about whether they're about to have a disaster. If you remember, the big black-out of a few years ago was due to a utility in Ohio cutting corners on long term maintenance for the sake of short term cost savings.

If I had to guess what this virus was about, it would be an organised crime gang planning to use it for extortion or commodity market manipulation. They already do things like this to certain types of on-line businesses, who have to pay protection money or else face being DDoSed off the Internet.
 
> There is a story at the following link that a new virus appears to be targeting HMI/SCADA systems. <

If you really want to open an HMI/SCADA system to the internet you should put some more thought into it.

Eventually do not allow the internet users to input commands. Allow them only to view something.

Run your server application under a special user with low rights and outside group "users".

Use ssh for communication and configure the user under which your server is running with "commandline interpreter" = NULL. Only allow the internet user to connect to your server application.

After logging in over ssh you might use an additional authentication before the HMI can be used.

For example:
- remember the IP address of the user
- ask him for his email address
- check if the email address is known and trusted
- send him a password via email that is for 1 time use only (random generated)
- read the password and make sure that it comes from the same IP address as the original user

Such unconventional authorizations need HMI/SCADA systems with high flexibility. Our http://pvbrowser.org can be made to do so because you fully control it in C/C++.
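The one-time e-mail password flow listed in the post above, as an added example (it is not code from the thread or from pvbrowser): it remembers the requester's source IP, checks the address against a trusted list, mails a random single-use password, and accepts it only from the same IP, before expiry, within a guess limit, and exactly once. The trusted address, IPs, time-to-live and guess limit are constructed assumptions, and sending mail is an injected callback so the module runs offline.

```python
"""Added example: one-time e-mail password bound to the requester's source IP.

Models the extra authentication step proposed after the ssh login.  Not code
from the original thread or from pvbrowser; addresses and limits are assumed.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 300   # assumption: the mailed password is usable for 5 minutes
MAX_WRONG_GUESSES = 3     # assumption: three bad guesses invalidate the password


@dataclass
class PendingLogin:
    email: str
    token: str
    issued_at: float
    wrong_guesses: int = 0


class OneTimePasswordGate:
    """Second-factor gate placed after the ssh login, as the post suggests."""

    def __init__(self, trusted_emails, send_email, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._trusted = {e.strip().lower() for e in trusted_emails}
        self._send = send_email          # callable(email, token); real mail in production
        self._ttl = ttl
        self._clock = clock              # injectable so tests can advance time
        self._pending = {}               # source IP -> PendingLogin

    def request(self, source_ip, email):
        """Steps 1-4: remember the IP, check the e-mail is trusted, mail a random password.

        Returns nothing either way so an untrusted address cannot be told apart
        from a trusted one by the caller's response.
        """
        email = email.strip().lower()
        if email not in self._trusted:
            return
        token = secrets.token_urlsafe(16)   # CSPRNG-generated, about 128 bits
        self._pending[source_ip] = PendingLogin(email, token, self._clock())
        self._send(email, token)

    def verify(self, source_ip, token):
        """Step 5: accept the password only from the IP that requested it,
        before it expires, within the guess limit, and exactly once."""
        entry = self._pending.get(source_ip)
        if entry is None:                                # different IP or nothing pending
            return False
        if self._clock() - entry.issued_at > self._ttl:  # expired: discard it
            del self._pending[source_ip]
            return False
        if not hmac.compare_digest(entry.token.encode(), token.encode()):  # constant time
            entry.wrong_guesses += 1
            if entry.wrong_guesses >= MAX_WRONG_GUESSES:
                del self._pending[source_ip]
            return False
        del self._pending[source_ip]                     # consumed: single use
        return True


def demo():
    """Walk the flow with a fake mailbox; returns the outcomes for inspection."""
    outbox = []
    gate = OneTimePasswordGate({"operator@example.com"},
                               lambda addr, tok: outbox.append((addr, tok)))
    gate.request("10.0.0.5", "operator@example.com")     # constructed sample request
    token = outbox[-1][1]
    return {
        "wrong_ip": gate.verify("10.0.0.9", token),      # same password, other address
        "right_ip": gate.verify("10.0.0.5", token),      # the requesting address
        "replay": gate.verify("10.0.0.5", token),        # second use of the same password
    }


if __name__ == "__main__":
    print(demo())
```

The gate deliberately answers `request()` the same way for trusted and untrusted addresses, so the login step itself does not reveal which e-mail addresses are on the allow-list; the only observable difference is whether mail arrives. Binding to the source IP is a weak check on its own (shared NAT addresses), which is why the expiry, the guess limit and single use are kept as well.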
 
This particular case didn't involve network access. It was spread via USB flash drives. You simply plugged your flash drive in and the virus was in and taking over as soon as Windows Explorer tried to list the files. It isn't related to auto-run, so turning that off doesn't help. Fully patched MS Windows 7 systems are vulnerable, and at present no anti-virus software detects it.

Your SSH points are good, but most MS Windows users have no idea what that is and it isn't installed on a typical Windows system (which is what is being targeted here).

At the present time there doesn't seem to be anything that users of the targeted systems can do to protect themselves. I thought I would point out the problem however so that people are aware of it.

I don't think that anti-virus software will be a viable answer to this sort of thing. It's so narrowly targeted that the anti-virus vendors are not likely to hear about it until it is already widespread. Even when they do hear about it, it affects such a small market that it just won't be a priority for them.
 
Do you think it makes some sense that if you are running an HMI that is HP-UX based, and are able to get support for the equipment, then it may make sense to keep your HMI on UNIX?

HP-UX is very solid and over 10 years old now, and no one that I know of cares about this or would even write a virus for it.
 
I would suggest running HMI/SCADA servers on a system that is capable of ssh (Linux/Unix). The client computer does not care.

Our http://pvbrowser.org client can use PuTTY on Windows to implement ssh. We then use the port forwarding function of ssh with the help of PuTTY.
 
HP will be supporting HP-UX customers indefinitely. They provide the hardware and the OS as a package, so they have complete migration paths for all their HP-UX customers. They have a lot of long time customers running critical business systems on their servers, rather like IBM's mainframe customers.

As for security, HP-UX would probably be a much more difficult nut to crack than MS Windows would be. It's not just a matter of whether anyone cares enough to write a virus for it. Unix has always existed in an environment where security really mattered, so it is something that has become baked into the fundamental design. What's more, Unix designers were usually willing to make fundamental changes to their system to fix any problems if that's what it took. That's why banks, stock markets, and other systems tend to run Unix or Linux.

MS Windows tends to run in a different environment. There are a lot of low value but poorly secured targets. An underground market for security exploits for MS Windows has sprung up to take advantage of that. People work at finding security holes, and then sell them to people who develop viruses, who in turn sell them to people who manage bot-nets, who then rent out the bot-nets to spammers. The profit margins are low, but there is a lot of volume to exploit.

Unix/Linux/BSD servers would be a very attractive target for these people if they could take them over, because they tend to be connected to a very fat Internet pipe which has the potential to spew out a *lot* more spam than a typical home PC on a DSL connection. However, there simply aren't a lot of security holes to exploit. Instead they do things like trying to guess your SSH password (which is what pvbrowser was talking about). So if your password is "password" or "abc123" you might have a problem. Another common approach is to simply phone you up and ask for your password. Believe it or not, people actually fall for that. The most productive approach though is to send a targeted virus to your desktop Windows computer which simply sits there and tries to sniff your passwords when you log on to the server to do some maintenance work. A chain is no stronger than its weakest link.

What I suspect may have happened in this instance is that someone bought exclusive rights to a new Windows virus and decided to try a different approach to using it. Instead of setting up yet another spam bot-net, they decided to go after some big businesses. The obvious use would be for extortion or commodity market manipulation.

MS Windows is a soft target and there's not a lot you can do to fix that. However, if you followed poor security practices on an HP-UX system (e.g. weak passwords), then you could be vulnerable there as well.
 
I'm sure you're right about their disaster planning. Just keeping up on the Windows platform has to be an ongoing disaster, and as much as many firms can manage, maybe more, looking at the lag supporting the latest and "greatest". And it's extremely difficult to protect against, since suggesting to management that they shut down the plant while you find and install upgrades is going to be a non-starter. Even if it weren't, it's only practical for the newest installations. The cost for the systems that have been in place for a while would quickly exceed the cost to start over. And of course, they would simply be added to the head of the line because they would use Windows again. They have been extremely fortunate to this point, implementing on an entirely unsuitable platform, but the chickens are coming home to roost. And this is far more serious than having your office desktop plant splashed. That's inconvenient and expensive; here the business and even lives can be at stake. Maybe this will be the wake-up call to at least rethink those indefensible decisions, but I doubt it. MS marketing dollars will flow and arms will be twisted and there won't be any sane alternatives offered. At least not by the majors. Instead the pressure will be great to bring all the old diverse stuff up to the latest. And that will provide an even better homogeneous environment for these attacks.

Regards
cww
 
I didn't realize this security flaw was that bad. I don't like the flash drives, but they seem to be rampant for students. That is sad that you can hijack a PC because the OS wants to list some files when you plug in a storage device. When are they going to get the fact that someone using a computer should have some basic knowledge of a filesystem? I guess marketing a PC that is easy to use for grandpa is more important than security. Even that aside, how the heck could Explorer be so bad that it can be hacked this way?

KEJR
 
David Ferguson

First of all, shutting off the USB ports should be a mandatory requirement on a control computer, just like you control ALL access.

Second, Curt, properly supporting ANY platform has become a full time job. Using the argument that "See, using that most popular OS on the planet causes you to have these issues" is a lame argument, as it has been for ages. It is about market share: more market share, more people writing code to hack your system. I.e. Apple iPhone hacks are starting to come out as they become the "de facto" standard.

But don't blame the system for the attacks; this argument has been made now for well over 12 years and yet we continue to roll on what we know best...

Rant on

Dave Ferguson
Control Systems Engineer
 
In reply to Ken E: The link that Gustavo A. Valero P. posted is very interesting. Apparently, it's not just USB flash drives that are affected (that just happened to be the first mechanism discovered). If you're using something like Microsoft Sharepoint, that is an infection path as well. Network shares are also a problem. I'm sure that people will find more paths as well, as this is operating through a pretty fundamental Windows file system feature.

Two other important points are made. One is that the demonstration they show doesn't match Microsoft's description of what happens. Microsoft seems to be downplaying the seriousness of it. I think I'll believe the actual video.

The other is that Microsoft does not list MS Windows XP SP2 as being vulnerable. However, that is just because SP2 is no longer supported. It is still vulnerable just like XP SP3, Vista, and Windows 7. I expect MS to eventually come up with a patch to try to address this, but it may not cover MS Windows XP SP2. That's a rather interesting tie-in with another discussion we are currently having on unsupported software systems.
 
I would think it is worth considering. Or if you actually need an updated HMI, use Linux or something other than Windows. If all you do with the nodes is HMI, Windows is not in any way relevant to a UNIX host and an unnecessary risk. Uptimes of a year or more are hard to argue with. And anybody who whines is one of your most likely sources of this kind of virus. They want to do something else...

Regards
cww
 
Hi Dave,

In the long list of criteria for determining the suitability of a product or system for a particular application, putting popularity at the top is exactly why we have this situation. Executing any old code plugged into a port is rather idiotic from a security standpoint, and what people ought to do is irrelevant if what they are required to do doesn't prevent this. Since nearly all of these products will install on anything that remotely resembles Windows and Windows, as supplied, leaves a great deal wide open, it is at least arguable that a great many installs will be left in whatever state they are in when the product starts working. There is a very small subset that is actually needed for the purpose, but everything but the kitchen sink is running and open for business. That's the popular method.

Now let's contrast that with how it should be done from a minimal security standpoint. The user still supplies the PC he got from wherever, and it probably has infestations already. He takes the install CD he got from a trusted source and boots it. He enters the checksum and if it agrees, the install starts. It wipes the disk and boot sectors, overwriting at least the boot sectors. It then installs an OS that includes only what the application requires. Any options are disabled by default and enabled by the install if they are sold with the product. Once the OS is installed, the application is installed and tested. It boots into the application and does what it is intended to do. No golf, no solitaire, no social networking, no extra services, no automounter, no wide open browser, etc. Adds, changes and deletes would require a secure login and would be locally and remotely (if possible) logged. Important filesystem partitions would be encrypted. You now have a secure HMI appliance. If desired, and for a good reason like development, you could also install on a GP OS version, but that's your responsibility.

I can do this with Linux, OpenBSD, etc. I doubt very much it could be done with Windows.

Besides being reasonably secure, the resources required would be much less, support much easier and licensing much simpler. It would cost a lot less too. But it probably wouldn't be as popular. All it does is what it's supposed to. And, if you really want secure, it can run from a bootable CD and a ramdisk.

Regards
cww
 
In reply to David Ferguson: The USB vector was just the first entry point found. This is operating through a fundamental feature in the NTFS file system. People have now found other means unrelated to USB, and no doubt more will be found.

Talking about the specific vector used here is missing the whole point though. The really big news in this one is that this is a zero day exploit SPECIFICALLY targeted at control systems. The automation industry is now a primary target, rather than just getting accidentally hit by a general purpose virus. I don't recall having seen that before, but I don't think it will be the last time we hear it.

Up to now people have been sticking their heads in the sand and telling themselves that their little control system is too insignificant for the big bad hackers to notice. Well, now the big, bad hackers *have* noticed and are taking aim right at you. Yes you're right, people have been saying for years that this would happen. Well, guess what - it *has* happened, and we have to learn to deal with it because the issue isn't going to go away no matter how much we would like it to.
 
David Ferguson

Curt:

I have a clean install and use an automated install script that only loads the machine "flushed"; it then implements domain (Active Directory) policies that lock the machine down, so that there is nothing on the desktop box except the programs needed to run the machine.

It also locks down the "user menu" (start button) so that they cannot load anything onto the machine, cannot play solitaire, cannot use the "web" (not connected to the internet anyway), no run menus, etc. It is on a separate control network that is VLAN'd, etc.

Yet if I walk in with my credentials, I see everything and can use the USB ports etc, and if I put something into the machine that I do not know the origin of, then shame on me.

Now this took a lot of effort on my part over the years to play cat and mouse with what could and could not be done. I had to become a system administrator almost full time; for me it was a hobby, so I enjoyed the LOST time. And because you have invested the same time into Linux doesn't make me any smarter on Linux, any more than you on Windows.

I do not care who you are, the first criterion is that the OS is able to run the software that I need to run our equipment. I do not have time to roll my own PLC or HMI (how is that working out for you?); sounds like you ran out of R & D money. This is the kind of money AB and Siemens etc. have all found out about when they started to roll their own. In order to get the MS box to this state, I invested a lot of time to learn how to do all of these things, and so would I on Linux.

Now I agree that the average user today just walks in and buys a PC downtown and loads some software and tries to run the plant and gets hosed. But this is not an issue with the OS; this is an issue with the fact that we run quarter to quarter and have let all the people who maintained and invested in this stuff go... I had a co-worker who asked me once why we were able to read and stay on top of this stuff, and I said "Because no-one is stupid, like us".

We do not give the ones who are left any time to be controls experts, IT experts, maintenance experts, design experts, draftsmen, project managers, etc. When you eliminate all of your expertise and yet expect things to keep running, instrument men, electricians, this way is what you get.

WE AUTOMATED TO GET RID OF BODIES AND MAKE MORE WIDGETS, BUT WE FORGOT TO ADD PEOPLE TO TAKE CARE OF THE AUTOMATION... not which OS I and most of the world run on...

Have a great day:
Dave
 
You can run Windows with the drive "mounted as read-only" / RAMDISK as well. It's not that common but can be done with a special driver. Windows Embedded comes with it, but I believe it's available on its own for WinXP (maybe Windows 7???).

I don't recommend Windows on a critical system, but sometimes you purchase equipment and you have no choice. Usually they are plain vanilla WinXP with no disk protection whatsoever. That is a choice of the vendor though, not Microsoft. It is the vendor's marketing choice to leave the PC as is so that people can feel comfortable with it, or maybe they don't know any better or don't bother with the extra hassle of making the disk write protected. There is inherent danger there, no doubt.

KEJR