If you are involved in industrial automation, you’ve probably heard of the recent discovery of a virus that specifically targets Siemens WinCC and PCS 7 applications using a default password. The virus exploits a previously unknown Windows vulnerability that allows it to install and spread via USB memory sticks. While much has been written about this, the best source for the basic facts is the Siemens page on their Product Support site. Other sites offer more in-depth analysis which may also be of interest. A number of solutions are being developed and tested, including a Microsoft patch to close the security breach at the USB interface, virus signature updates by major anti-virus scanning suppliers to detect and eliminate the virus, and a utility from Siemens to check Windows PCs.
The existence of a virus that specifically targets an industrial control system application, and the skill with which it was written and deployed, prove that the threat of cyber attacks on control systems is real. While we are confident that the measures Siemens and others are taking will be successful in removing this specific virus from infected systems, we believe that this incident must serve as a wake-up call to all suppliers, integrators and operators of industrial control systems to review their cyber security policies, practices and product/system designs.
The first step for concerned owners/operators of industrial control systems (after performing any urgent mitigation procedures from their suppliers) should be a control system cyber security review and gap analysis. These assessments, which can be performed by a qualified third party or by internal resources, provide plant staff and management with a review of a facility’s existing industrial automation and control systems environment compared with industry standards and best practices such as ISA 99.02.01-2009 and NERC CIP. The output should be a report that identifies the gaps found during the assessment and provides recommendations to assist the organization in prioritizing and addressing these gaps.
Exida is a consulting services company focused on helping our clients improve the safety, security and reliability of their automation systems. With the knowledge we gained through our 2009 acquisition of Byres Research, world-renowned experts in control system security, we have developed a Control System Cyber Security Review and Gap Analysis service that offers clients an affordable assessment of their current system architecture, implementation, policies, practices and procedures. We perform a gap analysis against all relevant industry standards and best practices and also against their suppliers’ documented security guidelines, such as the Siemens WinCC and PCS 7 Security Concept whitepaper. We have developed our own efficient methodology and have considerable experience performing these assessments for refining, chemical, power and water/wastewater clients. We are in a unique position because our employees have experience as former product developers and specialists (Siemens, ABB, Moore Products) or former control engineers in process plants. Through the Byres acquisition we also have IT security experts who have spent the last 10 or more years focused on process automation system security. Our goal is to provide our clients an understanding of where they are, where they need to be and how to get there cost-effectively.