Critical infrastructureSiemens: Removing SCADA trojan may disrupt power plants

Published 26 July 2010

Siemens last Thursday made available to customers a tool which would detect and remove a Trojan worm infecting the company software — software used in controlling and monitoring U.S. critical infrastructure facilities and other industrial processes; trouble is, the use of the company warned customers that using the program could disrupt sensitive plant operations

Last Thursday Siemens began distributing a program to its customers, making it possible for them to available for detecting and disinfect malware attacking its software used to control power grids, gas refineries, and factories (“Malicious virus targets SCADA systems,” 20 July 2010 HSNW). The company said, though, that using the program could disrupt sensitive plant operations.

The solution the company is distributing is called Sysclean, a malware scanner made by Trend Micro. It has been updated to remove Stuxnet, a worm that spreads by exploiting two separate vulnerabilities in Siemens’s SCADA, or supervisory control and data acquisition, software and every supported version of Microsoft Windows.

As each plant is individually configured, we cannot rule out the possibility that removing the virus may affect your plant in some way,” Siemens warned. The company also advised customers to keep the scanner updated because “there are currently some new derivative versions of the original virus around.”

Siemens says that Stuxnet has infected the engineering environment of at least one unidentified Siemens customer, and has since been eliminated..

Dan Goodin writes that Siemens has come under criticism for not removing the vulnerability two years ago, when, according, the default password threat first came to light.

Chris Wysopal, CTO of application security tools firm wrote, wrote Thursday that “Siemens has put their customers at risk with this egregious vulnerability in their software.” He added: “Worse, in my book however, is all the customers who purchased the software not knowing of its risk. Software customers that are operating SCADA systems on critical infrastructure or their factories with the WinCC software had a duty to their customers and shareholders to not purchase this software without proper security testing.”

Goodin notes that Siemens has updated WinCC to fix the vulnerability. Microsoft has issued a stopgap fix but has not said yet when it plans to patch the Windows bug.