MGD Services Inc.

Information Security- Truly a Hot Topic

Posted on 28. Jul, 2010 by ggunn in Blog

July in New Jersey has been the hottest month on record – ever – and now Information Security is a hot topic too.   It could affect your building’s HVAC.  A virus has been discovered that targets Siemens control systems.  Take a look.

 Information Security – “One if by WAN and Two if by USB”

An emerging threat directed at automated process control systems

During the last week, news has broken concerning a new computer virus.  It is not the same type of virus we have heard about over the previous several years.  It isn’t spread by spam or infected websites and it won’t even attack your smart phone.  This virus has been specifically designed to attack an industrial process control system.  ( http://cwflyris.computerworld.com/t/658770/  )It doesn’t arrive by LAN or e-mail – it is designed to be spread by a USB-key (or drive) inserted into the control system. 

Even an infected USB drive isn’t all that novel, so what is the concern?  And, most probably, what is an industrial process control system, anyway?

Process controls systems are the automation of basic electronic and mechanical functions on the plant floor or involved in facility control.  They are not the PC-based programs or packages that most business automation or programing personnel are familiar with.  They have been around for decades and are usually very large, proprietary systems that are dedicated to repetitive tasks (chemical production, refineries, tablet finishing, packaging and water treatment plants) over a long period of time.  They also predate Windows and weren’t even designed to interface with that operating system.

These systems have names that most users are not familiar with:  PLCs, SCADA and DCS.  The PLC’s directly control a task, step or a single line that may have a reactor, a mill or a transfer belt.  PLC stands for “Programmable Logic Controller” and runs programs called “Ladder Logic.”   The SCADA (Supervisory Control and Data Acquisition) is a higher level system that may have oversight control of multiple PLCs as well as receiving and storing their data.  (PLCs have extremely limited memory and may show data on their panels but don’t store it for any length of time.)  The largest systems are called  Distributed Control Systems or “DCS.”  These will have large programs and oversee a facility with multiple PLCS or pieces of equipment.  Information will come to the DCS from thousands of points and will have libraries of recipes or sequences, as well as data archiving or ‘historian’ functions for the act ivies they control. 

The key point is that the DCS ( and to some extent SCADA, as well) are relatively few in number, compared to the number of workstations or PCs in an enterprise.  (The DCS will usually be a minimum of $1 Million USD or more.)  Their proprietary nature has until recently kept them safe from PC viruses and other issues because they were islands of automation, unconnected to the windows world, and they were written in programs that had no connection with the tools hackers use or had even heard of.  All of that changed last week.  The first incident of a virus being written to specifically attack that type of proprietary system has been located.  The specific vendor system was Siemens.  (If that doesn’t give you a chill, consider that Siemens is a major vendor for building temperature monitoring and control of  the HVAC or ‘heat and air-conditioning’ systems.)  It was designed to be delivered through a USB connection, not through a website or e-mail. 

Siemens has informed it’s customers of this exploit and is passing out code to remediate the problems.      (  http://news.cnet.com/8301-27080_3-20011159-245.html ) They have also given the warning that since very customers system is different, the act of removing  the code may have unintended consequences.  Since physical security over the USB ports can block this, it might seem that this would be an easy threat to handle.  The larger risk to be considered is that if  the hacking community has started to pay attention to systems that can turn off the air, the water or the lights, what will they do with those system once they are breached.  Time will tell.           

Provided by John English: http://www.linkedin.com/in/johntenglish