I just received an update from Siemens Industry. Right now, the target appears to be Siemens (my guess is a particular target of “industrial espianage” but who knows). I would caution everyone, though to read this and take the steps to ensure you’re not introducing anything into your systems. Who knows who might be next?
This is the Siemens statement in full:
Immediately upon notification of the virus on July 14, Siemens assembled a team of experts to evaluate the situation and began working with Microsoft and the distributors of virus scan programs to analyze the virus.
The Trojan/virus is spread via a USB stick, using a security breach in Microsoft Windows. The virus, which affects operating systems from XP upward, detects Siemens WinCC and PCS7 programs and their data.
Siemens has now established through its own tests that the software is capable of sending both process and production data via the Internet connection it tries to establish. However, tests have revealed that this connection is not completed because the communication partners/target servers are apparently inactive. As part of the ongoing analysis, Siemens is checking to see whether the virus is able to send or delete plant data, or change system files.
We are informing our customers and investigating how many systems could be affected. Currently, there is only one known case in Germany of infection which did not result in any damage. We do not have any indication that WinCC users in other countries have been affected.
What platforms are affected/may be affected? Based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface. Normally every plant operator ensures, as part of his security concept, that non-restricted access to critical SCADA system data via a USB interface is not possible. Additional protective devices like firewalls and virus scanners can also prevent Trojans/ viruses from infiltrating the plant.
The following solutions are being developed:
- Microsoft will be offering an update (patch) that will close the security breach at the USB interface.
- Suppliers of virus scanning programs have prepared up-to-date virus signatures that are currently being tested by Siemens. The virus scanners will be able to help detect and eliminate the virus.
- Siemens is also developing a software tool that customers can use to check a Windows PC and determine if it has been infected by the virus. The tool will be distributed via the Siemens Advisory: English; German.
- Siemens will also be providing a Simatic Security Update with all the necessary functions.
What immediate action should customers take?
- Do not use any USB sticks
- Install updates as soon as they become available.