PLC Security

Siemens and McAfee announced today that McAfee’s Application Control whitelisting product has been tested or modified to work with a variety of Siemens PC-based products that were compromised by Stuxnet. (HT: Smart Grid Security Blog) We have been very critical of Siemens’ response to Stuxnet over numerous blog entries and podcasts. This announcement is a good start, but it still does not appear to provide a solution for the PLCs, if I understand the product nomenclature correctly.

The Siemens software products that can be protected by McAfee’s Application Control are:

  • STEP 7 V5.5
  • PCS7 V7.1 + SP2
  • WinCC V7.0 + SP1
  • WinCC V7.0 + SP2
  • WinCC flexible 2008 + SP2

Siemens attests to the compatibility, saying “the compatibility tests included both Engineering and Runtime stations.”

At first glance I thought the STEP 7 or PCS7 was the software in the S7 Controller, where the actual unresolved and most critical vulnerabilities lie. I have a call in for more info from McAfee and Siemens, but it appears to only address the PC workstation and server components.

Still, this is a positive step that should be commended. Emerson, Invensys and other vendors have selected a Host IPS or white listing solution to integrate into their products. It is deployed and working. If your vendor supports a white listing solution, our recommendation is that you put it in the budget and work plan. We believe it is the second best technical control for ICS security, trailing only a firewall for perimeter security.

Siemens has selected McAfee’s Application Control, which is a white listing solution with “dynamic white listing via a trust model”. Actually this dynamic white listing has me a bit nervous in light of recent events showing you don’t want to trust all the certificates that Windows trusts. Configuration has to be done correctly, like any security product. Hopefully Siemens will take an active role in promulgating the recommended configuration on what is necessary in the white list for various components and even offer a deployment service as other ICS vendors supporting this technology have.
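
The concern about dynamic white listing above, sketched as an added example (not McAfee's or Siemens' implementation or recommended configuration): a simplified model of three allow policies run over a constructed file inventory. All signer names, file names and policy names are hypothetical, and signer IDs stand in for certificate thumbprints.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed values: signer IDs stand in for certificate thumbprints.
OS_TRUSTED = {"ics-vendor", "os-vendor", "unrelated-vendor"}  # all the OS trust store accepts
PINNED = {"ics-vendor", "os-vendor"}                          # publishers expected on this station


@dataclass(frozen=True)
class Executable:
    name: str
    content: bytes
    signer: Optional[str]  # signer of a valid signature, None if unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def allowed(exe, baseline, trusted_signers=frozenset()):
    """Allow if the hash is in the baseline or the signer is in the trusted set."""
    return exe.sha256 in baseline or exe.signer in trusted_signers


# Golden-image inventory taken at commissioning (constructed).
golden = [
    Executable("engineering_tool.exe", b"v1 engineering", "ics-vendor"),
    Executable("hmi_runtime.exe", b"v1 runtime", "ics-vendor"),
]
BASELINE = {e.sha256 for e in golden}

# Files that appear on the station later (constructed).
later = [
    Executable("hmi_runtime.exe", b"v2 runtime (vendor patch)", "ics-vendor"),
    Executable("helper_driver.sys", b"validly signed, not expected here", "unrelated-vendor"),
    Executable("dropper.exe", b"unsigned", None),
]

POLICIES = {
    "hash_only": frozenset(),                 # static white list: baseline hashes only
    "trust_os_store": frozenset(OS_TRUSTED),  # dynamic: any signer the OS trusts
    "trust_pinned": frozenset(PINNED),        # dynamic: only the pinned publishers
}


def evaluate(policy):
    """Return {file name: allowed?} for the later files under the named policy."""
    return {e.name: allowed(e, BASELINE, POLICIES[policy]) for e in later}


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, evaluate(policy))
```

In this model the static list blocks the legitimate vendor patch, trusting the whole OS store admits the unexpected signed driver, and pinning publishers admits the patch while blocking both other files.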

So now Siemens customers have a supported white listing solution for the OS, ES, WinCC and other workstation and server components that Stuxnet exploited and used to attack the PLCs and process. They should crow a bit more about this and put out more information than the brief note on their site.

The timing of this PC solution in relation to the Stuxnet disclosure is actually not bad. The world learned of Stuxnet in July 2010. The world learned that Stuxnet actually attacked a specific process and the impact on the PLC from Ralph Langner in September. (Side note: I’m still amazed that ICS-CERT and Siemens are given a pass for having to learn this from a small, but excellent team in Germany). Getting a compensating control identified, tested and released in seven months is faster than usual for the ICS space.

Maybe Siemens has some solution in the works for the lack of authentication and authorization in the PLCs. If so, it would be a good idea to talk about how this major security flaw will be addressed in the future. Then they can flip from the vendor with the black eye from Stuxnet to the vendor leading the way in controller security.
