New Windows Virus Targeted at Industrial Controls

David Ferguson

And in the end.....that is all I am trying to point out, nothing more.

Do I think MS has a halo, no way. I just think that the real issue lies in the computer becoming a means to an end. The user, when he/she chooses to use that tool, had better know how to use it, no matter if it is from Stanley or Craftsman. Switching hammers will not change this IMHO.

Now could it ship far more secure than it does.....absolutely, but those who do not know how to use a hammer demand that they do not and it is one of the skills of our job that we need to do, regardless of who made the hammer. And if everyone is using one hammer, the evildoers (always wanted to do that) will look at a way to exploit your hammer.

I have received many e-mails etc and know there are a lot of us out there, some of us just cannot resist a good debate....or are that stupid.

Dave Ferguson
 
In reply to Ken E: Ubuntu Linux avoids the problem by not even having a root (administrator) account while still requiring a password for things like installing software or changing system level configurations. You can create a root account if you know what you are doing (and have the password) but there is normally no real need for it. It's actually quite a convenient way of doing things once you get used to it. I think that Apple does something similar, although I'm not familiar enough with OS X to say for sure how they do it.

As for security on MS Windows versus Linux (or BSD), the big security advantage that Linux has is less to do with the technical details and more to do with a Linux distro being an integrated solution from a single supplier. If there is a problem they can do whatever needs to be done to fix it properly. If the fix causes problems with any application software, they can just deal with that rather than trying to avoid side effects in software that depends on the bug being present.

On another note, I just saw a news report that Microsoft has just released a new set of security patches to fix a record number of security holes. One of the patches supposedly covers the Stuxnet virus (this is the one we have been talking about here). A fourth security hole which this virus can use is still not fixed yet however.
 
It is more secure. There is virtually no way to secure a normal PC from someone with physical access regardless of what OS you are running. So the root login on the console is really not an issue. After all, they can just steal the hard drive and be done with it. And unless you are installing the OS, they need to assign _some_ root password as root is always a separate entity. Otherwise you could not become root if they did not tell you what it is. (there are ways around this which I won't go into here.) And you need to be root to add users, etc.

But, usually, with this as a consideration, the only place you can login as root is at the console, which means that any remote login is running as a normal user. But, of course, you can change this to allow virtually anything. And I'm not saying you can't make a Linux system insecure. It truly is your system and belongs to you so you can do nearly anything. What I am saying is that a Linux system distributed by non-idiots will normally be more secure. The point is, that if you endeavor to distribute Linux, you can distribute it configured very securely and most do. The fact that you can also open everything up is a privilege where you bear the responsibility. Contrast this to Windows where you pretty much take what you get and have to take action to make it secure. Preloads can only be as secure as the people loading the OS make it. It is my contention that making this the responsibility of the distributor makes it far more likely to actually happen than depending on the user. We could very well have distributors who, rather than deal with security questions, take the Windows way out and disable security. But I haven't seen any distribution that does this.

Regards
cww
 
David Ferguson

Curt:

For EXAMPLE, Emerson supplies PCs for DeltaV that they approve, they then ship the PC to Austin and set the WINDOWS box up the way they want it secured and set up etc. Do they go far enough in my opinion ..... no, because none is secure enough, but this is exactly what you are saying. If you choose to go a different route and supply your own PC then their tech support will not support you. There is about a 50 page document of the things they change from normal in their configuration.

Why do the other vendors not do the same.........because Emerson takes a lot of heat for the expense added to set these up with humans who know what they are doing. If I am going to take on that responsibility then I should know what I am doing.

Dave Ferguson
 
Curt,

I log into this particular embedded system over plain old not-very-secure Telnet with the vendor supplied default root password. I plan to change the password and use ssh in the near future...

My point is that just because it is Linux doesn't mean some company supplying it to you can't configure it, blow the doors off of security, and then ship it to you as a product.

KEJR
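Ken's embedded box, reachable over Telnet with the vendor's default root password, is the classic weak shipping configuration. As an added example (not from any poster, and not any vendor's code), here is a small POSIX shell audit that reads an sshd_config and reports whether root login over SSH and password authentication are disabled, which is the state you want once the password has been changed and Telnet retired. It inspects only the global section (everything before the first Match block) and, like sshd itself, takes the first occurrence of a keyword; anything other than an explicit "no" is treated as a finding. The configuration file paths shown in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from any poster or vendor: audit an sshd_config for the two
# settings that matter most on a box that ships with a vendor default root password.

# sshd_setting FILE KEYWORD
# Prints the effective global value of KEYWORD. Like sshd, it uses the first
# non-comment occurrence, matches keywords case-insensitively, and stops at the first
# Match block (values inside Match are conditional, not global). Prints nothing if unset.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }      # skip comments and blank lines
        tolower($1) == "match"    { exit }      # end of the global section
        tolower($1) == key        { print $2; exit }
    ' "$1"
}

# audit_sshd FILE
# Returns 0 when root login over SSH and password authentication are both disabled,
# 1 otherwise, naming each offending setting on stderr.
audit_sshd() {
    cfg="$1"; rc=0
    root=$(sshd_setting "$cfg" PermitRootLogin)
    pass=$(sshd_setting "$cfg" PasswordAuthentication)
    [ "$root" = "no" ] || { echo "PermitRootLogin is '${root:-unset}', want 'no'" >&2; rc=1; }
    [ "$pass" = "no" ] || { echo "PasswordAuthentication is '${pass:-unset}', want 'no'" >&2; rc=1; }
    return $rc
}

# Typical use (path is a constructed placeholder):
#   audit_sshd /etc/ssh/sshd_config || echo "ssh hardening incomplete"
```

With both settings at "no", the only way in over SSH is a key belonging to an unprivileged user, and becoming root is a separate, logged step on the box itself, which is the arrangement cww describes for a sensibly configured distribution.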
 
That does indeed accomplish the same thing, as much as Windows can be secured and still run popular software. But what you mention is exactly the problem with doing it that way. It takes time for each box. Now if you did it once and copied it to each machine then you could achieve both a measure of security and efficiency. But problems come in because MS doesn't allow just anybody to modify Windows and redistribute due to licensing concerns. They were sued about this by vendors that did want to boot to some other look for example. Very high volume sellers like Dell might negotiate some slack here, but it requires a Windows source license and a Windows license for every box sold, even Linux boxes, which I suspect is why a Linux box costs more than the same box with Windows. There may be other secret concessions. Linux doesn't have this type of licensing, so people at, say, our level can legally harden and redistribute and bundle with an application. I _am_ glad to hear that _someone_ is attempting to seriously address the problem. Maybe it will start a trend as the legal types figure out who the customer is likely to try to sue. Kudos to Emerson. Now, they should be able to simply Ghost the first machine and save lots of time and trouble. Many IT shops do this with a site license, but I don't think it is allowed for resellers. Imagine the problem they would have if someone offered "Secure Windows" for sale :^)

Regards
cww
 
I agree completely, it's yours to do as you like. But at least in your case, it's clear who is liable.

Regards
cww
 
> That does indeed accomplish the same thing, as much as Windows can be secured and still run popular software. But what you mention is <

---- snip ----

> There may be other secret concessions. Linux doesn't have this type of licensing, so people at say, our level, can legally harden and redistribute and bundle with an application. I _am_ glad to hear that _someone_ is attempting to seriously address the problem. <

We solved that problem by creating a CRC based checksum for all critical software parts ... that means the code of the softPLC itself and the code of the control application. So every modification of these parts will be recognized.

Regards

--Armin

http://www.steinhoff-automation.com
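Armin's CRC check over the softPLC and the control application, as an added example in POSIX shell (this is not Steinhoff's code): a manifest of cksum CRCs is built once from a known-good install and, at every later check, compared against a fresh run, so any changed, added or removed file shows up with its name. The directory layout, file names and manifest location are constructed for illustration. A plain CRC reliably catches accidental or careless modification; since anyone who can rewrite the files can also recompute the CRC, the manifest itself belongs on read-only media, and a keyed hash (HMAC) in place of the CRC is what gives tamper evidence against a deliberate change.

```shell
#!/bin/sh
# Added example, not Steinhoff's code: a CRC manifest over a directory of "critical
# parts" (softPLC binary plus control application), built with POSIX cksum.

# build_manifest DIR MANIFEST
# Writes one "crc size ./path" line per regular file under DIR, in a fixed order so
# two runs over identical content produce byte-identical manifests. MANIFEST must
# live outside DIR (otherwise it would checksum itself).
build_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          cksum "$f"
      done ) > "$2"
}

# verify_manifest DIR MANIFEST
# Rebuilds the manifest and compares it with the stored one. Returns 0 when every
# file is unchanged and nothing was added or removed; otherwise prints the differing
# entries on stderr and returns 1.
verify_manifest() {
    dir="$1"; manifest="$2"
    current=$(mktemp) || return 2
    build_manifest "$dir" "$current"
    if cmp -s "$manifest" "$current"; then
        rm -f "$current"
        return 0
    fi
    echo "integrity check FAILED for $dir (expected vs current):" >&2
    diff "$manifest" "$current" >&2 || true   # diff exits 1 on differences, which is the expected case here
    rm -f "$current"
    return 1
}

# Typical use on a known-good install, then again at every start-up
# (paths and halt_safely are constructed placeholders):
#   build_manifest  /opt/softplc /boot/softplc.manifest
#   verify_manifest /opt/softplc /boot/softplc.manifest || halt_safely
```

Because the manifest is compared as a whole, a file that is added to the application directory is reported just like a modified one, which matters for a softPLC that loads whatever it finds in its program directory.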
 
Chris Jennings

It is interesting that just recently I have been working on a Windows based system that is used for recording video of events (paper breaks) on a paper machine. The computers all run Windows XP Embedded and are pretty much bullet proof. There are hardly any drivers installed on the machine, the USB ports don't work (much to my disgust because I can't run diagnostic software) and the network only has basic functionality.

I was trying to see if I could use a "generic" PC as a replacement for the old and obsolete P4 machines with IDE hard disks. The short answer is no, everything is tied to the hardware and Windows is pretty much there just as a basic environment for the software.

So you can make a bullet proof PC running Windows, but not generic Windows. The embedded versions have everything removed that you don't need. The disadvantage is that you tie the software directly to the hardware, which could be a problem. Once again I think this puts the ball in the control system vendors' court. Microsoft provide the tools and the software to make it possible to distribute a secure Windows based system, but people choose not to do that. Probably because clients want the flexibility and don't like vendor lock in. Perhaps the client is to blame?

Chris Jennings
 
David Ferguson

BINGO.........this is exactly my point, it can be done today but vendors and users choose not to do it and again it will be the same with Linux IMHO.

Dave Ferguson
Control Systems Engineer
 
In reply to Chris Jennings: MS Windows XP taken in original condition straight out of the box will not install or run on modern PCs (there are ways of working around this involving loading additional components via floppy disks during installation, but it's not for the faint of heart or the impatient). That may be the reason why you can't install it on a new PC.

In addition, Microsoft does not support any version of MS Windows XP prior to SP3. That means for example that there are no security patches or updates available for the virus we are discussing here. SP3 will be supported for another short while, but after that it's strictly MS Windows Vista and MS Windows 7 (until the replacement for MS Windows 7 comes out, at which point support for Vista gets dropped).

MS Windows XP Embedded is just MS Windows XP with some utilities to allow an OEM to repackage it to use less RAM and disk space and to add some custom branding. It has nothing to do with making the OS more secure or robust. If your copy doesn't have SATA support, then I rather doubt it has any security updates available, even assuming the repackaged version has the ability to install them. MS Windows XP Embedded is an obsolete product. Microsoft now has something intended for that market based on MS Windows 7, but it isn't as customizable to the same degree.

I don't think that MS Windows XP Embedded was really suitable for a "SCADA appliance" application. A SCADA system is probably going to have lots of RAM and hard disk space anyway as the SCADA packages and databases themselves are usually not very light weight. If you were going to do something like that with MS Windows you might be better off starting with one of their server versions, although most people would probably cringe at the cost. It would at least give you an install that didn't have rubbish such as trial software and toolbars installed.

What you would really want to be able to do however is to give a customer a disk that had the OS and application software together. Everything would get installed together and the application vendor could guarantee that everything was compatible and configured correctly. The vendor would also handle all updates (including OS updates), so they could test for any compatibility problems. All support problems would be handled by a single source with no finger-pointing between vendors.

As to whether Microsoft would allow third parties to do this with MS Windows, I can't say for sure, but I rather doubt it. They have become quite restrictive lately as to what you can do with their product. For example it used to be common for PC vendors to put their own splash screens on the boot process, but Microsoft doesn't allow that anymore as they want to elevate their own brand above that of the PC vendors.

I can think of quite a few companies who sell software-only "appliances" using Linux or BSD, but I can't think of a single one that does the same with MS Windows. A vendor can distribute MS Windows as part of a PC, but not as a stand-alone customized package. Given the potential market for this in business applications, I imagine that Microsoft simply doesn't allow it.

Actually, I would bet that you could walk into the majority of businesses and find at least one MS Windows installation that was technically "pirated" even if paid for because one or more of the terms and conditions was transgressed in some manner. There are consultants who make a business out of figuring out Microsoft's license terms and explaining them to their customers.
 
I don't think so, because leaving security up to the client obviously doesn't work. And assuming they are competent to secure the PC is wishful thinking. And leaving the power plant PCs wide open because the night operator wants you to, is irresponsible.

Regards
cww
 
In reply to Chris Jennings: I had a look at the URL you posted, and I see I was wrong and they actually do have a version of MS Windows Embedded for Vista. I don't know where I got the impression that they didn't. Perhaps it hasn't been too popular.

Rather interestingly, their list of customer applications includes "SCADA devices". They are distinguishing a "device" from a "PC", so I don't think this would have been for a typical SCADA work station. Possibly it might be a panel PC with a "lite" version of a SCADA product? I haven't seen one however.

The products they listed by the way were not for a "software appliance". They assumed you are bundling hardware. What they are saying the "embedded" version gives you is "the flexibility to deploy a custom user interface". What that means more or less is that you can put your own brand name prominently on the screen.

I had a look at their support expiration dates for MS Windows XP Embedded, and they listed the following:

XP: 22-Oct-2004
XP SP1: 10-Apr-2007
XP SP2: 11-Jan-2011
XP SP3: No fixed date.

However, although this policy states that SP2 support is still in effect until next year, their actual support announcements for the Stuxnet virus (the one we are talking about here) don't include patches for SP2, only SP3. So regardless of what their general policy states, they don't seem to be supporting it. They have however been telling customers that they need to upgrade if they want support.

For XP SP3, they don't give a fixed support date and what information they do have just sends you around in circles. It looks like they are playing this one by ear. Since the embedded version is just a derivative of the normal desktop version that will probably depend on what happens in the general market, and right now the majority of their customers are still running MS Windows XP.

The length of their support lifetime however should really only be an issue for someone who doesn't plan on upgrading their SCADA system on a regular basis.
 
In reply to M. Griffin:

> MS Windows XP Embedded is just MS Windows XP with some
> utilities to allow an OEM to repackage it to use less RAM and
> disk space and to add some custom branding. It has nothing to

I just wanted to add one minor point in that the other use for embedded Windows is to lock down the main filesystem for the equivalent of Linux "read only root" with AUFS. In theory a simple reboot will get you back in business if some software went bonkers and rewrote some critical feature of the OS or application (could even be a simple virus...)

I'm pretty sure you can do this in regular Windows but you have to download the right drivers and utilities to set it up.

I will say, however, that in practice this is a bit difficult in that the way Windows software is installed and configured does not lend itself to the read only filesystem very well. The Windows embedded system lets you use a utility program on another PC to set up an image which can be transferred to the target machine.

I do like the Linux command line approach better: once the filesystem is set read only with AUFS you simply remount the root filesystem at the console (and with Debian) do apt-get and then remount as readonly. I've not set one of these up myself but I am currently using an embedded Linux system that we purchased this way and it is slick.

KEJR
 
In reply to Ken E: "Locking down" a file system by marking it as read-only may prevent a legitimate program from accidentally writing to that volume, but it won't stop a virus. The virus would simply ignore the read-only marker, or else re-mark it as read-write, write to it, and re-mark it as read-only. A number of copy protection systems use the same techniques as viruses and subvert Windows so they can write to areas of the disk they would not normally be allowed to (e.g. right outside the normal Windows partition altogether).

On the other hand, read-only mounts are very handy in embedded applications. They're used in embedded Linux systems (as you described), and they're also used in live CD and live USB flash systems as well.

They're not really a security feature however, unless the actual media is read-only, either inherently as CD is, or otherwise (e.g. some flash drives used to have hardware write-protect switches).
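Ken's Debian maintenance cycle (remount the read-only root read-write, apt-get, remount read-only) and M. Griffin's caveat that the read-only flag is an accident guard rather than a security boundary, as one added example in POSIX shell that is not code from either poster. The first function reads the mount table and reports whether a mount point is currently read-only; the second wraps a maintenance command so the root is returned to read-only even when the command fails. The mount-table lines used for checking are constructed; the remount and apt-get steps assume root privileges on a system set up as Ken describes.

```shell
#!/bin/sh
# Added example, not from the thread: maintenance helpers for a Debian box whose root
# filesystem is kept read-only (AUFS/overlay style, as Ken described).

# mount_is_readonly MOUNTPOINT [MOUNTS_FILE]
# Returns 0 if the last entry for MOUNTPOINT in MOUNTS_FILE (default /proc/mounts)
# carries the "ro" option. The last entry wins because an overlay mounted on top of
# the real root is listed after it. Returns 1 if the mount point is rw or absent.
mount_is_readonly() {
    awk -v mp="$1" '
        $2 == mp { opts = "," $4 ","; found = index(opts, ",ro,") ? 1 : 0 }
        END      { exit found ? 0 : 1 }
    ' "${2:-/proc/mounts}"
}

# with_rw_root COMMAND [ARGS...]
# Remounts / read-write, runs COMMAND, flushes writes and remounts read-only again
# even if COMMAND failed; returns COMMAND's exit status. Requires root.
with_rw_root() {
    mount -o remount,rw / || return 1
    "$@"
    status=$?
    sync
    mount -o remount,ro /
    return $status
}

# Typical use (package name is a constructed placeholder):
#   with_rw_root apt-get install -y some-package
#   mount_is_readonly / && echo "root is read-only again"
```

The check only reports the mount flag. Any process running as root can issue the same remount that with_rw_root does, which is exactly M. Griffin's point: the read-only root undoes what a careless program or a simple virus wrote, after a reboot, but against code that already has root it is a convenience, not a control. Truly write-protected media, or a verified boot chain, is what turns the arrangement into a security feature.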
 
Ken Emmons Jr.

In reply to M. Griffin:
> "Locking down" a file system by marking it
> as read-only may prevent a legitimate program from
> accidentally writing to that volume, but it won't stop a
> virus.

I know, that's why I mentioned a "simple" virus in my post. If they are writing to the boot sector of the drive or directly to the disk somehow, all bets are off! :eek:)

KEJR

 
There are new developments in the story about the MS Windows virus which attacks Siemens control systems. There is an AP news article that states the US government is taking an interest in introducing regulations regarding security for control systems. Here's a link to the story:

http://www.ctv.ca/CTVNews/SciTech/20101118/stuxnet-computer-virus-warning-101118/

The same story is also available from multiple other sources if you search for "Stuxnet virus could target many industries, experts warn".

The interesting points in the story are the following:

"They warned that industries are becoming increasingly vulnerable to the so-called Stuxnet worm as they merge networks and computer systems to increase efficiency. The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer."

and also:

"(Michael Assante) ... encouraged senators to beef up government authorities and consider placing performance requirements and other standards on the industry to curtail unsafe practices and make systems more secure.

The panel chairman, Sen. Joe Lieberman, I-Conn., said legislation on the matter will be a top priority after lawmakers return in January."

From this it looks like there will be big changes coming up in some parts of the controls industry in the US. At this point however, I would predict the result will be lots of pointless paperwork, with suppliers and customers trying to pass off the responsibility to each other, but with no actual discernible benefits.

Real improvement will require significant changes in the way that the problem is approached, but that will probably require another major incident before people are sufficiently stirred to action.
 
I have to say I was intrigued and amused by the hilarious notion that this problem will be solved by legislation. Unless they move to prohibit Windows in critical places, I can't begin to think that legislation will cause people to do what common sense and basic engineering have failed to bring about. Like "Don't include a virus magnet in your design". Millions, perhaps billions, will be spent to avoid the simple solution. And it will include the best legislation that money can buy. Again to avoid the simple solution. And the problem will continue. We've seen this before. MS wins, everyone else loses. But almost everyone likes that. Strange.....

Regards
cww
 
I would like to steer this discussion back to the Stuxnet topic. Interestingly, this has been described as the first attack in a cyberwar. Many feel that the complexity of the virus is such that it must have been state sponsored and that Israel, America, China, [Insert nation here] must be responsible. It had to take several man-months to code and it took an in-depth knowledge of processes, PLC programming, etc. so it must be assumed that a team was involved. Any thoughts?

http://www.networkworld.com/community/blog/stuxnet-worm-and-cyberwar-what-happens-next

http://news.cnet.com/8301-27080_3-20023124-245.html
 