SEATTLE — The US Department of Homeland Security's Industrial Control System Cyber Emergency Response Team (ICS-CERT) recently released an alert regarding malware that is targeting popular human-machine interfaces (HMIs) of industrial control systems. Based on a variant of the BlackEnergy malware toolkit, the malware infects HMI systems that have a direct connection to the Internet. Numerous vendors' products have been targeted in a campaign that appears to have been going on since 2012.
At the core of many modern industries resides a supervisory control and data acquisition system (SCADA) with an HMI providing operator access to and control of the devices within the system. In applications where an ability to remotely monitor or operate the system is required, the SCADA/HMI is often connected to the public wide-area network (a.k.a. the Internet) as the link to the remote operator. It is such installations that the BlackEnergy malware has been attacking.
ICS-CERT worked with multiple companies to identify the malware campaign and locate the vulnerabilities being exploited. At least three commercial SCADA/HMI software products are listed in ICS-ALERT-14-281-01A, including GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC for SIMATIC. Whether there are other vendors that have been targeted was not known as of the time of the alert.
According to the ICS-CERT analysis, the likely initial attack vector involves causing the HMI server to run a malicious screen file hosted on an attacker-controlled server; that file then installs the malware. The alert reports that "at this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems' control processes," but cautions that such malware typically searches out removable media and network-connected file shares in order to move laterally within the victim's computer networks.
The SCADA/HMI software vendors are already starting to react to the alert. At GE's security reporting website, for instance, the company has already provided downloadable patches for some products, as well as a list of additional recommendations. Advantech reports that all versions of its WebAccess have been patched. Siemens reports that "experts from Siemens and ICS-CERT are investigating this issue and will provide information updates as soon as possible."
Industrial control system developers working with other vendors of SCADA/HMI software or developing their own, however, should consider testing the code they are using to see if they, too, are vulnerable to this malware. The ICS-CERT alert includes a YARA signature to aid in making this determination. Any positive or suspected findings should be immediately reported to ICS-CERT for further analysis and correlation.
— Rich Quinnell, Industrial Control DesignLine Editor