Here we provide information about the latest developments and the measures recommended by Siemens for handling Stuxnet.
| Updated | Current status of infected computers |
|---|---|
| 11.03.2011 | To date a total of 24 Siemens customers in the industrial sector worldwide have reported being infected with the Trojan horse. The malware was able to be removed in all cases. In none of these cases did the infection have an adverse impact on the automation solution. |
Recommended procedure to identify and remove a Stuxnet infection
We recommend examining the following types of computers:
- Embedded systems (e.g. Microbox)
- Other computers
- Infrastructure computers (file servers, domain controllers, other servers...)
- Computers with and without WinCC installation
- Virtual machines (e.g. VMWARE installations)
Proceed as below to implement the various measures.
Always make a backup of ZIP files before scanning. ZIP files of > 1 MB should be unpacked before scanning to ensure that the data they contain is scanned.
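The backup-then-unpack rule above, as an added example that is not Siemens' own tooling: every ZIP under a directory is copied to a backup location first, and only archives above the threshold are unpacked into a separate directory for the scanner. The 1 MB limit is assumed to mean 1 MiB, and the sample archives built by `demo()` are constructed for illustration.

```python
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

SIZE_THRESHOLD = 1024 * 1024  # the page's "> 1 MB" rule; 1 MiB assumed here

def safe_extract(zip_path: Path, dest: Path) -> list:
    """Extract into dest, refusing entries whose resolved path escapes it (zip-slip)."""
    dest = dest.resolve()
    dest.mkdir(parents=True, exist_ok=True)
    names = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if os.path.commonpath([dest, target]) != str(dest):
                raise ValueError(f"refusing {info.filename!r}: escapes {dest}")
            zf.extract(info, dest)
            names.append(info.filename)
    return names

def prepare_archives(root: Path, backup_dir: Path, unpack_dir: Path) -> dict:
    """Back up every ZIP under root, then unpack those above the threshold for scanning."""
    report = {"backed_up": [], "unpacked": [], "left_packed": []}
    backup_dir.mkdir(parents=True, exist_ok=True)
    for zip_path in sorted(root.rglob("*.zip")):
        shutil.copy2(zip_path, backup_dir / zip_path.name)  # always back up first
        report["backed_up"].append(zip_path.name)
        if zip_path.stat().st_size > SIZE_THRESHOLD:
            safe_extract(zip_path, unpack_dir / zip_path.stem)
            report["unpacked"].append(zip_path.name)
        else:
            report["left_packed"].append(zip_path.name)
    return report

def demo() -> dict:
    """Constructed sample: one small and one >1 MiB archive (stored, so the size is real)."""
    root = Path(tempfile.mkdtemp())
    (root / "data").mkdir()
    with zipfile.ZipFile(root / "data" / "small.zip", "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "tiny")
    with zipfile.ZipFile(root / "data" / "big.zip", "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("blob.bin", os.urandom(SIZE_THRESHOLD + 1024))
    return prepare_archives(root / "data", root / "backup", root / "unpacked")

if __name__ == "__main__":
    print(demo())
```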
A) Embedded systems
These systems must be scanned from a second, non-embedded computer via shared network drives.
- Update the second computer as described under "B) Other computers" to prevent mutual reinfection; connect the drives of the embedded system to the second computer.
- Open the Windows Explorer on the second computer => select connected network drives with a right-click => start the relevant virus scan.
B) Other computers:
- Determine whether your Microsoft Windows computer is affected by the virus
- If a virus is detected, please proceed as follows.
If your computer is infected, always inform your Siemens Customer Support and together work out the next steps for your computer installation and for your plant:
- Install the Microsoft Patch.
- Disconnect the computer immediately from the network.
- Create a standard user, but remain logged on with administrator rights to execute the SYSCLEAN tool and the SIMATIC Security Updates. Clean the computer using "Sysclean" with the "Automatically Clean Infected Files" function enabled.
- Install the SIMATIC Security Update.
- Restart the computer. Log on as standard user.
- Re-run the virus scan with the virus scanner you have installed and leave the virus scanner running permanently.
- Please make sure that you unpack packed files, ZIP files, for example, into a separate directory before doing a virus check. With certain settings of the virus scanner it might be the case that packed files are not checked thoroughly for a virus infection. Unpacking packed files ensures that a complete check is made in each case by the scanning mechanism.
- Reconnect the computer to the network.
The following safety precautions also apply:
- All connections with the outside world must be checked and cleaned (customer data, USB devices, others).
- If possible, do not use any third-party USB sticks and/or mobile data carriers. Always check the safety concepts. For example, disable/uninstall services that are not needed. Installation of the Microsoft Patch is recommended for the operating systems listed by Microsoft.
Further technical information
Information about the SIMATIC controllers CPU 315-2 and CPU 417
The malware carries its own blocks (for example DB890, FC1865 and FC1874) and tries to load them into the CPU 315-2 and integrate them into the program sequence. If these blocks are already present, the malware does not infiltrate the user program. If these blocks were not present in the original program of the CPU 315-2 and are now detected, the virus has infected the system. In this case it is urgently recommended to restore the plant control system to its original state. When a CPU 417 is used and a DB8061 is already in the project, the malware might possibly change it when downloaded. If DB8061 is not in the project, there is no need to do anything.
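The decision rules above, as an added example that is not Siemens' own code: the block list of the original program is compared with the block list now in the CPU, and the page's rules for the CPU 315-2 (new DB890/FC1865/FC1874 means infection) and the CPU 417 (an existing DB8061 may be altered) are applied. The one-block-per-line listing format, the `assess` function and the sample listings are assumptions constructed for this example.

```python
import re

# Blocks the page says the malware carries and tries to load into a CPU 315-2.
STUXNET_315_BLOCKS = {"DB890", "FC1865", "FC1874"}
# Block the page says may be changed on a CPU 417 if it already exists in the project.
STUXNET_417_BLOCK = "DB8061"

_BLOCK_RE = re.compile(r"^(OB|FB|FC|DB|SFB|SFC|SDB)\s*(\d+)$", re.IGNORECASE)

def normalize_block(name: str) -> str:
    """Canonicalise a STEP 7 block name: 'db 890' and 'DB890' both become 'DB890'."""
    m = _BLOCK_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a block name: {name!r}")
    return f"{m.group(1).upper()}{int(m.group(2))}"

def parse_block_list(text: str) -> set:
    """One block per line (constructed listing format, e.g. copied from the project's block folder)."""
    return {normalize_block(ln) for ln in text.splitlines() if ln.strip()}

def assess(cpu: str, baseline: set, current: set) -> dict:
    """Apply the page's rules: baseline = blocks of the original program, current = blocks now in the CPU."""
    new_blocks = current - baseline
    if cpu == "CPU 315-2":
        hits = sorted(new_blocks & STUXNET_315_BLOCKS)  # blocks already in the original are not counted
        return {"cpu": cpu, "infected": bool(hits), "blocks": hits,
                "action": "restore the plant control system to its original state" if hits else "none"}
    if cpu == "CPU 417":
        at_risk = STUXNET_417_BLOCK in baseline
        return {"cpu": cpu, "infected": None, "blocks": [STUXNET_417_BLOCK] if at_risk else [],
                "action": "compare DB8061 with the original project; it may be changed on download" if at_risk else "none"}
    raise ValueError(f"no rule on this page for {cpu!r}")

# Constructed sample listings (not real project data).
ORIGINAL_315 = "OB1\nOB35\nFC1\nFB1\nDB1"
CURRENT_315 = ORIGINAL_315 + "\nDB 890\nFC1865\nFC1874"

if __name__ == "__main__":
    print(assess("CPU 315-2", parse_block_list(ORIGINAL_315), parse_block_list(CURRENT_315)))
```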
Compatibility of the Microsoft updates with SIMATIC applications
The Microsoft Patch KB2347290 has been tested successfully for compatibility with SIMATIC WinCC and SIMATIC PCS 7.
The latest information about other Microsoft updates is available at this link:
Security note to Siemens Tecnomatix FactoryLink
Siemens_Security_Advisory_SSA-630126.pdf ( 70 KB )
Tool for identifying and removing Stuxnet
SIMATIC Security Update
Notes:
- Please follow the installation and usage instructions - excerpt:
"...If you perform the update according to the Microsoft Security Advisory "2286198", then the icons will be replaced with standard Windows icons. Make sure that you assign meaningful names to your desktop links and those in the Windows Start menu to easily recognize them later. After a Microsoft Security Update has been made available you will receive another SIMATIC Security Update to restore the icons...".
- The SIMATIC Security Update checks whether the Microsoft Security Patch is installed:
Microsoft Patch installed => Microsoft Patch function "Delete icons" is reversed (so that it is possible to work with the computer)
Microsoft Patch not installed => Icon protection is activated; otherwise there would be no protection
- Link to the download (updated: 24.01.2011, V1.0 SP1)
SIMATIC_Security_Update_V1_0_SP1.exe ( 9562 KB ) ; checksum ( 755 bytes )
Microsoft Patch is available to close the Microsoft security gaps