WinCC vs MS Security Patches

I ran across an interesting Tweet today from @siemensindustry about Microsoft security patch compatibility with WinCC. It points us at a page on the Siemens web site that is kind of scary at first glance, but is actually quite valuable for owner/operators of Siemens WinCC control systems.

The Scary

The article on this Siemens page starts out with a warning:

“In response to current events (new Trojan horse / virus), [emphasis added] we recommend consulting the Microsoft Security Bulletin MS10-046 - Critical.”

Now I don’t keep up with MS security bulletins real closely (I do automatic updates on my personal computer to avoid that necessity), but that number did seem kind of familiar. I clicked on the link provided and it became obvious why I remembered that particular bulletin number; the title of the bulletin is “Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)” and is dated August 24^th, 2010. Yes, it is the update for one of the Stuxnet ‘0-day’ vulnerabilities.

The date for this page is 2012-01-09 (translated from European to American – 01-09-12) so I immediately jumped to the conclusion that Siemens was just now dealing with this basic Stuxnet related vulnerability. A little closer reading would seem to indicate that this is a long standing Siemens page that has just been updated for the latest (December) Microsoft Windows patches.

I would like to think that all Siemens WinCC owner/operators have already installed this particular security patch, making this confusing note on this Siemens page superfluous. That is probably a dangerous assumption on my part and Siemens is playing it safe, but I do wish they would re-word that opening paragraph to make it seem less timely. Oh, and Siemens could at least mention the name of the Trojan (Stuxnet).

The Valuable

Siemens does provide a valuable service to their customers on this web page (and there is a similar page for their PCS 7 system. There is a link to a spread sheet that provides a list of the Microsoft security patches that Siemens has tested for compatibility with their WinCC system. This is important because a minor incompatibility problem between a Windows update and a control system program can shut a manufacturing facility down or even damage equipment.

The latest Microsoft release covered on this spread sheet is the December 13^th release and the earliest is 6-8-2004. At first glance it looks like all of the patches are compatible, but close examination shows some problems (See MS11-025). Siemens does note that a newer version of the patch does work on their system.

Siemens is to be commended on providing this service to their customers and I’m glad to see that they are also using TWITTER to help push this information out to the user community.

I do have a minor concern about the delay (December 13^th to January 9^th) in the publication of the compatibility information, but I do realize that the type of comprehensive system testing that is required takes some time. It would be nice if Siemens and Microsoft could work out some sort of arrangement where Microsoft could give Siemens some type of advance notification on their patches to allow Siemens to begin the testing process earlier.

A Concern

There is a link on this Microsoft Patch Compatibility page to a separate page entitled: “Why should you not install the Microsoft security patches KB2467174, KB2467175, KB2465361 and KB2465367 in WinCC, PCS 7 and WinCC Professional V11?” This is apparently a follow-up to the incompatible patches (MS11-025) that I mentioned above. The page explains that:

“Installation of one of the Microsoft security patches KB2467174, KB2467175, KB2465361 or KB2465367 causes a massive drain on resources (increase in handles) in WinCC Runtime (OS Runtime, WinCC Runtime Professional V11). This consumption of resources can lead to a standstill of WinCC Runtime.”

That certainly is not a good thing for a control system and owner/users would apparently be well advised not to install these patches.

Unfortunately, the vulnerabilities corrected by these patches would still exist in the Windows operating systems and thus make the Siemens control systems vulnerable to attack through those Windows problems (See Stuxnet). There is nothing on this page that indicates what other mitigating steps an owner/operator could take to protect their control systems from the vulnerabilities now made public by Microsoft.

Since Siemens does make the information available on their spread sheet, it is not a total loss, but a mention here would be appropriate. Also there must have been some lag time before those newer patches became available. There must have been some sort of partial mitigation steps that could have been employed to protect the control systems in the interim.