Earlier this week a Tweet from @siemensindustry pointed to an interesting application
note on the Siemens web site. It describes how to set up the WinCC Runtime
Professional V11 so that it can send an email to selected email addresses as
part of an ICS status update program. According to the document (pg 5) the
WinCC Runtime Advanced V11 already has a standard function to accomplish this
task.
As a process chemist I can certainly envision a number of
situations where it would make process monitoring easier if I were
automatically notified when certain process conditions occurred. This could
allow process personnel to monitor certain portions of the production process,
schedule non-automated processes, or even decide that it was a good time to go
to lunch. In other words, it is just another of those external communications
that are just too useful to forgo for something as ambiguous as security.
Security Precautions
Don’t get me wrong, Siemens does not ignore the security
aspects of this application. They include a prominent ‘Caution’ statement on
the first page of the document (okay page 2, but page 1 is just a cover page)
that reads in part:
“In addition, please note that
suitable security measures in compliance with the applicable Industrial
Security standards must be taken, if your system is interconnected with other
parts of the plant, the company’s network or the Internet.”
This is, of course, standard boilerplate language found in
nearly every application note published on the Siemens site and includes a link
to the Siemens’ security document. If this were specific to this application it
would not be necessary to include the phrase “if your system is interconnected…”; an
email application requires such an interconnection to function.
However, since the email function described is a send-only
function (there is, after all, no purpose served by the ICS receiving an email)
one should be able to set up this application as an out-going communication via
a network linkage that does not permit incoming traffic. One caveat to that is
that operators (specifically mentioned as recipients) must receive their email
on a computer that is not attached to the control system network.
How it Works
I’m not going to waste the time and effort to describe how
to set this up. It takes Siemens 42 pages to describe the various aspects of
setting up this application. Okay, I could probably do it in half the space,
but that is still too long for a blog and most readers don’t really care. But
here is the brief story.
First you set up an email account for the control system
computer. This can be an account on the corporate email system or on any of a
number of free email providers. Most of the providers that Siemens tested are
German companies (see page 12), but they did include Yahoo and Gmail. The
emails can even be sent as text messages to a mobile phone.
Next a set of email addresses is set up in the application.
Provisions are made for setting email addresses for each shift as well as
for other pre-set individuals. Then alerts are set to trigger emails to individuals
(including someone on the current shift) or groups. Each alert would include
the language to be sent in the email. Alerts can be triggered by either digital
or analog events.
Potential Security Problem
One of the problems that an attacker might have at many
high-risk chemical companies is determining the optimum time for attacking the
facility. Attacking a chemical storage tank containing a release chemical of
interest (COI) may be difficult because of security controls around the tank
area. The same would probably be true for processing areas of the facility.
Chemical transfer lines, however, are much more difficult to
protect as they frequently have long runs and there are usually areas that are
not readily observable along their length. These lines are normally blown clear
after their use to reduce the risks associated with the chemicals. So a
successful attack on the line could only be conducted when a transfer is occurring.
An attacker would need to know when valves were open or pumps operating to know
when to attack a transfer line.
Now I don’t see any way in the application note that would
allow an outsider to set up an alarm to notify an attacker of the appropriate
control system actions, but then again I’m sure that Siemens is smarter at that
sort of thing than I am. Of course hackers are finding ways into systems all
the time, and an insider could set up an outside email address without too much
trouble or insert a new alert trigger for his account.
There is one security measure that Siemens apparently
overlooked in setting up this application. According to the diagram on page 15
they do add an entry to the system log file every time an email is sent, but
there is no indication that an entry is made when a change is made to the list
of email addresses or alert triggers. If the facility cybersecurity manager is
monitoring system log files (always a good security move), the unauthorized
change to the email list or alert triggers should serve as a security warning.
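The missing change record can be produced outside the HMI. The following is an added example, not code from Siemens or from the application note: it assumes the recipient lists and alert triggers can be exported to JSON (the layout, tag names, addresses and approved domain are all constructed), compares the export with an approved baseline, and returns an audit record for every addition or removal.

```python
import json

# Constructed sample data: the approved baseline and the configuration as
# currently exported. The JSON layout is an assumption made for this example.
BASELINE = json.loads("""{
  "recipients": {"shift1": ["op1@plant.example"], "shift2": ["op2@plant.example"],
                 "maintenance": ["maint@plant.example"]},
  "triggers": {"TankLevelHigh": {"tag": "LT101", "to": "current_shift"}}
}""")
CURRENT = json.loads("""{
  "recipients": {"shift1": ["op1@plant.example"],
                 "shift2": ["op2@plant.example", "j.doe@freemail.example"],
                 "maintenance": ["maint@plant.example"]},
  "triggers": {"TankLevelHigh": {"tag": "LT101", "to": "current_shift"},
               "TransferPumpRun": {"tag": "P205_RUN", "to": "shift2"}}
}""")
APPROVED_DOMAINS = {"plant.example"}  # assumption: the corporate mail domain

def flatten(cfg):
    """Turn the config into a set of comparable (kind, key, value) facts."""
    facts = set()
    for group, addrs in cfg.get("recipients", {}).items():
        for addr in addrs:
            facts.add(("recipient", group, addr.strip().lower()))
    for name, trig in cfg.get("triggers", {}).items():
        # Canonical JSON so that an edited trigger shows up as removed + added.
        facts.add(("trigger", name, json.dumps(trig, sort_keys=True)))
    return facts

def audit(baseline, current, approved_domains):
    """Return one audit record per change, ALERT records first."""
    old, new = flatten(baseline), flatten(current)
    records = []
    for kind, key, value in sorted(new - old):
        severity = "WARN"
        if kind == "recipient" and value.rpartition("@")[2] not in approved_domains:
            severity = "ALERT"  # address outside the approved mail domain
        records.append((severity, "added", kind, key, value))
    for kind, key, value in sorted(old - new):
        records.append(("WARN", "removed", kind, key, value))
    return sorted(records, key=lambda r: r[0] != "ALERT")

if __name__ == "__main__":
    for rec in audit(BASELINE, CURRENT, APPROVED_DOMAINS):
        print(" ".join(rec))
```

Run on a schedule against a baseline kept off the HMI, the records can be forwarded to the same log the cybersecurity manager already reviews.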
1 comment:
Not really sure why you chose this note. This type of technology, including a far easier to impersonate SMS-based messaging infrastructure has been around on most major systems for years. Like most functionality, it is added to meet requirements of some - not all - industries and clients. I doubt this would be used in any critical read-write environment.
However, this was a good analysis of pros and cons of such technology!