Adversaries may infect Siemens PLC project files (e.g., Step 7, WinCC) to achieve Execution, Persistence, and Lateral Movement objectives. Adversaries may modify an existing project file or bring their own project files into the environment.[1]
Deploying an infected project file requires access to a workstation with Siemens PLC programming software installed, from which a program download to the controller can be performed.
| ID | Name | Description |
|---|---|---|
| S0603 | Stuxnet | Stuxnet copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.[1] |
| ID | Asset |
|---|---|
| A0001 | Workstation |
| ID | Mitigation | Description |
|---|---|---|
| M0947 | Audit | Review the integrity of project files to verify they have not been modified by adversary behavior. Verify a cryptographic hash for the file against a known trusted version, or look for other indicators of modification (e.g., timestamps). |
| M0945 | Code Signing | Allow for code signing of any project files stored at rest to prevent unauthorized tampering. Ensure the signing keys are not easily accessible on the same system. |
| M0941 | Encrypt Sensitive Information | When at rest, project files should be encrypted to prevent unauthorized changes.[2] |
| M0922 | Restrict File and Directory Permissions | Ensure permissions restrict project file access to only engineer and technician user groups and accounts. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0906 | Detection of Siemens Project File Format Infection | AN2049 | Monitor for unexpected changes to project files. If the malicious modification occurs in tandem with legitimate changes, it will be difficult to isolate the unintended changes by analyzing only file system modifications. |
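The Audit mitigation (M0947) and the DET0906 analytic both come down to the same mechanism: keep a trusted baseline of the project directory and compare hashes, not just timestamps, against it. The following is an added example, not code from MITRE ATT&CK or from Siemens; it builds a SHA-256 manifest of a directory tree, diffs a later snapshot against it, and separately flags files whose content changed while their modification time did not (a timestamp-only check would miss these). The project tree, file names (`Proj.s7p`, `Blocks/block.dat`, `notes.txt`, `unexpected.bin`) and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large project archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record hash, size and mtime of every file below root, keyed by relative POSIX path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare a snapshot with the trusted baseline.

    'modified' lists every hash mismatch; 'suspicious' is the subset whose mtime
    is unchanged, i.e. content changed but the timestamp does not show it.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, suspicious = [], []
    for name in sorted(set(baseline) & set(current)):
        b, c = baseline[name], current[name]
        if b["sha256"] != c["sha256"]:
            modified.append(name)
            if b["mtime"] == c["mtime"]:
                suspicious.append(name)
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Constructed scenario: baseline a fake project tree, then apply three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Proj.s7p").write_bytes(b"constructed project header")
        (root / "Blocks").mkdir()
        (root / "Blocks" / "block.dat").write_bytes(b"OB1 original")
        (root / "notes.txt").write_bytes(b"engineer notes")
        baseline = build_manifest(root)  # this is what would be stored as the trusted reference

        # 1) content change with the original mtime put back afterwards
        target = root / "Blocks" / "block.dat"
        st = target.stat()
        target.write_bytes(b"OB1 altered")
        os.utime(target, (st.st_atime, st.st_mtime))
        # 2) a file that was never part of the project
        (root / "unexpected.bin").write_bytes(b"constructed new file")
        # 3) a file removed from the project
        (root / "notes.txt").unlink()

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key:10s} {names}")
```

In practice the baseline manifest is taken from a known-good copy (e.g., the version held in the engineering repository) and stored away from the workstation being checked; an attacker with write access to the project directory can equally rewrite a manifest kept beside it. The `suspicious` list is the output worth alerting on first, since a legitimate engineering change normally moves the timestamp forward.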