Mitigation tool for post-Stuxnet malware: The Langner Controller Integrity Checker

We are proud to announce the first hardcore mitigation tool for post-Stuxnet malware: The Langner Controller Integrity Checker, or CIC. CIC is a software solution that checks the integrity of network-attached S7 controllers. Changes in code, data, and configuration will be detected and reported automatically. CIC is a small-footprint command line tool that can be called from existing monitoring applications, such as Nagios, from user-created scripts, or from the Windows task scheduler. This allows for user-configurable intervals of integrity checks, leaving it up to the user how closely individual controllers need to be monitored. Since CIC does not download the controller’s complete code and data blocks, controller and network load is minimal, allowing for check intervals down to one minute without negative effects on CPU cycle time or network interface load.

CIC reports whether controller configuration and code have changed since the last execution. Users who have no existing monitoring solution into which CIC can be integrated may simply use the Windows event log instead.
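The Python example below is an added illustration, not Langner's code and not a description of how CIC works internally: it shows the baseline-comparison pattern a change-detection check follows when wrapped as a Nagios plugin, including the case where the controller cannot be read. The snapshot format, item names and values are constructed assumptions; only the exit codes follow the standard Nagios plugin convention.

```python
import hashlib
import json

# Standard Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

def fingerprint(snapshot):
    """Digest each item's metadata so the stored baseline holds hashes only."""
    return {name: hashlib.sha256(json.dumps(meta, sort_keys=True).encode()).hexdigest()
            for name, meta in snapshot.items()}

def compare(baseline, current):
    """Return (exit_code, status_line) for a monitoring system."""
    if current is None:
        # An unreadable controller must never be reported as unchanged.
        return UNKNOWN, "UNKNOWN - controller not reachable, integrity not verified"
    if baseline is None:
        return WARNING, "WARNING - no approved baseline recorded yet"
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current)
                     if baseline[k] != current[k])
    if not (added or removed or changed):
        return OK, f"OK - {len(current)} items match baseline"
    groups = (("changed", changed), ("added", added), ("removed", removed))
    parts = [f"{label}: {', '.join(items)}" for label, items in groups if items]
    return CRITICAL, "CRITICAL - " + "; ".join(parts)

# Constructed sample: metadata for code blocks, a data block and the
# hardware configuration, as recorded when the state was approved.
APPROVED = {
    "OB1": {"length": 412, "checksum": "0x3a1f"},
    "FC10": {"length": 96, "checksum": "0x09b2"},
    "DB8": {"length": 64, "checksum": "0x51c0"},
    "HWCONFIG": {"checksum": "0x7e44"},
}

# Constructed later reading: one block modified, one added, one removed.
OBSERVED = {name: dict(meta) for name, meta in APPROVED.items()}
OBSERVED["OB1"]["checksum"] = "0x77c2"
OBSERVED["FC99"] = {"length": 230, "checksum": "0x1d08"}
del OBSERVED["DB8"]

if __name__ == "__main__":
    code, line = compare(fingerprint(APPROVED), fingerprint(OBSERVED))
    print(line)
    raise SystemExit(code)
```
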

While it has often been said that a strong defense-in-depth approach could prevent Stuxnet-inspired attacks, this is actually not true. One of the biggest security threats in today’s control networks is created by direct controller access from portable field engineering stations, and from remote maintenance access, both originating from legitimate and authorized systems and users and circumventing all layered defense mechanisms. So while a defense-in-depth approach helps against conventional malware and hacker threats, it actually is insufficient to address the threat of compromised engineering workstations, which are often ill-protected against malware.

While the ultimate protection against Stuxnet-like controller infections will be digitally signed code, this will require a new generation of controllers. The next best thing is detecting and reporting code and configuration changes. So while the Langner CIC does not prevent unauthorized changes, it does detect them, allowing the asset owner to respond before disaster strikes. An additional benefit is that non-malicious changes, such as accidental or non-reported changes by contractors, are also detected. In the past, such non-malicious changes have already caused many costly problems, including downtime and quality loss.

The Langner CIC uses its own built-in driver software to access the controller, making sure that a compromised driver DLL from the vendor will not result in false negatives. Multiple controllers may be monitored from one system. License fees start at 29 Euro (around $40) per controller, depending on volume. For more information please contact sales(at)langner.com. Export restrictions apply.