Pierluigi Paganini December 03, 2014

Security researcher Billy Rios has created WhiteScope, a database containing hundreds of thousands of “known-good” files of SCADA and ICS software.

The cyber security expert Billy Rios has created WhiteScope, a database containing hundreds of thousands of “known-good” files from makers of SCADA and ICS software with the intent to support users to identify legitimate ICS/SCADA files.

“WhiteScope has over 300,000 files,” said Rios. “This includes all the files for GE Cimplicity and Siemens WinCC versions which were recently targeted by BlackEnergy. WhiteScope will have half a million files loaded before the end of the year, including device firmware files. My goal is to have a million files before the first quarter of 2015 ends.”

The WhiteScope archive includes files, file hashes and processes for ICS and SCADA application from major vendors, including Advantech, Rockwell Automation and Siemens.

“WhiteScope is a free service that compares file contents and file hashes with “known good” files from ICS/SCADA installation media. WhiteScope maintains a database of file hashes, registry changes, processes, and loaded modules for ICS/SCADA software. These artifacts were gathered from installation media and running systems. The whitelists can be used for initial triage during incident response engagements, security assessments, intrusion detection/prevention products.”

As explained by Rios, many ICS and SCADA software vendors don’t adopt digital signature for their products making hard to determine whether a file is legitimate.

“I have no idea why ICS/SCADA vendors don’t sign their software,” said Rios. “All the software on the iPhone and iPad is signed. All the files and even the games for the Nintendo Wii are signed! Instead of waiting for vendors to sign their code, I created WhiteScope.”

Be aware, the presence of a file in the WhiteScope database allow a user to trust it, but its absence does not necessarily mean that is malicious. Users should check the ‘Supported Products’ page to verify the presence of files related to a specific SCADA/ICS product,

“If the product is not in the list, please consider working with us to get a good set of hashes for that product,” is reported in the FAQ session “If the product is in the product list and the file doesn’t match anything we have, I would start an investigation on that file, have fun.”

Security of SCADA and ICS systems is an essential component for any cyber strategy, the number of uncovered attacks is in constant increase and according the experts there could be on going several hacking campaigns managed by APT that are able to remain under the radars for a long time. The WhiteScope archive another tool that experts could use to detect anomalous activities within their infrastructure.

“Hackers are targeting ICS and SCADA,” adds Rios. “Folks doing incident response in the SCADA industry are at a severe disadvantage. The basic metadata (known good hashes, known good registry writes, process information…etc) are all missing. The ICS/SCADA vendors should be providing this data, but in many cases they don’t even know themselves. Hopefully WhiteScope helps those in the ICS/SCADA industry develop better security tools for their ICS/SCADA environments.”

Pierluigi Paganini

(Security Affairs –  SCADA/ICS, WhiteScope)