Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Security Researcher Creates Database of Whitelisted ICS/SCADA Files

Security researcher Billy Rios has created a database of hundreds of thousands of “known-good” files from makers of supervisory control and data acquisition (SCADA) and industrial control system (ICS) software.

Security researcher Billy Rios has created a database of hundreds of thousands of “known-good” files from makers of supervisory control and data acquisition (SCADA) and industrial control system (ICS) software.

The purpose of the database, which he has dubbed WhiteScope, is to help users identify legitimate ICS/SCADA files. The database includes files and file hashes for ICS and SCADA software from vendors such as Advantech, Siemens and Rockwell Automation.

“These artifacts were gathered from installation media and running systems,” according to a note on the ‘About’ section of the WhiteScope site. “The whitelists can be used for initial triage during incident response engagements, security assessments, intrusion detection/prevention products.”

Many ICS and SCADA software vendors don’t sign their products – a reality that can make determining whether a file is legitimate or not rather tedious.

“I have no idea why ICS/SCADA vendors don’t sign their software,” Rios told SecurityWeek in an email. “All the software on the iPhone and iPad is signed. All the files and even the games for the Nintendo Wii are signed! Instead of waiting for vendors to sign their code, I created WhiteScope.”

If a hash/file is not in the database, it does not necessarily mean it is malicious – only that WhiteScope has not seen it previously. In that case, if the file is not signed, users should check WhiteScope’s ‘Supported Products’ page to make sure the product they are looking at is on the product list.

If the product is not in the list, please consider working with us to get a good set of hashes for that product,” according to a FAQ on the site. “If the product is in the product list and the file doesn’t match anything we have, I would start an investigation on that file, have fun.”

“WhiteScope has over 300,000 files,” Rios noted. “This includes all the files for GE Cimplicity and Siemens WinCC versions which were recently targeted by BlackEnergy. WhiteScope will have half a million files loaded before the end of the year, including device firmware files. My goal is to have a million files before the first quarter of 2015 ends.”

“Hackers are targeting ICS and SCADA,” he continued. “Folks doing incident response in the SCADA industry are at a severe disadvantage. The basic metadata (known good hashes, known good registry writes, process information…etc) are all missing. The ICS/SCADA vendors should be providing this data, but in many cases they don’t even know themselves. Hopefully WhiteScope helps those in the ICS/SCADA industry develop better security tools for their ICS/SCADA environments.”

Written By

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

ICS/OT

Vulnerabilities in GE’s Proficy Historian product could be exploited for espionage and to cause damage and disruption in industrial environments.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.