Security Researcher Creates Database of Whitelisted ICS/SCADA Files

Security researcher Billy Rios has created a database of hundreds of thousands of “known-good” files from makers of supervisory control and data acquisition (SCADA) and industrial control system (ICS) software.

The purpose of the database, which he has dubbed WhiteScope, is to help users identify legitimate ICS/SCADA files. The database includes files and file hashes for ICS and SCADA software from vendors such as Advantech, Siemens and Rockwell Automation.

“These artifacts were gathered from installation media and running systems,” according to a note on the ‘About’ section of the WhiteScope site. “The whitelists can be used for initial triage during incident response engagements, security assessments, intrusion detection/prevention products.”

Many ICS and SCADA software vendors don’t sign their products – a reality that can make determining whether a file is legitimate or not rather tedious.

“I have no idea why ICS/SCADA vendors don’t sign their software,” Rios told SecurityWeek in an email. “All the software on the iPhone and iPad is signed. All the files and even the games for the Nintendo Wii are signed! Instead of waiting for vendors to sign their code, I created WhiteScope.”

If a hash/file is not in the database, it does not necessarily mean it is malicious – only that WhiteScope has not seen it previously. In that case, if the file is not signed, users should check WhiteScope’s ‘Supported Products’ page to make sure the product they are looking at is on the product list.

“If the product is not in the list, please consider working with us to get a good set of hashes for that product,” according to a FAQ on the site. “If the product is in the product list and the file doesn’t match anything we have, I would start an investigation on that file, have fun.”

“WhiteScope has over 300,000 files,” Rios noted. “This includes all the files for GE Cimplicity and Siemens WinCC versions which were recently targeted by BlackEnergy. WhiteScope will have half a million files loaded before the end of the year, including device firmware files. My goal is to have a million files before the first quarter of 2015 ends.”

“Hackers are targeting ICS and SCADA,” he continued. “Folks doing incident response in the SCADA industry are at a severe disadvantage. The basic metadata (known good hashes, known good registry writes, process information…etc) are all missing. The ICS/SCADA vendors should be providing this data, but in many cases they don’t even know themselves. Hopefully WhiteScope helps those in the ICS/SCADA industry develop better security tools for their ICS/SCADA environments.”