Researcher Releases Database of Known-Good ICS and SCADA Files

A prominent security researcher has put together a new database of hundreds of thousands of known-good files from ICS and SCADA software vendors in an effort to help users and other researchers identify legitimate files and home in on potentially malicious ones.

The database, known as WhiteScope, comprises nearly 350,000 files, including executables and DLLs, from dozens of vendors. Among the vendors represented in the database are Advantech, GE, Rockwell, Schneider and Siemens. The project is the work of Billy Rios, a former Google security researcher who has worked extensively on ICS and SCADA security issues. WhiteScope is a kind of reverse VirusTotal for ICS and SCADA files, allowing people to determine which files are known to be good, rather than which are detected as malicious.

“While participating in a few incident response engagements, I realized it’s fairly difficult to know what is a ‘legitimate’ ICS/SCADA file and what is not. Given the overwhelming majority of ICS/SCADA vendors refuse to sign their software, we’re stuck with determining whether files like ‘FTShell.dll’ or ‘WFCU.exe’ (both legitimate files btw) are really supposed to be there. With this problem in mind, I started a database of all the files I’ve seen on ICS/SCADA systems, so that others can compare notes,” Rios wrote in the FAQ for the site.

Users can submit hashes of a given file or upload the file itself to the site. Vendors who sell ICS and SCADA products find themselves in much the same position now as traditional vendors were 10 or 15 years ago. Security researchers are regularly turning up serious buffer overflows and other vulnerabilities in these industrial control and SCADA systems, some of which are used to control utility facilities, nuclear plants and other critical operations. Rios was one of the first few researchers to focus on this sector several years ago and has discovered vulnerabilities in products from many of the vendors in the WhiteScope database.

He said via email that the current iteration of the database is just the first version and that it represents about half of the software he has.

“I have 300,000 files in WhiteScope right now, and I plan to have half a million files in WhiteScope by the end of the year. I’ll have over a million the first quarter of 2015,” Rios said.

“Getting access to the software is the most difficult part, to get the artifacts that allowed WhiteScope to be created, it took over 5 years.  If someone was more focused, they could probably do it in less time.”

Rios added that while some of the files in his collection are old enough to have come from 3.5 inch floppies, he’s always looking for more and would be happy to cooperate with vendors on the WhiteScope project.

“I didn’t work with vendors on this… in fact, it’s vendor inaction that inspired the creation of this database. With that said, I’d love to work with vendors to make the database more complete,” he said.

Image from Flickr photos of Curtis Perry.

Suggested articles