Siemens' 'damage control' response to SCADA bug frustrates researcher

The flaws are not difficult for a typical hacker to exploit

Siemens said it intends to fix a vulnerability discovered in its industrial control system products, but the NSS Labs researcher who found the bug says the company seems to be downplaying the seriousness of the problem to save face.

"The vulnerabilities are far reaching and affect every industrialized nation across the globe. This is a very serious issue," writes Dillon Beresford in his posting Monday on the online forum SCADASEC, where there's been discussion of last week's disclosure by Siemens that it intends to fix a vulnerability identified on May 9th by NSS Labs, and confirmed by the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS CERT).

BACKGROUND: Siemens says it will fix SCADA bugs

NSS Labs, which has shared its findings directly with Siemens, voluntarily canceled what was to have been a public talk at a conference on the issue last week after Siemens was unable to complete the fixes for its programmable logic controller (PLC) in time.

Beresford expressed frustration that Siemens appeared to imply the flaws in its SCADA systems gear might be difficult for a typical hacker to exploit because the vulnerabilities unearthed by NSS Labs "were discovered while working under special laboratory conditions with unlimited access to protocols and controllers."

There were no "'special laboratory conditions' with 'unlimited access to the protocols,'" Beresford wrote Monday, describing how he found flaws in Siemens PLC gear that would allow an attacker to compromise the controllers. "My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory." Beresford said he bought the Siemens controllers with funding from his company and found the vulnerabilities himself, something he says hackers with bad intentions could do as well.

"The flaws are not difficult for a typical hacker to exploit because I put the code into a series of Metasploit auxiliary modules, the same one supplied to ICS-CERT and Siemens," Beresford wrote in his online remarks. NSS Labs had planned to demonstrate how this works last week, but Siemens had not finished a defense against the attack based on the vulnerability in time.

"Furthermore, the proposed 'security feature' that Siemens recommended was bypassed within 45 minutes of speaking with Siemens security engineers over the phone," Beresford continued. "ICS-CERT and SCADASEC were immediately notified after I confirmed. I knew the feature was flawed from the moment they proposed the solution and explained it to me, because I broke much more than the PLCs."

Beresford faulted what he said appeared to be "damage control and impact minimization" by Siemens around the issue. "The clock is ticking and time is of the essence. I expect more from a company worth $80 billion and so do your customers ... In short, it's very discouraging to a researcher when a vendor tries to minimize the impact of a critical issue for the purpose of saving face in the public. It sends the wrong message to people who are trying to do the right thing."

Several participants on the SCADASEC list thanked Beresford for his work.

One went on to say, "I expect better from Siemens," noting, "Their controllers are used in many, many places that you'd never expect, ranging from elevator controls to high energy chemical processes. This is not about Siemens. This is about the places where Siemens equipment is used. It's sort of like a foundry making a defective batch of bolts that causes airliners to fall out of the sky. The foundry and its profits will pale in comparison to what is destroyed if they don't do their job right."

Industrial control systems have come under increased scrutiny in the year since the Stuxnet worm was discovered. Stuxnet, thought to have been built to disrupt Iran's nuclear program, was the first piece of malware built with industrial systems in mind, and it targeted a Siemens system.

IDG News Service contributed to this report.


Ellen Messmer

Network World
