Siemens said it intends to fix a vulnerability discovered in its industrial control system products, but the NSS Labs researcher who found the bug says the company seems to be downplaying the seriousness of the problem to save face.
"The vulnerabilities are far reaching and affect every industrialised nation across the globe. This is a very serious issue," writes Dillon Beresford in his posting on the online forum SCADASEC, where there's been discussion of last week's disclosure by Siemens that it intends to fix a vulnerability identified by NSS Labs and confirmed by the US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS CERT).
NSS Labs, which has shared its findings directly with Siemens, voluntarily cancelled what was to have been a public talk at a conference on the issue last week, after Siemens was unable to complete the fixes for its programmable logic controller (PLC) in time.
Beresford expressed frustration that Siemens appeared to imply the flaws in its SCADA systems gear might be difficult for a typical hacker to exploit because the vulnerabilities unearthed by NSS Labs "were discovered while working under special laboratory conditions with unlimited access to protocols and controllers."
There were no "'special laboratory conditions' with 'unlimited access to the protocols'," Beresford wrote of how he found flaws in Siemens PLC gear that would allow an attacker to compromise the controllers. "My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory." Beresford said he bought the Siemens controllers with funding from his company and found the vulnerabilities on his own, something he says hackers with bad intentions could do as well.
"The flaws are not difficult for a typical hacker to exploit, because I put the code into a series of Metasploit auxiliary modules, the same one supplied to ICS-CERT and Siemens," Beresford wrote in his online remarks. NSS Labs had planned to demonstrate how this works last week, but Siemens did not succeed in completing a defence against the attack based on the vulnerability in time.
"Furthermore, the proposed 'security feature' that Siemens recommended was bypassed within 45 minutes of speaking with Siemens security engineers over the phone," Beresford continued. "ICS-CERT and SCADASEC were immediately notified after I confirmed. I knew the feature was flawed from the moment they proposed the solution and explained it to me, because I broke much more than the PLCs."
Beresford faulted what he said would seem to be "damage control and impact minimisation" by Siemens around the issue. "The clock is ticking and time is of the essence. I expect more from a company worth $80 billion and so do your customers... In short, it's very discouraging to a researcher when a vendor tries to minimise the impact of a critical issue for the purpose of saving face in the public. It sends the wrong message to people who are trying to do the right thing."
Several participants on the SCADASEC list thanked Beresford for his work.
One went on to say, "I expect better from Siemens," noting, "Their controllers are used in many, many places that you'd never expect, ranging from elevator controls to high energy chemical processes. This is not about Siemens. This is about the places where Siemens equipment is used. It's sort of like a foundry making a defective batch of bolts that causes airliners to fall out of the sky. The foundry and its profits will pale in comparison to what is destroyed if they don't do their job right."
Industrial control systems have come under increased scrutiny in the year since the Stuxnet worm was discovered. Stuxnet, thought to have been built to disrupt Iran's nuclear programme, was the first piece of malware built with industrial systems in mind, and it targeted a Siemens system.