
Siemens' 'damage control' response to SCADA bug frustrates researcher

NSS Labs' researcher calls Siemens PLC vulnerability 'very serious issue'

By , Network World
May 23, 2011 12:24 PM ET

Network World - Siemens said it intends to fix a vulnerability discovered in its industrial control system products, but the NSS Labs researcher who found the bug says the company seems to be downplaying the seriousness of the problem to save face.

"The vulnerabilities are far reaching and affect every industrialized nation across the globe. This is a very serious issue," writes Dillon Beresford in his posting Monday on the online forum SCADASEC. The forum has been discussing last week's disclosure by Siemens that it intends to fix a vulnerability identified on May 9 by NSS Labs and confirmed by the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

BACKGROUND: Siemens says it will fix SCADA bugs

NSS Labs, which shared its findings directly with Siemens, voluntarily canceled a public conference talk on the issue last week after Siemens was unable to complete fixes for its programmable logic controller (PLC) in time.

Beresford expressed frustration that Siemens appeared to imply the flaws in its SCADA systems gear might be difficult for a typical hacker to exploit because the vulnerabilities unearthed by NSS Labs "were discovered while working under special laboratory conditions with unlimited access to protocols and controllers."

There were no "'special laboratory conditions' with 'unlimited access to the protocols,'" Beresford wrote Monday about how he managed to find flaws in Siemens PLC gear that would allow an attacker to compromise them. "My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory." Beresford said he purchased the Siemens controllers with funding from his company and found the vulnerabilities, which he says hackers with bad intentions could do as well.

"The flaws are not difficult for a typical hacker to exploit because I put the code into a series of Metasploit auxiliary modules, the same one supplied to ICS-CERT and Siemens," Beresford wrote in his online remarks. NSS Labs had planned to demonstrate the attack last week, but Siemens had not finished a fix for the underlying vulnerability by then.

"Furthermore, the proposed 'security feature' that Siemens recommended was bypassed within 45 minutes of speaking with Siemens security engineers over the phone," Beresford continued. "ICS-CERT and SCADASEC were immediately notified after I confirmed. I knew the feature was flawed from the moment they proposed the solution and explained it to me, because I broke much more than the PLCs."

Beresford faulted what he said would seem to be "damage control and impact minimization" by Siemens around the issue. "The clock is ticking and time is of the essence. I expect more from a company worth $80 billion and so do your customers ... In short, it's very discouraging to a researcher when a vendor tries to minimize the impact of a critical issue for the purpose of saving face in the public. It sends the wrong message to people who are trying to do the right thing."
