Siemens' 'damage control' response to SCADA bug frustrates researcher

The flaws are not difficult for a typical hacker to exploit

Siemens said it intends to fix a vulnerability discovered in its industrial control system products, but the NSS Labs researcher who found the bug says the company seems to be downplaying the seriousness of the problem to save face.

"The vulnerabilities are far reaching and affect every industrialized nation across the globe. This is a very serious issue," writes Dillon Beresford in his posting Monday on the online forum SCADASEC, where there's been discussion of last week's disclosure by Siemens that it intends to fix a vulnerability identified on May 9th by NSS Labs, and confirmed by the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS CERT).

BACKGROUND: Siemens says it will fix SCADA bugs

NSS Labs, which has shared its findings directly with Siemens, voluntarily canceled what was to have been a public talk at a conference on the issue last week after Siemens was unable to complete the fixes for its programmable logic controller (PLC) in time.

Beresford expressed frustration that Siemens appeared to imply the flaws in its SCADA systems gear might be difficult for a typical hacker to exploit because the vulnerabilities unearthed by NSS Labs "were discovered while working under special laboratory conditions with unlimited access to protocols and controllers."

There were no "'special laboratory conditions' with 'unlimited access to the protocols,'" Beresford wrote Monday about how he managed to find flaws in Siemens PLC gear that would allow an attacker to compromise them. "My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory." Beresford said he purchased the Siemens controllers with funding from his company and found the vulnerabilities himself, something he says hackers with bad intentions could do as well.

"The flaws are not difficult for a typical hacker to exploit because I put the code into a series of Metasploit auxiliary modules, the same one supplied to ICS-CERT and Siemens," Beresford wrote in his online remarks. NSS Labs had planned to demonstrate how this works last week, but Siemens had not completed a defense against the attack based on the vulnerability in time.

"Furthermore, the proposed 'security feature' that Siemens recommended was bypassed within 45 minutes of speaking with Siemens security engineers over the phone," Beresford continued. "ICS-CERT and SCADASEC were immediately notified after I confirmed. I knew the feature was flawed from the moment they proposed the solution and explained it to me, because I broke much more than the PLCs."

Beresford faulted what he said would seem to be "damage control and impact minimization" by Siemens around the issue. "The clock is ticking and time is of the essence. I expect more from a company worth $80 billion and so do your customers ... In short, it's very discouraging to a researcher when a vendor tries to minimize the impact of a critical issue for the purpose of saving face in the public. It sends the wrong message to people who are trying to do the right thing."

Several participants on the SCADASEC list thanked Beresford for his work.

One went on to say, "I expect better from Siemens," noting, "Their controllers are used in many, many places that you'd never expect, ranging from elevator controls to high energy chemical processes. This is not about Siemens. This is about the places where Siemens equipment is used. It's sort of like a foundry making a defective batch of bolts that causes airliners to fall out of the sky. The foundry and its profits will pale in comparison to what is destroyed if they don't do their job right."

Industrial control systems have come under increased scrutiny in the year since the Stuxnet worm was discovered. Stuxnet, thought to have been built to disrupt Iran's nuclear program, was the first piece of malware built with industrial systems in mind, and it targeted a Siemens system.

IDG News Service contributed to this report.

Stories by Ellen Messmer