Researcher blasts Siemens for downplaying SCADA threat

Bugs "more serious than Stuxnet," says NSS Labs, whose researchers pulled a talk on exploits

The security researcher who last week voluntarily canceled a talk on critical vulnerabilities in Siemens' industrial control systems took the German giant to task Monday for downplaying the problem.

Dillon Beresford, a researcher with NSS Labs, took exception to Siemens' claim that the vulnerabilities he and colleague Brian Meixell uncovered had been discovered "while working under special laboratory conditions with unlimited access to protocols and controllers."

"There were no 'special laboratory conditions' with 'unlimited access to the protocols.' My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory," said Beresford in a message posted on a public security mailing list. "[And] I purchased the controllers with money my company so graciously provided me with."

While Siemens promised last week that it would patch the bugs, it downplayed the threat to its industrial control systems, and to the thousands of companies that rely on Siemens' PLC (programmable logic controller) systems, argued Beresford.

"It's very discouraging...when a vendor tries to minimize the impact of a critical issue for the purpose of saving face in the public," Beresford said in a follow-up message on the SCADASEC mailing list. "It sends out the wrong message to people who are trying to do the right thing."

Industrial control systems like Siemens' monitor and manage everything from oil drilling rig equipment and power plant operations to skyscraper elevators and high-speed trains in Japan.

Dubbed SCADA for "supervisory control and data acquisition," the systems and their security have been under intense scrutiny since the Stuxnet worm was discovered almost a year ago. Stuxnet, a worm that some experts have called "groundbreaking," is believed to have been built to sabotage Iran's nuclear program, particularly the gas centrifuges the country uses to enrich uranium.

Stuxnet was the first in-the-wild worm that attacked SCADA systems.

Rick Moy, the CEO of NSS Labs, and Beresford's boss, backed up his researcher in an interview Monday.

"Siemens chose to use language that's vague and misleading," said Moy of Siemens' statement last week, in which it implied that the flaws would be very difficult to exploit. "They tried to downplay the impact to their customers. That's what was concerning to us."

Beresford and Meixell pulled their presentation of their own accord after consulting with Siemens and the U.S. Department of Homeland Security (DHS), who expressed concerns about potential use of the information by hackers.

But Moy said Siemens' customers deserve to know more.

"The right thing [for Siemens] to do for customers is to let them know they need to reevaluate how their networks are architected," Moy said. "These issues completely obviate the need for the software, and allow an attacker to directly access the PLCs."

Stuxnet exploited vulnerabilities in Windows to infect computers that ran Siemens SCADA software, giving the attackers access to the software that in turn controlled PLC devices.

"This is a completely different class of vulnerabilities than Stuxnet exploited," said Moy. "It's more serious than Stuxnet."

NSS Labs will not publicly release technical details about the PLC vulnerabilities, nor proof-of-concept exploit code, Moy continued. But the company will do an end-around Siemens and discuss the flaws with SCADA operators that it's confirmed are legitimate.

In the next week or two, NSS Labs will demonstrate the impact of the vulnerabilities to SCADA operators on an invitation-only basis. Moy asked concerned users of Siemens PLC devices to contact the company for more details on the demonstrations NSS Labs plans to host at its Carlsbad, Calif. office.

At the same time, NSS Labs will also outline possible mitigation steps users can take to protect their SCADA systems from attack.

Moy felt that was the right path to take. "The companies who own these devices are up in arms over Siemens' slow response," Moy said.

In the meantime, he had little advice for companies using Siemens PLC devices. "Unplug your stuff," said Moy.

"Actually, it's not as simple as that," he continued. "But waiting for a fix from Siemens is not the best that you can do."

He declined to be more specific about what steps SCADA operators can take.

Moy also expressed frustration that the news last year of Stuxnet's success -- Iranian officials have acknowledged the worm affected the country's primary uranium enrichment facility -- hasn't prompted SCADA suppliers like Siemens to push harder on the security front.

But he had hopes the latest discoveries would prompt Siemens to act and push SCADA operators to pay more attention to security.

"The bright side to this is that these aren't the only vulnerabilities. There are definitely even bigger issues for industrial control operators," said Moy. "The visibility of these vulnerabilities will hopefully give the industry more momentum toward better security, and force it to address the problems."

Siemens did not reply to a request for comment on Beresford's and Moy's claims that the company was minimizing the threat to SCADA systems and the industrial systems they manage.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.
