Siemens flaw would require sophistication to exploit

A security flaw found in Siemens networking equipment used in power plants and other critical systems could only be fully exploited in a highly sophisticated attack, experts say.

While the vulnerability remains serious, being able to gain control of critical systems would also require compromising a computer that workers use to access the industrial systems. The two-step process adds to the complexity of a successful attack.

The U.S. Department of Homeland Security (DHS) issued a warning Tuesday that a vulnerability existed in the RuggedCom Operating System (ROS), often found in Ethernet switches and serial-to-Ethernet converters. RuggedCom is a Canadian subsidiary of Siemens.

Justin W. Clarke, a researcher for security startup Cylance, found the flaw, which exposes the hard-coded RSA SSL private keys in the OS. With those keys, hackers could decrypt traffic flowing between the ROS device and other equipment communicating over Internet protocols.

The DHS has asked RuggedCom to "confirm the vulnerability and identify mitigations." Siemens and RuggedCom were investigating the discovery, but had no comment on a fix, as of Thursday. "We are investigating this issue and we will provide information updates as soon as they become available," a spokeswoman said.

The vulnerability alone would let an attacker eavesdrop on network traffic without a way to actually break into an industrial control system. "It's hard to do something like intercept all traffic," Marcus Carey, a security researcher at Rapid7, said. "That's easier said than done." Carey, a former serviceman, protected military networks as a member of the U.S. Navy Cryptologic Security Group.

Clarke also said that exploiting the vulnerability alone wouldn't be enough. "This vulnerability does not directly allow for an authentication bypass," he told CSO Online by email.


The benefit of being able to monitor network traffic would be fully reaped if an attacker were able to compromise the computer of someone on the network. At that point, a cybercriminal could mount what's called a "man-in-the-middle" attack, which means he could dictate everything the person using the compromised system sees.

As a result, the attacker could reconfigure control systems while the operator on the other end saw everything as normal.
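The two exposures described above, passive decryption with the hard-coded private key and the active man-in-the-middle that builds on it, come down to how the session key is agreed. The following Python model is an added illustration, not code from the article, from RuggedCom or from Siemens. It uses constructed toy parameters (a 3233-bit-modulus-sized textbook RSA key of p=61, q=53 and a Diffie-Hellman group of p=23, g=5, both far too small for real use) to show that a session key encrypted to a long-term RSA key can be recovered from a capture by anyone holding that key, whereas an ephemeral Diffie-Hellman exchange signed by the same key leaves nothing in the capture for the key to unlock. It also includes a small cipher-suite audit, a defender's check over IANA suite names that is this example's own, not a RuggedCom feature.

```python
"""Toy model of why a hard-coded, and therefore shareable, RSA private key in a
device exposes recorded traffic, and what forward-secret key agreement changes.

Constructed example; parameters are textbook-sized and not safe for real use.
"""
import hashlib
import secrets

# --- constructed toy RSA key pair (p=61, q=53) -------------------------------
RSA_N = 3233
RSA_E = 17
RSA_D = 2753          # e*d == 1 mod (p-1)(q-1) == 3120

# --- constructed toy Diffie-Hellman group -----------------------------------
DH_P = 23
DH_G = 5


def rsa_encrypt(m):
    return pow(m, RSA_E, RSA_N)


def rsa_decrypt(c):
    return pow(c, RSA_D, RSA_N)


def capture_rsa_key_transport(session_key):
    """RSA key transport: the client encrypts the session key to the device's
    long-term public key. Returns what a passive observer records."""
    return {"encrypted_session_key": rsa_encrypt(session_key)}


def recover_from_capture_with_leaked_key(capture):
    """Holder of the hard-coded private key recovers the session key from the
    recording alone, today or years after the capture was made."""
    return rsa_decrypt(capture["encrypted_session_key"])


def transcript_hash(A, B):
    # Hash of the exchanged DH values, reduced so textbook RSA can sign it.
    digest = hashlib.sha256(f"{A}|{B}".encode()).digest()
    return int.from_bytes(digest, "big") % RSA_N


def derive_key(shared_secret):
    return hashlib.sha256(shared_secret.to_bytes(4, "big")).hexdigest()


def run_ephemeral_dh():
    """DHE-style exchange: the long-term RSA key only signs the transcript;
    the session key derives from one-time secrets a and b that never leave
    the endpoints. Returns (capture, client_key, device_key)."""
    a = secrets.randbelow(DH_P - 2) + 1        # client's one-time secret
    b = secrets.randbelow(DH_P - 2) + 1        # device's one-time secret
    A = pow(DH_G, a, DH_P)
    B = pow(DH_G, b, DH_P)
    sig = pow(transcript_hash(A, B), RSA_D, RSA_N)   # device authenticates
    capture = {"A": A, "B": B, "sig": sig}           # all an observer sees
    client_key = derive_key(pow(B, a, DH_P))
    device_key = derive_key(pow(A, b, DH_P))
    return capture, client_key, device_key


def signature_valid(capture):
    """Anyone with the public key can check the device signed the transcript.
    Note the private key is never an input to derive_key(): a leaked key lets
    an active attacker forge future signatures, but it does not decrypt
    recorded exchanges."""
    return pow(capture["sig"], RSA_E, RSA_N) == transcript_hash(capture["A"], capture["B"])


def forward_secret(suite):
    """Classify an IANA TLS cipher-suite name by its key-exchange method."""
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):   # TLS 1.3 suites
        return True
    return "_DHE_" in suite or "_ECDHE_" in suite          # ephemeral DH only


def audit_suites(suites):
    """Return the suites whose recorded traffic a leaked long-term key exposes."""
    return [s for s in suites if not forward_secret(s)]


if __name__ == "__main__":
    cap = capture_rsa_key_transport(1234)
    print("RSA key transport, recovered session key:",
          recover_from_capture_with_leaked_key(cap))
    cap, ck, dk = run_ephemeral_dh()
    print("DHE capture:", cap, "signature valid:", signature_valid(cap),
          "keys agree:", ck == dk)
    print("Non-forward-secret suites:", audit_suites([
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
        "TLS_AES_256_GCM_SHA384",
    ]))
```

The practical takeaway for operators is the audit at the bottom: until a firmware fix replaces the shared key, restricting a device's TLS configuration to ephemeral (DHE or ECDHE) suites limits a disclosed key to the active attack the article describes, and removes the passive one, since the session key is never transported under the long-term key.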

"When everything is burning down, he's not receiving the accurate information," Carey said.

In doing some investigating on his own, Carey found fewer than 20 systems with the RuggedCom signature on the public Internet, an indication that most of the vulnerable equipment is on closed networks. "Those 20 devices could be in interesting locations, but there's a minimal number of devices that are Internet facing," he said.

Without knowing the network architecture of a power plant using a RuggedCom system, it's difficult to say how open the plant is to attack, Clarke said. In general, the best protection for critical systems is many layers of defense.

"As a best-practice, security of control systems and computer networks should be a matter of defense-in-depth, and thus there should be compensating controls or additional layers of security to block or alert, if exploitation of a vulnerability is attempted by an attacker," he said. "[RuggedCom's flaw] is serious in that at least one of the layers of defense-in-depth has been broken."

Clarke has found a flaw in the RuggedCom Operating System before. In April, the researcher disclosed finding a vulnerability that provided backdoor access to devices. The company fixed the problem with firmware updates in May and June.

Experts have warned for years that the nation's critical infrastructure, such as power plants, water supplies and transportation systems, is in need of better security against terrorist attacks. The DHS is working with private industry and lawmakers on regulations that would bolster the nation's cyber-defenses.

Stories by Antone Gonsalves