Siemens’ delay in finding a fix for vulnerabilities in its industrial control system products is drawing the ire of the researchers that found the problems.
The company is testing patches for the issues, but Siemens’ proposed fixes are not completely ready, said Rick Moy, chief executive at NSS Labs which is working with Siemens and the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response (ICS CERT) on addressing the issues.
Siemens is not sure yet when they will have a patch for the vulnerabilities. “Our team continues to work diligently on this issue — also together with both NSS Labs and ICS CERT. We are in the process of testing patches and developing mitigation strategies,” Siemens said in a statement.
Industrial control systems have been under the microscope since the discovery of the Stuxnet worm. Stuxnet was malware built to harm or destroy an industrial system. Reports have the worm built to disrupt Iran’s nuclear program. This time the attackers targeted the worm toward a Siemens system.
Since the discovery, security researchers tested all kinds of industrial control systems and they have found plenty of issues.
Creating and distributing a patch is a very difficult process, but in the industrial control world, installing a patch is even harder as these systems focus on delivering operations 24 hours a day, seven days a week. The thought of unplanned downtime means productivity and profitability reduces for a manufacturer.
Details on the Siemens bugs are sketchy, but Moy described them as serious enough to allow hackers to control a Siemens PLC.
Siemens officials downplayed the issue, saying the flaws might be difficult for the typical hacker to exploit.
“While NSS Labs has demonstrated a high level of professional integrity by providing Siemens access to its data, these vulnerabilities were discovered while working under special laboratory conditions with unlimited access to protocols and controllers,” Siemens said.
Dillon Beresford, one of the researchers at NSS Labs that found the vulnerabilities, disagrees with Siemens.
“The flaws are not difficult for a typical hacker to exploit because I put the code into a series of Metasploit auxiliary modules, the same ones supplied to ICS-CERT and Siemens,” he said on the SCADASEC email list. “Furthermore, the proposed ‘security feature’ that Siemens recommended was bypassed within 45 minutes of speaking with Siemens security engineers over the phone. ICS-CERT and Siemens were immediately notified after I confirmed. I knew the feature was flawed from the moment they proposed the solution and explained it to me, because I broke much more than the PLCs.”
Beresford continued in his email to the list: “Also there were no ‘special laboratory conditions’ with ‘unlimited access to the protocols.’ My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory. I purchased the controllers with money my company so graciously provided me with.”
NSS Labs will not publicly release technical details about the PLC vulnerabilities, nor proof-of-concept exploit code, Moy said. But the company will discuss the flaws with legitimate SCADA operators.
In the next week or two, NSS Labs will demonstrate the impact of the vulnerabilities to SCADA operators on an invitation-only basis. Moy asked concerned users of Siemens PLC devices to contact the company for more details on the demonstrations NSS Labs plans to host at its Carlsbad, Calif. office.
At the same time, NSS Labs will also outline possible mitigation steps users can take to protect their SCADA systems from attack.