Editor’s Note: Eric Byres, chief technology officer at Byres Security, is keeping an eye on vulnerabilities in the Siemens S7 PLC product. The following is an excerpt from the second installment of his blog.
By Eric Byres
The contradictory information circulated regarding the Siemens S7 PLC vulnerabilities discovered by Dillon Beresford at NSS Labs in May continues to hit the industry.
By studying the various Siemens and NSS notices, we were able to scrape out a few facts, but at this point the talk is all conjecture. The real question is what does this mean for the SCADA and ICS industry as a whole?
Let’s start with what the ICS/SCADA industry can learn. This has been a PR disaster for Siemens – they have come out of it looking like they are trivializing a serious situation. In addition, they appear to be playing word games when informing customers what products are affected.
From the ICS/SCADA industry’s point of view, Beresford is the ideal security researcher. He shared his vulnerabilities with ICS-CERT and Siemens prior to going public. He does not release exploit code. He voluntarily pulled his presentation at the TakeDownCon conference in May once he learned of the possible consequences to critical. It is clear Beresford and his partners want to do the right thing to make sure our lights stay on and our water continues to flow.
Siemens (and the ICS and SCADA vendor community as a whole) needs to develop ways to educate, cooperate with and reward responsible security researchers. And these rewards don’t need to be cash — what most responsible researchers want is cooperation, recognition and respect — these shouldn’t be too hard to supply.
Now for the good news. Siemens’ PR missteps are eclipsing a lot of the good work that they are doing. From information I have received, Siemens has been dumping incredible resources into fixing these vulnerabilities properly. They virtually stopped all regular PLC development and released a security advisory and patches for the S7-1200. Considering how much validation and QA work is needed before even the simplest PLC modification is made, this is very fast and indicates a serious commitment to do the right thing.
Despite all the missteps, good things are happening for ICS/SCADA security. Dillon has woken up the industry to the need for a responsible disclosure policy that all the players agree to. He also has shown the world that security researchers want to act ethically and are reasonable to deal with (remember that Dillon pulled the presentation of his own accord). And the Siemens engineering and development teams seem to be taking this seriously and have produced some of the patches in record time.
In the next installment, I will look at what it means for the ICS/SCADA professional trying to protect his or her control system in a critical industrial plant.