Researcher Talk Pulled, When Will Siemens Talk?

SCADA Security Vulnerability

Yesterday Dillon Beresford cancelled his talk and demonstration titled Chain Reaction: Hacking SCADA at the Takedown event after a discussion with DHS and Siemens. Wired has an article with the details, which includes these Beresford quotes: “Based on my own understanding of the seriousness behind this, I decided to refrain from disclosing any information due to safety concerns for the consumers that are affected by the vulnerabilities,” Beresford told Threat Level, adding that “DHS in no way tried to censor the presentation.”

It is a bit disconcerting and hard to believe that Beresford didn’t understand the seriousness of his discoveries at any time prior to the event, and disappointing to those who planned to attend the talk. Did he not understand what control systems do? Taking his comments in good faith, let’s believe the discussions led to an epiphany; we are not going to wade into the disclosure issue.

What the ICS SCADA security community really needs, more than another vuln presentation, is to stop accepting Siemens self-censorship. Beginning with Weisscon last September, Siemens has regularly given talks at SCADA security events and refused to talk about Stuxnet. They talk about their security program or NERC CIP efforts and ignore the elephant in the room. Why didn’t you inform customers about what Stuxnet did and how to determine if you were affected? When are you going to fix the huge, gaping vulnerabilities in the PLCs?

Ralph Langner left a telling comment on a past Digital Bond blog post about how Siemens’ new CEO views Stuxnet:

All this is only topped by the vendor. Their new “CEO industrial automation systems” (Ralf-Michael Franke) told the German press just yesterday at the Hannover Industrial Fair that Stuxnet was a PIECE OF FORTUNE, since it acted as a wakeup call for asset owners. Franke goes on to tell: “All vulnerabilities exploited by Stuxnet have been identified and removed.” Franke could certainly assume that German journalists were technically unable to understand that he wasn’t telling fact. The truth is, the ability to execute arbitrary code by infecting Step7 project folders (see http://www.microsoft.com/technet/security/advisory/2269637.mspx) is still there, along with the default database password, the potential for SQL injection, the potential hijacking of the driver DLL, and all the stuff that was exploited on the controller level that I detailed in my article in Control Magazine. By the way, the same Franke told the press recently that Siemens is presently not developing successor products for the S7 300 and 400 series BECAUSE TECHNICALLY, THEY’RE TOP NOTCH.

Even when the WinCC group of Siemens does something positive they are eerily quiet. Last month McAfee announced that their whitelisting product has been jointly tested with Siemens and is compatible with WinCC. This is significant additional protection for the PC part of the system, yet it appears that only McAfee is promoting it.

Stuxnet was supposedly a wake-up call, but not really. Until PLC vendors are forced to address the question — what are you doing to prevent anyone who can ping a controller from modifying the process in a Stuxnet-like attack? — only the attackers have been awakened.

We are hoping for, and actively looking for, some good news. If any PLC, RTU, PAC or field device vendor has a plan to address this, please let us know.

4 comments to Researcher Talk Pulled, When Will Siemens Talk?

  • J

    What else stood out for me was this quote from the Wired article:

    “They just said it was far-reaching and more serious than anything they’ve ever dealt with,” Beresford said.

    This raises more questions surrounding ICS-CERT’s abilities (or at least ability to accurately communicate). Have they not dealt with Stuxnet? Are the presentation’s findings considered to be more advanced than Stuxnet? Does ICS-CERT lack the capability to comprehend and properly evaluate threats and vulnerabilities?

  • Let’s face it. We all knew that this was going to happen. Someone was going to take a serious look at a major piece of SCADA software and find major holes. I sympathize with ICS-CERT and feel sad for Siemens, but until someone publicises a serious vulnerability that can hurt stuff, the user community will continue to treat their systems as secure.

  • So, let’s see: Siemens had an opportunity to discover that their back-door password to WinCC had been compromised as far back as 2008. Stuxnet was developed in 2009 and discovered in 2010. Here we are THREE YEARS later and have they done anything about this monstrous hole?

    There are two concerns going on here: First, the article didn’t say if ICS-CERT had issued a date when they would consider publication of this data to be tolerable. Second, as an end-user, I would like to know if Siemens has a quiet method to notify end-users in a manner similar to what has been done in the past by others.

    If such policies and/or notifications do not exist, then this whole effort at requesting silence is a waste of time. Mind you, as an end-user I WANT this back-channel method to work. But unless Siemens and ICS-CERT are committing to doing this right, then there is no public good to be served by Beresford’s silence.

  • amino world

    re: Jake’s comments, what he said! …excellent, get-to-the-point post, and well said.
