Long Post Warning: If you want a quick read, skip down to the bullets on our suggested ICS guru message.
After covering the technical details of Beresford’s presentation at Black Hat in Part I, let’s look at the politics of the situation and the response of the ICS vendors, owner/operators and ICS security gurus.
The best way to look at both Stuxnet and the Beresford vulns is that they are the first instances where the insecure-by-design and poor security posture of PLCs became widely known outside of the niche ICS security community. In Stuxnet it was the dramatic impact of the attack on the Iranian nuclear program, and the Beresford vulnerabilities showed that neither ICS expertise nor vast resources were required. Both have whetted the appetite of hackers of every hat color to break PLCs and other ICS components.
The attendees at Dillon’s presentation were taking a lot of photos and paying great attention, even during some of the slower parts waiting for things to happen in the demo. I can’t claim to be in sync with the Black Hat audience, but it appeared to me that the reaction was much more “isn’t that cool, I’d like to try to do some of that” rather than “this is a problem we need to fix”. We will have to wait and see what type of research/hacking and results come from this.
ICS Security Gurus Need To Stop Rationalizing Vulns
Why is it that whenever a PLC vulnerability is brought up, the ICS security experts asked to comment start off explaining how this is a longstanding known problem in all PLCs due to the lack of access control? They are not wrong, but the primary message should be that this vuln results in a huge security risk, and the vendor needs to provide a secure PLC ASAP.
Earlier I blogged on Eric Byres and Joel Langill giving Siemens cover at the Siemens user group meeting. Now I have to call out Jonathan Pollet and Tom Parker from the Black Hat press conference. These are all top-notch ICS security professionals, and competitors, who would do a great job helping any owner/operator secure their SCADA or DCS. However, they are falling into the rationalization trap that I was in for years.
At the post-Beresford press conference, Jonathan and Tom followed Dillon’s explanation of the Siemens vulns with the usual explanation that this is a well-known problem in ICS, protocols lack security, it affects all vendors, it will be around for a long time due to product life cycles, … None of this is wrong, but it should not be the message we are giving the press. I was watching the press, and it definitely took the enthusiasm out of the room that this was an important story. It was old news.
We should be embarrassed, I know I am, that we have made almost zero progress on PLC security over the last ten years — the lost decade. The fact that it is a long-standing, widespread, well-known-in-the-community problem is nothing to highlight when we have the world’s attention that might help or force the PLC vendors to finally make progress.
A reporter’s follow-up question asked about the real impact of this. Again the ICS security experts tried to calm things down with talk about systems being heterogeneous and the difficulty of widespread attacks. Again, not wrong, but why focus on downplaying the problem? Why not focus on the fact that owner/operators with an S7 PLC need to be very concerned, because Dillon’s attacks or a slightly modified Stuxnet could take out their plant or SCADA system with huge loss of money, possible loss of life, environmental damage, and other negative effects?
ICS Security Gurus and others who talk to the press, consider changing the message to:
- This is a very serious set of vulnerabilities that puts anyone who has a process that relies on S7 PLCs at risk. If an attacker can gain access to the PLC, they can affect the process with potentially huge financial loss, destruction of systems, environmental impact and even loss of life.
- Siemens needs to provide clear and honest information to their customers on the vulnerabilities and their impact. Not a small job, since Dillon has found 15 already, not to mention the remaining Stuxnet issues. They need to stop denying problems. Stop misleading and lying to their customers. The Stuxnet vulns in the PLC are not fixed. The vulns Dillon identified have not all been patched. Dillon’s work could be leveraged by bad guys to compromise SCADA and DCS that use Siemens’ PLCs, again with grave results.
- Siemens needs to provide customers with information on how they will fix each vuln, integrate missing security features, and firm dates/versions when these will be available. In parallel, they should be providing customers with compensating controls. Who better than Siemens to provide IDS/IPS signatures for these vulns to their customers?
- Siemens’ security development lifecycle (SDL) is hugely flawed. A number of the Beresford vulns are not missing security features; they are the result of very poor software engineering practices. Siemens should tell customers what modifications are being made to the SDL to prevent this in future code.
Full stop. No temporizing the message.