Siemens is a marketing genius (evil genius?).
At Black Hat, the mistreated researcher actually thanks Siemens, praises Siemens and lets “Siemens” speak about how much they care about security. I hear rumbling through the crowd: isn’t it great that Siemens is here and taking this approach? People are impressed – only they fail to notice that the rep clearly states he is not speaking for Siemens. He is only an employee in their CERT talking about how he personally feels.
Siemens’ history of dealing with Dillon on the vulnerabilities was sketchy at best. It began with not taking the initial vulns seriously and then pleading into the early morning hours for the Takedown presentation to be cancelled. After that they usually failed to give him credit for the findings (“Siemens identified”); they repeatedly denied his findings until he could prove them; Siemens’ customer bulletins and other communication have been extremely misleading and sparse about the vulnerabilities and their impact; and they didn’t even have the courtesy to provide him with the supposed patches so he could verify them.
My expectation before arriving at BH was that Dillon’s presentation would be primarily on the technical detail, but would include some information on Siemens’ false denials, their not knowing what Metasploit is, the absence of an SDL and the lack of fixes for the identified vulnerabilities. It would lead to hard questions and the IT security press pushing for answers from Siemens on what they were going to do to fix the problems and improve their security development. They were going to look foolish, and customers were finally going to hear about it.
This was all blunted by Siemens employee Thomas Brandstetter, who took it upon himself to do the right thing by working with a researcher and admitting the seriousness of the findings. His words and dancing monkey t-shirts did the trick. Knowing Thomas a little bit, I believe he was just doing what he thought was right, and probably at risk to his job.
It was brilliant.
Even at the press conference, Dillon had good words regarding Siemens. Thomas was encouraged to say something, but the reporters were savvy enough to pick up on his “I don’t speak for Siemens”. But again it was enough for Dillon to say good words about Siemens. His words were followed by industry experts who stressed that this is a PLC/RTU problem, not a Siemens problem.
Serious marketing problem averted. Status quo maintained.