Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Researcher blasts Siemens for downplaying SCADA threat

Gregg Keizer, Computerworld | May 24, 2011
The security researcher who last week voluntarily canceled a talk on critical vulnerabilities in Siemens' industrial control systems took the German giant to task Monday for downplaying the problem.

"The right thing [for Siemens] to do for customers is to let them know they need to reevaluate how their networks are architected," Moy said. "These issues completely obviate the need for the software, and allow an attacker to directly access the PLCs."

Stuxnet exploited vulnerabilities in Windows to infect computers that ran Siemens SCADA software, giving the attackers access to the software that in turn controlled PLC devices.

"This is a completely different class of vulnerabilities than Stuxnet exploited," said Moy. "It's more serious than Stuxnet."

NSS Labs will not publicly release technical details about the PLC vulnerabilities, nor proof-of-concept exploit code, Moy continued. But the company will do an end-around Siemens and discuss the flaws with SCADA operators that it's confirmed are legitimate.

In the next week or two, NSS Labs will demonstrate the impact of the vulnerabilities to SCADA operators on an invitation-only basis. Moy asked concerned users of Siemens PLC devices to contact the company for more details on the demonstrations NSS Labs plans to host at its Carlsbad, Calif. office.

At the same time, NSS Labs will also outline possible mitigation steps users can take to protect their SCADA systems from attack.

Moy felt that was the right path to take. "The companies who own these devices are up in arms over Siemens' slow response," Moy said.

In the meantime, he had little advice for companies using Siemens PCL devices. "Unplug your stuff," said Moy.

"Actually, it's not as simple as that," he continued. "But waiting for a fix from Siemens is not the best that you can do."

He declined to be more specific about what steps SCADA operators can take.

Moy also expressed frustration that the news last year of Stuxnet's success -- Iranian officials have acknowledged the worm affected its primary uranium enrichment facility -- hasn't prompted SCADA suppliers like Siemens to push harder on the security front.

But he had hopes the latest discoveries would prompt Siemens to act and push SCADA operators to pay more attention to security.

"The bright side to this is that these aren't the only vulnerabilities. There are definitely even bigger issues for industrial control operators," said Moy. "The visibility of these vulnerabilities will hopefully give the industry more momentum toward better security, and force it to address the problems."

Siemens did not reply to a request for comment on Beresford's and Moy's claims that the company was minimizing the threat to SCADA systems and the industrial systems they manage.

 

Previous Page  1  2 

Sign up for MIS Asia eNewsletters.