Researcher blasts Siemens for downplaying SCADA bug
Threats 'affect every industrialized nation'
Agentless Backup is Not a Myth
A security researcher who voluntarily canceled a talk about critical holes in Siemens' industrial control systems has criticized the German company for downplaying the severity of his findings.
“The vulnerabilities are far reaching and affect every industrialized nation across the globe,” Dillon Beresford wrote in an email posted to a public security list. “This is a very serious issue. As an independent security researcher and professional security analyst, my obligation is not to Siemens but to their consumers.”
Beresford took issue with comments that an article published by IDG News attributed to Siemens representatives, including the claim that the bugs “were discovered while working under special laboratory conditions with unlimited access to protocols and controllers.”
Siemens also suggested that the vulnerabilities “might be difficult for the typical hacker to exploit.”
In his email, Beresford disputed those claims.
“There were no 'special laboratory conditions' with 'unlimited access to the protocols,'” he wrote. “My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory. He said he acquired the Siemens PLC, or programmable logic controller, with no trouble, using money supplied by his employer, NSS Labs.
So-called supervisory control and data acquisition systems control industrial equipment at oil refineries, manufacturing plants and waste treatment facilities. The security of SCADA became a major focus after the discovery of Stuxnet, a worm that some security experts was designed to sabotage Iran's nuclear program.
More from IDG News is here. ®
COMMENTS
How would you propose to operate a SCADA system without a network?
(The transfer of magic electrons not withstanding).
Seriously, the concept of SCADA is to provide operator interface to and collect data from a networked control system. I'm not aware of a network that isn't accessible via "sneakernet" regardless of the OS platform(s) on the network.
The root cause here is the long term belief in the systems integration industry that control systems were so specialized that no one would ever make the effort to specifically target it. As such even the simplest of security restrictions were ignored for most of the industry's history. I work in this industry and any "focus" on security is about 5-10 years behind the curve.
Siemens may be unfairly catching the brunt of the publicity (they are by no means the only OEM with security issues), but their special conditions argument is marketing BS.
r u sure?
stuxnet etc can propagate quite happily without an active outside network connection. Sneakernet?
A much bigger problem is windows-obsessed PHBs.
Rigging the rules
Was not Siemens, a decade or so ago, accused of strong-arming the framing of EU specifications for data transmission protocols in industrial control systems? This was said to have put several of their competitors, whose systems consequently became 'non-compliant', at something of a disadvantage.
The trade magazine 'Control and Instrumentation', as I recall, covered this issue in some depth. Do any other readers remember more detail?
IT infrastructure monitoring strategies
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
Data control in the cloud
Cloud based data management
Agentless Backup is Not a Myth
