THE RESEARCHER who discovered flaws that he claims are serious enough to allow hackers to take over industrial systems has blasted Siemens for its evasive treatment of the issue.
Dillon Beresford is a researcher at NSS Labs who first discovered vulnerabilities in Siemens' programmable logic controller (PLC) devices used to control, monitor and automate systems such oil and gas pipeline valves, power plant systems, cooling systems and traffic lights.
NSS Labs regarded these vulnerabilities as particularly serious, saying, "Unlike classic computer crime and exploitation, where data is remotely stolen or manipulated, attacks on industrial control systems can have devastating physical world implications such as loss of life and environmental impact."
In a posting on a mailing list used by security professionals involved in working with these systems, Beresford aimed a volley at Siemens for attempting to downplay the seriousness of the issue by saying the hacks were difficult to exploit.
Beresford said, "The flaws are not difficult for a typical hacker to exploit because I put the code into a series of Metasploit auxiliary modules, the same ones supplied to ICS-CERT and Siemens."
He also claimed that he performed the exploits in his apartment, after buying the controllers he hacked using cash that NSS Labs gave him.
He added, "Remember, I look for vulnerabilities in products and exploit them every day at work. In fact, in a few hours I will be doing the same thing on other products. The bad guys are looking too! They aren't playing by the same standard of ethics or rules I am."
"The clock is ticking and time is of the essence. I expect more from a company worth $80 billion and so do your customers."
A Siemens spokesperson said, "Siemens is in direct contact with its customers on a regular basis with regards to security gaps identified in its products. Independent research uncovered that the Siemens PLCs (Programmable Logic Controllers) entered into a secure stop mode when the gap was tested without any IT security measures."
"In this environment, the PLC would have stopped a manufacturing process in a controlled manner. For customers with standard IT security measures in place, there is no risk for workers or the manufacturing process. Siemens has already developed updates for its PLCs, which are being tested internally and in joint cooperation with ICS-CERT. We anticipate having these updates available for our customers within the next few weeks."
But according to Beresford, "The proposed 'security feature' that Siemens recommended was bypassed within 45 minutes of speaking with Siemens security engineers over the phone. ICS-CERT and Siemens were immediately notified after I confirmed. I knew the feature was flawed from the moment they proposed the solution and explained it to me, because I broke much more than the PLCs."
It's also thought that 'secure stop' could lock valves in open or closed positions, prevent pumps or other machinery from being started or stopped, and cause other unforeseeable consequences. µ