Siemens AG said on Tuesday that it was talking to its customers about what it acknowledged were “security gaps” in its Programmable Logic Controllers (PLCs), after an NSS Labs researcher disclosed the discovery of what he described as serious security holes in the company’s industrial control systems.
After weeks of silence on the issue, Siemens said that it is talking with its customers on a regular basis and plans to have software patches available within the “next few weeks.” The company’s statement comes amid published reports that the U.S. Government has warned Siemens customers about the security vulnerabilities, discovered by Dillon Beresford of NSS Labs.
Siemens confirmed some details of the security holes, which were reported earlier by Threatpost, acknowledging that the vulnerabilities could cause Siemens PLCs to “enter into a secure stop mode.” However, the company suggested that the conditions needed to reproduce the error were unlikely to occur in real life.
“For customers with standard IT security measures in place, there is no risk for workers or the manufacturing process.”
The company said it had developed updates for its PLCs, which are being tested internally and in cooperation with ICS-CERT.
“We anticipate having these updates available for our customers within the next few weeks.”
However, security researchers have expressed skepticism about Siemens statements. In e-mail messages posted to a SCADA security discussion group, Beresford accused the company of soft-pedaling the vulnerabilities and downplaying their seriousness.
Siemens was informed of the holes by Beresford on May 8, but made no public statement about them until a media storm erupted over Beresford’s last minute decision to postpone a May 19 talk on the vulnerabilities. Reuters reports that ICS-CERT, the Computer Emergency Response Team for the Industrial Control Systems sector issued a warning to power companies, water districts and other organizations that use Siemens PLCs.
Bruce Schneier, the chief security technology officer at BT, said that the company’s handling of the issue was a throwback to an earlier era, when most information about software security holes was kept under wraps by vendors and independent security researchers.
While not responding to those allegations, Siemens said that it would be maintaining ongoing communication about the vulnerabilities on its Web site.
