Dillon Beresford, the NSS Labs researcher who disclosed serious holes in industrial control system software from Siemens, says the company is downplaying the seriousness of the vulnerabilities in its public statements, and that a supposed “fix” for the vulnerabilities is inadequate.
In a message sent to the SCADASec mailing list, Beresford broke his recent silence, contradicting Siemens' claims that security holes he discovered in the software used to control Siemens Simatic programmable logic controllers (PLCs) are hard to exploit and that a security feature in Siemens PLCs would prevent a compromise.
Beresford has kept a low profile since deciding not to present a talk at the TakedownCon in Dallas on May 19. At the time, Beresford cited concerns about the damage that could be caused by malicious parties who had knowledge of the holes. Little is known about the nature of the flaws. However, in an e-mail, he told Threatpost that the vulnerabilities could allow remote attackers with logical access to the Simatic S7 PLCs to start, stop and harvest information from the devices.
However, Siemens has gone on the media offensive since news of the cancelled talk was picked up by media outlets. In a statement published by IDG News Service, the company said Beresford and NSS discovered the issues “under special laboratory conditions with unlimited access to protocols and controllers.”
No such thing, Beresford wrote to SCADASec, an e-mail list frequented by professionals who work in the critical infrastructure sector and by security researchers. “The flaws are not difficult for a typical hacker to exploit because I put the code into a series of Metasploit auxiliary modules.” As Threatpost reported on Monday, those modules were submitted to the ICS-CERT and Siemens, as well as to the Metasploit Framework, a free and widely used penetration testing platform. Those Metasploit modules are on hold pending an OK from Beresford, according to Metasploit founder HD Moore. As for Beresford’s special laboratory? The researcher described that as “my personal apartment on the wrong side of town.”
Siemens has not responded to multiple e-mail and phone requests from Threatpost regarding Beresford’s research.
In an email statement, NSS CEO Rick Moy said that Siemens' efforts to downplay the seriousness of the issue were “unfortunate.”
“There are real mitigations that ICS (industrial control system) operators should be considering ahead of any patch.” Moy said his firm was not going to release details of the security vulnerabilities that Beresford discovered, but would make them available to owners and operators of leading SCADA PLCs.
This isn’t the first time that Siemens has found itself in hot water. The company was pilloried after it told customers not to change a hard-coded password in its WinCC SCADA system, even after evidence that the Stuxnet worm made use of that password to infect systems running WinCC. Security researchers have noted that Siemens isn’t the only SCADA vendor in need of a wake-up call. At the ToorCon Security Conference in October 2010, researcher Jeremy Brown of Tenable said that many SCADA vendors lag behind other IT firms in doing vulnerability research and lack even a basic awareness of modern IT security principles.