SCADA Holes Allowed Remote Takedown of Siemens Systems

Security researcher Dillon Beresford decided not to present a talk at the TakedownCon in Dallas on Thursday, citing concerns about mayhem that could have resulted. But in an e-mail, he told Threatpost that the vulnerabilities could allow remote attackers to start or stop Siemens Programmable Logic Controllers (PLCs) and harvest information from the devices.

Siemens vulnerabilitySecurity researcher Dillon Beresford decided not to present a talk at the TakedownCon in Dallas on Thursday, citing concerns about mayhem that could have resulted. But in an e-mail, he told Threatpost that the vulnerabilities could allow remote attackers to start or stop Siemens Programmable Logic Controllers (PLCs) and harvest information from the devices.

Beresford, who works for security testing firm NSS Labs, told Threatpost that he found “multiple vulnerabilities in the Simatic S7 PLC controllers” and had developed proof of concept code to take advantage of the holes using the Metasploit Framework, a free penetration testing tool. The holes in question could allow remote attackers to “put the PLC CPU into STOP mode,” “put the PLC CPU into RUN mode” as well as dump the memory and scrape device information from the PLC, including the model, firmware version, serial number and PLC name.

Beresford said he had already submitted the exploits to Metasploit, and notified both the U.S. Computer Emergency Response Team (CERT) and Siemens of the holes on May 8. A Siemens spokeswoman on Thursday said she was unaware of the vulnerabilities or the suspended TakeDownCon controversy. However, a company spokesman told Wired.com that Siemens is aware of the vulnerabilities in its PLCs and appreciates the disclosure by NSS Labs.

Speaking to Wired.com, Beresford said that the U.S. Department of Homeland Security had expressed concern about publicizing the holes, but that the decision to pull the talk was his own.

“Based on my own understanding of the seriousness behind this, I decided to refrain from disclosing any information due to safety concerns for the consumers that are affected by the vulnerabilities,” Beresford told Threat Level, adding that “DHS in no way tried to censor the presentation,” he told Wired.

In a blog post on Wednesday, NSS Labs chief Rick Moy acknowledged that Beresford had discovered “significant, additional vulnerabilities in industrial control systems” and responsibly disclosed those to the affected parties. “Due to the serious physical, financial impact these issues could have on a worldwide basis, further details will be made available at the appropriate time,” he wrote.

The Siemens Simatic is a line of programmable logic controllers that are used to provide programmatic access to a wide range of physical devices, including industries such as water distribution and treatment, electricity generation, manufacturing and so on. Simatic PLCs were one of the targets of the Stuxnet worm, which was used to disable Iran’s uranium enrichment facilities at Nantaz.

Beresford has been researching the Siemens vulnerabilities since March and finished his work in early May. In recent months, he has published information about holes in other SCADA products at use both here and abroad. In January, he disclosed a critical hole in a SCADA application, KingView, from the Beijing based firm Wellintech. He has also publicized his research on vulnerabilities in Chinese government systems, which he say are woefully underprotected.

Suggested articles