After first denying their existence, a Siemens spokesman acknowledged on Thursday that his company was aware of a series of security vulnerabilities in its software that could allow remote attackers to take control of industrial control systems.
Siemens issued a statement in response to complaints by security researcher Billy Rios that it was trying to cover up reported software holes in its Simatic WinCC HMI (human machine interface) software. The company said it was aware of “vulnerabilities in some of its automation products” and was working on fixing the issues. Siemens said patches for the holes will be issued in January.
The company was responding to published reports about what appeared to be an effort to deny the existence of a series of vulnerabilities reported by Rios and fellow researcher Terry McCorkle earlier in 2011. Writing on his personal blog, Rios – a security researcher for Google – said that Alex Machowetz, head of media relations at Siemens gave misleading information to a reporter for Reuters about the security holes.
After some delay, Machowetz and Siemens appeared to argue that the incident was a miscommunication. The company acknowledged that it received word of the holes in various flavors of its WinCC software in May, 2011 and immediately began work on fixes for the holes.
Maschowetz said that his message to Reuters was merely a request for more specific information. In it, Maschowetz said that he communicated that Siemens was not aware of any further issues in addition to the vulnerabilities reported by Rios and McCorke, but did not deny the existence of the vulnerabilites.
Further, Siemens said that it had received further vulnerability reports from the two researchers and is investigating them. It thanked both researchers for their work.
Siemens and other ICS software vendors have struggled to manage greater attention to their products by independent security researchers like Rios, Ralph Langner and Dillon Beresford, and with greater media attention to attacks on critical infrastructure. In May, 2011, the company raised the ire of the security community after it requested that a talk on security holes in its Simatic S7 products be postponed. Beresford eventually demonstrated the vulnerablities at the Black Hat Conference in Las Vegas.
