It is a while since we discussed Stuxnet although we have been updating our last contribution from time to time with links to other blogs and developments as we became aware of them on our blog, “Stuxnet – not from a bored schoolboy prankster!” We have now listed all these on a separate page which we endevour to keep bang up-to-date!.
We heard of this first through a tweet from Gary Mintchell, of AutomationWorld, in mid July 2010 but as we record in our blog Security threat to control system world we first started to recognise its significence with an email received from Eric Byres of Byres Security (Tofino) and which we reproduced. The title was chosen by us more because it was a nice headline rather than that it indicated that something significant had occurred. Byres, to his credit, did understand that but even he, at that time probably did not understand completely what the implications were. Others, including Semantec, whose Liam Ó Murchú described his reaction, “Everything in it just made your hair stand up and go, this is something we need to look into.”
Last week in Las Vegas some more pennies dropped, not so much as to what the implications were but just how unprepared and indeed unaware of the implications of inactivity were particularly on the part of vendors.
Last June Siemens held their North American Automation Summit or User Group meeting. As we mentioned in our blog, Missing the Security boat, they had a focus on security at this event which was not surprising given the discovery of Stuxnet and Siemens vulnarability in the previous twelve months. They secured expert speakers in Eric Byres and Joe Langil and in their subsequent joint comments they sounded up-beat: “At the concluding 90 minute round table discussion on cyber security, most of the end users present agreed that prior to the Summit, they did not completely understand cyber security. By the end of the conference they unanimously agreed that there is risk to their facilities and that something needs to be done. This was a major accomplishment!” (Siemens Cyber Security Report Card – Part 2 of 2)
“In our opinion, the conference showed how Siemens has taken many of the lessons learned during the past 12 months and converted them into a roadmap that will help their users secure their environment in the future…..What Siemens is planning to do is in the right direction, and shows their commitment to their users and the businesses they support. Short of a complete, global replacement of all legacy equipment (which we all know is impossible), security has to be addressed one step at a time. We are pleased that the steps Siemens are taking appear to be in the right direction.”
However the virtual ink was scarcely dry on that report and the participants had hardly returned home when Siemens somewaht spoiled all the good work with what Industrial Automation Insider called a “hiccup that dented the good impression left by the event - for the security specialists at least -” Less than 24 hours after the event had concluded, “there was an announcement that the vulnerabilities previously described and fixed with a patch on the Siemens S7 – 1200 did indeed also affect the S7 300/ 400 product families. A potential security weakness in the programming and configuration client software authentication mechanism used by the Siemens Simatic S7 family of programmable controllers, including the S7-200, S7-300, S7-400, and the S7-1200, was advised by Siemens, as reported on the Greg Hale ISS Source website. With this released less than 24 hours after the end of the Siemens conference, the question arose as to how open and straightforward Siemens had been with the rest of the presentations, and why the audience had not been advised of the developing problem with Simatic S7.” Byres tweeted, “S7-300 and S7-400 Password Security vulnerabilities are finally admitted: http://t.co/bMmIAiZ Why not at #automationsummit? Too Bad!”
Black Hat Briefings are a series of briefings on what has become known as the “Infosec” sector. A hackers conference! There was a meeting in Las Vegas in early August and there, security researcher Dillon Beresford, spoke on Exploiting Siemens Simantic S7 PLCs. During this presentation he covered newly discovered Siemens Simatic S7-1200 PLC vulnerabilities. He demonstrated how an attacker could impersonate the Siemens Step 7 PLC communication protocol using some PROFINET-FU over ISO-TSAP and take control.
This further undermined confidence in Siemens attitude to this crisis. Beresford’s findings were tweeted by Byres and then he tweeted this on the 5th of August: “I have changed my mind – Siemens’ commitment to their customers’ security is abominable” He then provided a link to his blog “Siemens PLC Security Vulnerabilities – It Just Gets Worse”. He describes attending Beresford’s sessions and demonstrations and he says “the vulnerabilities were far worse than I ever imagined…” He professes himself to be “embarrassed I gave them such high marks in my previous blogs!”
Siemens are in the firing line here and deservedly so but the question must be put. What about the other major (and minor) vendors? Are they up to speed”
Byres concludes his blog: “As Dillon clearly showed this week, vendors doing nothing and then hoping no one will find their product issues is no longer an option. You can count on ICS and SCADA vulnerabilities been publically exposed.
Both vendors and the end-users need to be prepared when it happens, but the vendor needs to lead the charge.” ((His emphasis!)