By Nick Denbow, Industrial Automation Insider, September 2011
Last month the INSIDER (Industrial Automation Insider!) reported how Siemens had survived its 2011 Automation Summit, and perhaps even held a reasonably effective one, despite the gathering storm around the security vulnerabilities inherent in the S7 design. Within 24 hours of the end of the event, Siemens announced that the S7 300 PLC product family had the same vulnerabilities as the S7-1200, but no patch was offered or issued to sort out the problems with these models, unlike the patch quoted to solve the problems on the 1200 model.
The Black Hat briefing
From July 30 – August 4 the Black Hat 2011 US briefings took place in Las Vegas. Started by Jeff Moss, now a US Homeland Security Advisory Council Member but a hacker for over 20 years, these briefings are a series of highly technical information security presentations and discussions that bring together thought leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. Eric Byres (CTO at Byres Security) attended Dillon Beresford’s presentation, and reports that the S7 vulnerabilities Beresford described (as an independent researcher, not a government-funded one) were far worse than Byres had ever imagined, including a hard coded user name and password that Siemens engineers had unnecessarily left on the PLC. Byres comments that such basic security errors should never have been allowed through the Siemens Development Review and Quality Assurance processes, necessary disciplines for any responsible automation company (see the Byres blog for 4 August).
US Government agency connivance
What then became obvious was that Siemens, and probably the ICS-CERT organization (a part of US-CERT, the US Computer Emergency Readiness Team) at INL, Idaho National Labs, had been aware of these vulnerabilities for some time, maybe even up to a year, but had no answer prepared, no fix available, and had not advised the customers – Siemens did not modify the architecture in their Security Concept guidance document to even make it feasible for users to block http and telnet commands from getting to the vulnerable PLC. This does appear to ring alarm bells, signalling arrogance or irresponsibility on the part of Siemens, and has called into question the effectiveness of ICS-CERT, the industrial control systems cyber emergency response team, who take US government money and are mandated to share and co-ordinate vulnerability information and threat analysis.
ICS-CERT’s answer to this would appear to be that “Unless extenuating circumstances arise (e.g. active exploitation, threats of an especially serious nature, or danger to public health and safety), co-ordinated vulnerabilities are not publicly announced until patches/mitigations are available.” So what happens when Siemens produces no patch, and sits on the problem?
Time for the customers to demand answers
Quoting the conclusions in the Byres blog for 4 August: “It’s time for customers to demand better security”. He expands: “Now it is time for customers to demand better via purchasing specifications. Customers need to insist that companies have their development processes certified by ISASecure. They need to see clear evidence of an SDL (Security Development Lifecycle) process in place and they need to see in writing exactly what notification process vendors will provide when they discover a vulnerability.”
● The consequences for Siemens will only be publicly evident after some time. There are a few recent anecdotes from Siemens Solution Partners and sales people about their market image that predate these August revelations, in Jim Pinto’s weblog. One of these reports that the “controls” specified for the GlobalFoundries $4.6Bn Fab 8 semiconductor manufacturing facility being built in Saratoga County, New York, will not follow the design of their German plant, but will use ControlLogix from Rockwell Automation: maybe the contractor just had a “buy-American” policy? Even in Jim Pinto’s weblog, the suggestion is that one answer for Siemens might be a new start, with total rebranding, maybe using the Invensys Operations Management logo!
There was no comment from Siemens!