Siemens S7-1200 PLC Security Vulnerabilities, Part 2/3

In my previous blog, I analyzed the contradictory information being circulated regarding the Siemens S7 PLC vulnerabilities that were discovered by Dillon Beresford at NSS Labs in May. By studying the various Siemens and NSS notices, we were able to scrape out a few facts. We also were able to make some likely guesses about which PLC products are actually affected and what the nature of the vulnerabilities is.

In this blog I will discuss what this means for the SCADA and ICS industry as a whole. In the next blog, I will look at what it means for the ICS / SCADA professional trying to protect his or her control system in a critical industrial plant.

What the ICS and SCADA Industry can Learn

Let’s start with what the ICS / SCADA Industry can learn. This has been a PR disaster for Siemens – they have come out of it looking like they are trivializing a serious situation. In addition, they appear to be playing word games when informing customers what products are affected.

Siemens is also taking a serious risk by making negative remarks about Beresford’s discoveries.

From the ICS / SCADA industry’s point of view, Beresford is the ideal security researcher. He shared his vulnerabilities with both ICS-CERT and Siemens prior to going public. He does not release exploit code. He voluntarily pulled his presentation at the TakeDownCon conference in May once he learned of the possible consequences to critical infrastructures (Siemens and DHS did not force him to pull the talk). It is clear that Beresford and his partners want to do the right thing to make sure our lights stay on and our water continues to flow.

Compare Beresford to Luigi Auriemma, who published 34 vulnerabilities for four ICS vendors’ products on his public website. Auriemma did not inform anyone in advance – he just published the vulnerability details, complete with exploit code, for anyone to use as they see fit. Read his website or his interview with Dale Peterson and it is clear that this is all about money, damn the consequences. Doing what might make the world’s infrastructures safer doesn’t enter into the equation for Auriemma.

ICS and SCADA Vendors Need to Work with Responsible Security Researchers

Siemens is not alone in treating responsible researchers poorly. Several years ago I received veiled threats of legal action from a major PLC vendor when I simply shared vulnerabilities with their PLC team (public disclosure wasn’t even under discussion). By not openly cooperating with Beresford, Siemens sends a very bad message – “if you discover vulnerabilities, trying to be responsible will bring you public criticism – it is better to just sell your vulnerabilities and exploits on the open market”.

So Siemens (and the ICS and SCADA vendor community as a whole) needs to develop ways to educate, cooperate with and reward responsible security researchers. And these rewards don’t need to be cash - what most responsible researchers want is cooperation, recognition and respect – these shouldn’t be too hard to supply.

Now for the good news. Siemens’ PR mis-steps are eclipsing a lot of the good work that they are doing. From information I have received, Siemens has been dumping incredible resources into fixing these vulnerabilities properly. They virtually stopped all regular PLC development and released a security advisory and patches for the S7-1200 today. Considering how much validation and QA work is needed before even the simplest PLC modification is made, this is very fast and indicates a serious commitment to do the right thing.

Despite all the mis-steps, good things are happening for ICS/SCADA security. Dillon has woken up the industry to the need for a responsible disclosure policy that all the players agree to. He also has shown the world that security researchers want to act ethically and are reasonable to deal with (remember that Dillon pulled the presentation of his own accord). And Siemens’ engineering and development teams seem to be taking this seriously and have produced some of the patches in record time.

Let’s learn from all this and move SCADA security forward. We need to before the bad guys start turning out the lights.


Comments

1

Eric,
Good post. We certainly appreciate your perspective. IT's 'responsible disclosure' discussion also begs for a similar one about vendors' 'responsible response' vis-a-vis researchers and their customers. I think there are a number of people in the community interested in moving ICS security forward. Hopefully, the recent research and events will provide enough momentum.

We'll keep any updates on this page:
http://www.nsslabs.com/research/scada-ics-security/
