Siemens Cyber Security Report Card (Part 1 of 2) (plus Presentation)

The Siemens Automation Summit was held last week and both Joel Langill and I attended it, presented at it, and engaged in social media commentary regarding it.  This article will summarize our opinion of Siemens’ announcements and posture regarding cyber security as we reflected on the conference.  We assign grades to various aspects of Siemens’ cyber security measures or policies, and we will sum it up with a final grade at the end of Part 2.

Risk Assessments – Does Siemens Know What They Are?

The opening morning Siemens presentation “How to determine the Threats and Risks Industrial Control Systems” by Tyler Williams of Wurldtech and Stefan Woronka, Director, Industrial Security Services, of Siemens, was confusing to say the least.  First, the speakers attacked the concept of risk assessments with statements like “Risk Assessments – each one is done differently – what use is that?

Later the slides talked about a risk analysis program (a service offered by Siemens? – this was far from clear) yet the pictures associated were from a vulnerability analysis report.

Risk assessments and vulnerability analyses are very different animals, and we hope whoever does the consulting knows the difference.

As one of the opening sessions of the conference, this did not leave us feeling positive about Siemens’ new religion about cyber security.  Risk assessments are a foundation piece of a good cyber security posture.

Grade: D

Standards – Does Siemens Care About Them?

The same joint talk described above also included some very pointed attacks on standards groups and the people in the work groups (referred to as “workinggroupitis”)

Quote: “Membership [in standards groups] is about putting another thing on your LinkedIn page”.

While it might be easy to shrug off standards work as “career boosting work”, the reality is that standards help the whole industry adopt better cyber security practices. Standards group participation is thankless, grinding work and volunteers should be encouraged, not ridiculed.

Is this Siemens policy towards standards? I doubt this is their overall corporate policy towards standards, but the standards discussion certainly came across poorly.

Grade: D

Air Gaps – Siemens is Right About This

Stefan Woronka’s statement:

Forget the myth of the air gap – the control system that is completely isolated is history.

was the highlight of the talk, and right on the money, as was discussed extensively in the last Practical SCADA Security blog article.

Later that day, Joel and I presented “How Stuxnet Spreads” which very clearly shows that infections pathways to control networks are many, and do not require network connections.  (Our presentation is available for download at the end of this article, and related links are also provided.)

Siemens has the right mentality about air gaps, thus we give them a high assessment in this area. But they lose a half a grade because their Security Advisories still refer to air gaps as if they are a solution.

Grade: B+

Siemens’ Vulnerability Disclosure Policies and Processes

a.     Timely Disclosure Clearly Not Yet a Priority

A talk by Ken Keiser, Sr. Marketing Manager for Siemens, discussed some of the vulnerabilities and issues the company has faced in the past year.  This included Stuxnet, the S7-1200 PLC vulnerabilities, and the resulting patches available now.

Unfortunately this talk avoided any mention of the WinCC vulnerabilities that were announced the day after the summit closed (and the Friday before a long weekend).  They also did not mention the S7-300 and S7-400 Password Security vulnerabilities that were announced today.

Siemens knew about all these vulnerabilities during the conference.  Their decision not to address them directly with the users there shows that, despite the incredible problems they’ve experienced over the last year, their current vulnerability disclosure policies and processes are still weak1.

b.    New “Security Hubs” Planned

Siemens did acknowledge the need to improve their communication about vulnerabilities with end-users and integrators. To address this, they are creating what they are calling "security hubs" in various regions of the world, including a dedicated "hub" in the United States.

The intent of these "hubs" is to better align security activities between Siemens, CERT organizations, security researchers like Tofino Security and SCADAhacker, and end users.  Details of this new channel will be released in the near future.

Grade:  F for current practices, hoping for C or better when the new “hubs” and new communication policies kick in.

Check in tomorrow for Part 2 of this article, and our final overall grade for Siemens.

1Dale Peterson talks about this extensively in his blog “Siemens Security Tap Dance or Reality”.

This article is a collaboration between Eric Byres and Joel Langill.

http://www.tofinosecurity.com/sites/default/files/JLangill.pnghttp://www.tofinosecurity.com/sites/default/files/SCADAhacker_composite_white.png

Joel Langill
CSO, SCADAhacker.com
joel@scadahacker.com      

Practical SCADA Security thanks Joel for his contribution.

Related Content to Download

NOTE: you need to be a member of tofinosecurity.com and logged in to have access to the paper. Register here to become a member.

This is the presentation that Eric and Joel gave at the Siemens Automation Summit.

PDFHow Stuxnet Spreads - A Look at Infection Paths in Best Practice Systems(7.6 MB)

Related Links

 

RSS Feed Subscribe to the "Practical SCADA Security" news feed

Comments

3

working in a SCADA Integrator I see the disconnected thoughts on Security almost everyday. I was reading the Sysinternals tools site and found this http://blogs.technet.com/b/markrussinovich/archive/2011/03/30/3416253.aspx
This explains how to analyze a possible infection.
I find Siemens attitude disappointing, but not surprising. I see the "Tap Dance" often when meeting with SCADA Operators, and other SCADA System Suppliers. Upper Management talk in Spin and say "Security and Reliability" are priorities. in practice the further down the food chain the more lost and distorted the view becomes.

Upper Management talk in Spin and say "Security and Reliability" are priorities. in practice the further down the food chain the more lost and distorted the view becomes.

Their decision not to address them directly with the users there shows that, despite the incredible problems they’ve experienced over the last year, their current vulnerability disclosure policies and processes are still weak.

Add new comment