Security expert Dillon Beresford of NSS Labs has issued some harsh criticism regarding the manner in which Siemens is handling the revelation of widespread vulnerabilities related to the company's programmable logic controllers (PLCs).
Last week Beresford cancelled a scheduled presentation at the Takedown Conference about Supervisory Control and Data Acquisition (SCADA) exploit proof-of-concept after consulting with representatives from Siemens and the Department of Homeland Security.
The session, titled Chain Reactions: Hacking SCADA, was intended to outline critical SCADA vulnerabilities that Beresford had identified, but was subsequently canceled over security concerns related to the information in Beresford's presentation.
"I spent the entire night before my presentation working with folks from ICS-CERT - it lasted until 3:00 AM. I was awake until 6:00AM trying to understand the full impact behind what I discovered and what the best course of action is. Many people don't see that side of independent security research and responsible disclosure. It was rough," Beresford said.
SCADA systems provide operations control for critical infrastructure and production networks including manufacturing facilities, refineries, hydroelectric and nuclear power plants, and the information in Beresford's presentation would have exposed previously undisclosed threats.
"I am fully aware of the potential risk to ICS and the individuals operating these devices. The vulnerabilities are far reaching and affect every industrialized nation across the globe. This is a very serious issue. As an independent security researcher and professional security analyst, my obligation is not to Siemens but to their consumers. Siemens is a multi-billion dollar corporation with plenty of resources at their disposal. I am but one man who wants to make a difference," says Beresford.
Though Beresford has been more than cooperative with Siemens regarding the non-disclosure of the exploits, he is critical of how the company is attempting to downplay the significance of the vulnerabilities in the press.
"Siemens has said some things to the press that I am not entirely comfortable with... I would to address it right here in the open, with all of you, because damage control and impact minimization a typical tactic used by vendors to protect their public image," Beresford explains.
Beresford cites misleading statements made by Siemens' officials as quoted in an article by IDG's Robert McMillan:
"While NSS Labs has demonstrated a high level of professional integrity by providing Siemens access to its data, these vulnerabilities were discovered while working under special laboratory conditions with unlimited access to protocols and controllers."
Beresford counters Siemens' assertions, stating that the exploits were not of a sophisticated nature, saying "the flaws are not difficult for a typical hacker to exploit because I put the code into a series of Metasploit auxiliary modules, the same ones supplied to ICS-CERT and Siemens."
He also shows disdain for the how Siemens attempts to characterize the level of resources at his disposal and for trying to give the impression that Beresford was utilizing an elaborate array of research equipment in developing the exploits:
"Also there were no 'special laboratory conditions' with 'unlimited access to the protocols'. My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory. I purchased the controllers with money my company so graciously provided me with."
Beresford goes on to rebuke Siemens for a failure to show tact in the company's approach to handling the disclosures after the fact:
"Remember, I look for vulnerabilities in products and exploit them every day at work. In fact, in a few hours I will be doing the same thing on other products. The bad guys are looking too! They aren't playing by the same standard of ethics or rules I am. You [Siemens] had better be thankful I found the problems first and if you think your [sic] expressing your appreciation, think again, look at the statement that was made by your public relations team."
Beresford closed his statements with a final challenge to Siemens on matters of accountability, stating that "the clock is ticking and time is of the essence. I expect more from a company worth $80 billion and so do your customers."