Researcher Rebukes Siemens Over SCADA Exploits

Monday, May 23, 2011

Security expert Dillon Beresford of NSS Labs has issued some harsh criticism regarding the manner in which Siemens is handling the revelation of widespread vulnerabilities related to the company's programmable logic controllers (PLCs).

Last week Beresford cancelled a scheduled presentation at the Takedown Conference on proof-of-concept exploits for Supervisory Control and Data Acquisition (SCADA) systems after consulting with representatives from Siemens and the Department of Homeland Security.

The session, titled Chain Reactions: Hacking SCADA, was intended to outline critical SCADA vulnerabilities that Beresford had identified, but was cancelled over security concerns about the information in his presentation.

"I spent the entire night before my presentation working with folks from ICS-CERT - it lasted until 3:00 AM. I was awake until 6:00 AM trying to understand the full impact behind what I discovered and what the best course of action is. Many people don't see that side of independent security research and responsible disclosure. It was rough," Beresford said.

SCADA systems provide operational control for critical infrastructure and production networks, including manufacturing facilities, refineries, and hydroelectric and nuclear power plants; the information in Beresford's presentation would have exposed previously undisclosed threats to those systems.

"I am fully aware of the potential risk to ICS and the individuals operating these devices. The vulnerabilities are far reaching and affect every industrialized nation across the globe. This is a very serious issue. As an independent security researcher and professional security analyst, my obligation is not to Siemens but to their consumers. Siemens is a multi-billion dollar corporation with plenty of resources at their disposal. I am but one man who wants to make a difference," says Beresford.

Though Beresford has been more than cooperative with Siemens regarding the non-disclosure of the exploits, he is critical of how the company is attempting to downplay the significance of the vulnerabilities in the press.

"Siemens has said some things to the press that I am not entirely comfortable with... I would like to address it right here in the open, with all of you, because damage control and impact minimization are a typical tactic used by vendors to protect their public image," Beresford explains.

Beresford cites misleading statements made by Siemens' officials as quoted in an article by IDG's Robert McMillan:

"While NSS Labs has demonstrated a high level of professional integrity by providing Siemens access to its data, these vulnerabilities were discovered while working under special laboratory conditions with unlimited access to protocols and controllers."

Beresford counters that the exploits are not sophisticated: "the flaws are not difficult for a typical hacker to exploit because I put the code into a series of Metasploit auxiliary modules, the same ones supplied to ICS-CERT and Siemens."

He also takes issue with how Siemens characterizes the level of resources at his disposal, giving the impression that he had used an elaborate array of research equipment to develop the exploits:

"Also there were no 'special laboratory conditions' with 'unlimited access to the protocols'. My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory. I purchased the controllers with money my company so graciously provided me with."

Beresford goes on to rebuke Siemens for a failure to show tact in the company's approach to handling the disclosures after the fact:

"Remember, I look for vulnerabilities in products and exploit them every day at work. In fact, in a few hours I will be doing the same thing on other products. The bad guys are looking too! They aren't playing by the same standard of ethics or rules I am. You [Siemens] had better be thankful I found the problems first and if you think your [sic] expressing your appreciation, think again, look at the statement that was made by your public relations team."

Beresford closed his statements with a final challenge to Siemens on matters of accountability, stating that "the clock is ticking and time is of the essence. I expect more from a company worth $80 billion and so do your customers."

Michael Thibodeaux Imagine if you were a large company getting your pants ripped off. How would you react to NSS Labs? Actually, I was offered a job with Siemens about a year ago to deal with the SCADA issue and I turned it down because my wife did not agree with the travel requirements. It would have been a wild, bumpy and exciting ride to try to be open to all the criticism.
Chris Blask @Michael - I've been on exactly both sides of that equation, so I don't have to imagine. There are better ways to handle it than Siemens did.

You are right in that they really had no clue what to do, which is the honest explanation (*not* excuse) for their behavior. I cut them some slack for that (more than Cisco, who should know better), but it is a Newbie mistake and you only get one pass on it.

They need to grow up and grow up fast, the second time it isn't naivety, it's incompetence.
Michael Thibodeaux Chris, I understand what you are saying. It is hard to understand how such a firm would not at least state that "there are problems with our products...,but we are working hard on correcting this issue". Instead they have found a new market to try to sell services. I interviewed with Mr. Woronka and his US counterpart, Mr. Lehman, for a position in Siemens that was being set up to sell IT Security consulting services.

Tom Coats There is always a problem when lawyers and MBAs are the decision makers.
You aren't getting through to the engineers who could make a difference, and I might strongly suspect that they don't work for Siemens anymore. The Siemens response is classic management legalese. And you are absolutely correct that they don't understand the risk and they are not going to do anything about the weaknesses. Strictly speaking, they probably expect to be well out of this before the midden hits the fan.

Cruel but true If you want to make a difference offer to sell your code to someone who will cause Siemens pain, either by regulating them or by exploiting the code. There may be someone at Siemens who would understand you but the lawyers will do anything to make sure that your message doesn't get to them because it will mean expensive modifications to what they thought was a cash cow. By ignoring your offer Siemens is being criminally negligent, but that is par for the course especially for them.
Chris Blask I had lunch today with the QA Lead from the old PIX team (Majid Alasvandian) and we talked about just this. When we got nailed with a PIX vulnerability back then (ten years ago) we stood up and took ownership. The same team (a PIXen by any other name...) this year in the same situation tried to bluff their way around it.

Lawyers be damned, it is good business to display diligence and bad business to try to BS your way out of your responsibility. Siemens in my opinion has a lot to learn about that, and it looks like they are going to learn it the hard way.


Snaggle Puss Snagglepuss says hi to Chris.
We did the great easter egg hunt a while back.
Chris Blask Hi Snag!

That sounds very familiar. Think I have some stale chocolate still around somewhere... ;~)
Snaggle Puss Chris, I'm still trying to get the chocolate out of my fur.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.