Jim Cahill notes a post on the Digital Bond blog where Dale Peterson analyzes Emerson’s Ovation for security. Jim consults his experts (hence the Emerson Process Experts blog title) and provides a balanced look at security.
I had a brief exchange with Peterson a month or two ago where he was ripping magazines a little. In one response, he was critical of us in the media for not ripping suppliers–for instance, we should have been publicly chastising Siemens for permitting Stuxnet. I like Jim’s response in general about the need for defense in depth and the fact that threats change on a daily basis. Certainly in a perfect world suppliers would foresee all possible threats and provide a bulwark against them. But, it’s not a perfect world. Due diligence is probably the best we can ask.
As Stephan Beirer of GAI NetConsult noted on an event in Germany,
"Georg Trummer, Simatic Head of Development and Security of Siemens A&D gave a rather unexciting overview of the Siemens post-Stuxnet activities. Several attendees groaned when he argued that the Stuxnet related security issues are all located at the PC level and that there are no problems with the PLCs."
Siemens has done nothing and has announced no plans to do anything to deal with the root cause of Stuxnet, the lack of any source or data authentication in their PLC. Their customers are vulnerable to any modified versions of Stuxnet that are not so kind to only attack a specific process thought to be in Iran. If the attack code can ping the PLC it can do its damage, and the Stuxnet authors have done most of the hard work making it much simpler to create a son of Stuxnet.
Admittedly the other PLC and RTU vendors have the same issue, but they don't have successful attack code in the wild.
I do continue to be amazed that the automation press has accepted Siemens' story without analysis. And this is without looking back at their lack of telling customers on how to determine if their process would be affected until after Ralph Langner told the world.
If you think I'm being too hard on Siemens, ask your favorite ICS Security Expert if Siemens or any other ICS vendor has fixed the root problem.
You can see Stephan's full report at http://www.digitalbond.com/index.php/2011/01/25/special-european-report-vdedke-electric-sector-ics-security-event-report/
Hi Gary, Thanks for highlighting the post. This is a difficult subject to openly discuss by any automation supplier. It would be kind of like discussing security issues with your home out on your blog… not a good idea.
I do know that the detailed, investigative reports on this worm have been valuable. I can't speak to all the things being done by us or speculate on any other automation supplier, but as I mentioned in the post, Stuxnet has ushered in a new era for everyone.
The things mentioned in the post about a security-minded culture, defense in depth, patch/antivirus/etc. management remain paramount and I suspect the focus by suppliers and process manufacturers will continue to increase over time.
Thanks for your comments. Dare I hope for a Siemens response? This is an important topic. There's always plenty of blame to throw around. I think many people are working on solutions. I'm scoping out specific topics to address within three feature articles for our May issue. I have a ton of ideas. But any other ideas for articles are welcome.
It's just that Automation World does not have the resources for deep analysis of software. Not sure anyone does in our space–there's no equivalent of PC Mag's Labs. But I'd love to see more.
When I first started running stories on industrial cyber security around 2005, it seemed the threats were likely to come from disaffected employees, curious teen hackers, or so-called cyber terrorists. But Stuxnet being an attack (seemingly) carried out with the approval of the US government takes this to a whole new level. And perhaps inhibits its discussion?
Bob, you probably have something. Siemens was initially very open and helpful, then it became suddenly very quiet. Then The Wall Street Journal and The New York Times picked up the story. There have been several recent stories that are sometimes mutually contradictory and not helpful.
I think the political issue cannot be overlooked. I also think that we still don't know the extent of what happened. There is still speculation about the effect of the code. We will probably never get a solid report of facts from Iran. And if indeed Israel and the United States governments were behind it, then our grandchildren may learn about it later.
At any rate, the prevailing theories about defense in depth take on more significance. It's "user beware" out there.