When Stuxnet first became public, I was impressed that Siemens immediately issued a release with explanations. We all know that the company must have many talented engineers who surely had been working on the problem. I was immediately taken to task by Dale Peterson in his blog for being too soft on Siemens. He believes that suppliers should provide a 100% fool-proof secured system–or so I took his comments to mean.
Well the public releases dried up. Then Siemens started to parse more information out. Here is a release from last week (I’m catching up on thoughts following two straight weeks on the road and getting a magazine out).
From a press release entitled “Update on S7 Vulnerabilities (Status June 13, 2011)”, Siemens stated, “Despite recent news reports, Siemens latest software vulnerabilities are not caused by malware (like Stuxnet), but by a weakness in communication functions of its Programmable Logic Controller (PLC) product, called S7-1200. The vulnerability was discovered by an NSS Labs researcher and resulted in an ICS-CERT security advisory.
“On Friday, June 10, Siemens released a firmware update of its S7-1200 PLC that eliminates vulnerabilities and improves the security and robustness of its S7-1200 product family. To download the firmware and to obtain more detailed information, please visit: www.siemens.com/networkbehavior-S7-1200.
“At this point, Siemens is not aware of any customers affected by the identified weak points found in its S7-1200 PLCs. The company would like to emphasize that it is fully committed to maintaining the highest quality products with the most stringent security standards. Siemens experts have been working closely with ICS-CERT and various user communities to continuously improve the Siemens industrial controller products. Siemens continues to recommend to all its customers that they implement the appropriate security measures (e.g. firewall, secure switches and gateways) in their facilities that are typically separate from the actual PLCs. Find more info at www.siemens.com/industrialsecurity.
A”s a further precaution, Siemens controllers, including the S7-300/400 families, are being tested against the discovered vulnerability scenarios. Today, Siemens can already exclude any vulnerability of the S7-300/400 against the “denial of service” scenario. Ongoing and extensive tests of further security scenarios are currently underway in our R&D labs. Depending on the results of those tests, the company will react accordingly. If any customers have concerns that an unauthorized person has been able to record an online communication between the engineering PC and the PLC, the company recommends an immediate change to the PLC password.”
As fate would have it, I had lunch with noted security expert Eric Byres at the Honeywell User Group on June 14. He had just written a series of blogs here, here and here in which he took Siemens lawyers and public relations counsel to task for not being forthright enough in that statement.
Cyber Security Discussed at Siemens Summit
After that, Siemens announced that it would feature a forum and discussion on cybersecurity at its Automation Summit. And none other than Byres himself is one of the featured speakers. The list includes “a host of Siemens technical and product specialists,” as well as Eric Byres, Byres Security; Mark Chambers, Astec Inc.; John deKrafft, AE Solutions; Joel Langill, SCADAhacker; Howard Page, McAfee, Inc.; Tyler Williams, Wurldtech Security Technologies; and Todd Stauffer and John Cusimano, exida Consulting, LLC.
This was enough to prompt Peterson to ask why Byres would deal with Siemens. Byres responds here.
There is no doubt that automation vendors need to step up and provide more security within their devices. On the other hand, it’s fair to ask how many customers have demanded it. Further, there are other vulnerabilities that are outside the purview of the supplier–policies, enforcement, network vulnerabilities, and more.
So, it’s fair to ask why the Siemens corporate spokespeople aren’t more forthcoming. But it’s also fair to ask why customers aren’t holding it–and all other systems suppliers–more accountable.