When Stuxnet first became public, I was impressed that Siemens immediately issued a release with explanations. We all know that the company must have many talented engineers who surely had been working on the problem. I was immediately taken to task by Dale Peterson in his blog for being too soft on Siemens. He believes that suppliers should provide a 100% fool-proof secured system–or so I took his comments to mean.
Well the public releases dried up. Then Siemens started to parse more information out. Here is a release from last week (I’m catching up on thoughts following two straight weeks on the road and getting a magazine out).
From a press release entitled “Update on S7 Vulnerabilities (Status June 13, 2011)”, Siemens stated, “Despite recent news reports, Siemens latest software vulnerabilities are not caused by malware (like Stuxnet), but by a weakness in communication functions of its Programmable Logic Controller (PLC) product, called S7-1200. The vulnerability was discovered by an NSS Labs researcher and resulted in an ICS-CERT security advisory.
“On Friday, June 10, Siemens released a firmware update of its S7-1200 PLC that eliminates vulnerabilities and improves the security and robustness of its S7-1200 product family. To download the firmware and to obtain more detailed information, please visit: www.siemens.com/networkbehavior-S7-1200.
“At this point, Siemens is not aware of any customers affected by the identified weak points found in its S7-1200 PLCs. The company would like to emphasize that it is fully committed to maintaining the highest quality products with the most stringent security standards. Siemens experts have been working closely with ICS-CERT and various user communities to continuously improve the Siemens industrial controller products. Siemens continues to recommend to all its customers that they implement the appropriate security measures (e.g. firewall, secure switches and gateways) in their facilities that are typically separate from the actual PLCs. Find more info at www.siemens.com/industrialsecurity.
A”s a further precaution, Siemens controllers, including the S7-300/400 families, are being tested against the discovered vulnerability scenarios. Today, Siemens can already exclude any vulnerability of the S7-300/400 against the “denial of service” scenario. Ongoing and extensive tests of further security scenarios are currently underway in our R&D labs. Depending on the results of those tests, the company will react accordingly. If any customers have concerns that an unauthorized person has been able to record an online communication between the engineering PC and the PLC, the company recommends an immediate change to the PLC password.”
As fate would have it, I had lunch with noted security expert Eric Byres at the Honeywell User Group on June 14. He had just written a series of blogs here, here and here in which he took Siemens lawyers and public relations counsel to task for not being forthright enough in that statement.
Cyber Security Discussed at Siemens Summit
After that, Siemens announced that it would feature a forum and discussion on cybersecurity at its Automation Summit. And none other than Byres himself is one of the featured speakers. The list includes “a host of Siemens technical and product specialists,” as well as Eric Byres, Byres Security; Mark Chambers, Astec Inc.; John deKrafft, AE Solutions; Joel Langill, SCADAhacker; Howard Page, McAfee, Inc.; Tyler Williams, Wurldtech Security Technologies; and Todd Stauffer and John Cusimano, exida Consulting, LLC.
This was enough to prompt Peterson to ask why Byres would deal with Siemens. Byres responds here.
There is no doubt that automation vendors need to step up and provide more security within their devices. On the other hand, it’s fair to ask how many customers have demanded it. Further, there are other vulnerabilities that are outside the purview of the supplier–policies, enforcement, network vulnerabilities, and more.
So, it’s fair to ask why the Siemens corporate spokespeople aren’t more forthcoming. But it’s also fair to ask why customers aren’t holding it–and all other systems suppliers–more accountable.
Hi Gary,
From my experience I think It is fair to say that owners and operators are asking questions of their vendors and intergrators (suppliers). I know that from what some folks were able to make happen in this part of the world with the present state of the art in technology the results are something that are going to take some time. There are no quick fixes, however change is slowly happening in our industry culture.
I think that many vendors do get the message in general about the need to improve our security posture of our technologies and our practices proceedures and policies.
So where is the problem?
One problem – Many folks are exhibiting signs of denial in the industry BOTH supplier and customer!
Another problem – despite the issues nobody is jumping for joy at the thought of paying for the sort of effort that needs to be injected in order to improve the overall posture and regulating things isn't by itself working !
Another Problem – More education is needed to teach folk the necessary "security foo"
Another Problem – many places are only getting the message after reality bites them hard.
Give you some solutions?
Part of the solution is collaboration and raising basic awareness and to get the right sort of action from government, the general public, customers and suppliers. We will only see marked success by working together with a sustainable funding model.
I think it is fair to say that we all need to do more with the challanges that are facing our industry with regard to security. The more we talk about it the closer we are to creating the changes needed.
Keep Blogging
Ron Southworth
Hi Ron, Thanks for a reasoned comment. These are some good ideas. It's a complex issue–which just means that you need to develop some checklists of things to follow and people who need to talk to each other. Then it becomes iterative, right? Attack the problem, learn, new ideas, etc.
One person I interviewed recently told me that Stuxnet getting so much mass media publicity was a wake up call for many managers. We can only hope he was right.
By the way, everyone can get involved in what is sure to be a lively discussion by attending the Siemens conference (NOT a paid announcement, by the way). But Automation World will have an editor there to report for those who cannot make it. Sure to be interesting. I'd love to hear the Siemens guys talk with a little less filtration.