George Gary Mintchell of Automation World/Feed Forward Blog and I have had a difference of opinion on the Automation Press in a few areas, including the kid-gloves treatment of Siemens regarding Stuxnet. He has a blog on this titled “Cybersecurity Responsibility”, where he goes back to the “defense in depth” and “due diligence” mantras.
In his blog he does characterize my criticism of Siemens incorrectly. I don’t blame Siemens for having a vulnerability that was exploited. I criticize Siemens for not providing their customers with information on how to determine whether their process is at risk, and for not having, or announcing, any intention to fix the underlying problem in their PLC.
My comment submitted to Feed Forward is below:
As Stephan Beirer of GAI NetConsult noted about an event in Germany,
“Georg Trummer, Simatic Head of Development and Security of Siemens A&D gave a rather unexciting overview of the Siemens post-Stuxnet activities. Several attendees groaned when he argued that the Stuxnet-related security issues are all located at the PC level and that there are no problems with the PLCs.”
Siemens has done nothing, and has announced no plans to do anything, to deal with the root cause of Stuxnet: the lack of any source or data authentication in their PLC. The PLC has no way to tell whether a logic download comes from an authorized engineering station or from any other host, and no way to tell whether the logic it receives has been tampered with. Their customers are therefore vulnerable to any modified version of Stuxnet that is not so considerate as to attack only a specific process thought to be in Iran. If the attack code can reach the PLC over the network, it can do its damage, and the Stuxnet authors have done most of the hard work, making it much simpler to create a son of Stuxnet.
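To make concrete what “source and data authentication” at the PLC would mean, here is an added toy model in Python. It is not Siemens code, it does not model the S7 protocol or any real PLC firmware, and the PLC identifier, engineering-station identifier, shared key and logic blocks are all made up for the example. It contrasts a PLC that accepts any logic download from any host that can reach it with one that requires a keyed MAC from a known engineering station and a fresh sequence number.

```python
"""Toy model of PLC logic downloads with and without source/data authentication.

Illustration only: not Siemens code, not the S7 protocol. All identifiers,
keys and "logic blocks" below are constructed for the example.
"""
import hashlib
import hmac
import struct


class UnauthenticatedPLC:
    """Models the weakness described in the post: any host that can reach
    the PLC on the network can replace its logic, no questions asked."""

    def __init__(self):
        self.logic = b""

    def download(self, payload: bytes) -> bool:
        self.logic = payload
        return True


class AuthenticatedPLC:
    """Accepts a download only if it carries a valid HMAC-SHA256 tag from a
    known engineering station (source authentication) over the exact payload
    (data authentication) with a strictly increasing sequence number
    (replay protection)."""

    def __init__(self, plc_id: bytes, station_keys: dict):
        self.plc_id = plc_id
        # station_id -> 32-byte shared key; assumed provisioned out of band
        self.station_keys = station_keys
        self.last_seq = {sid: 0 for sid in station_keys}
        self.logic = b""

    @staticmethod
    def message(plc_id: bytes, station_id: bytes, seq: int, payload: bytes) -> bytes:
        # Length-prefix every field so an attacker cannot shift field boundaries
        fields = (plc_id, station_id, struct.pack(">Q", seq), payload)
        return b"".join(struct.pack(">I", len(f)) + f for f in fields)

    def download(self, station_id: bytes, seq: int, payload: bytes, tag: bytes) -> str:
        key = self.station_keys.get(station_id)
        if key is None:
            return "rejected: unknown source"
        expected = hmac.new(key, self.message(self.plc_id, station_id, seq, payload),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad MAC"
        if seq <= self.last_seq[station_id]:
            return "rejected: replay"
        self.last_seq[station_id] = seq
        self.logic = payload
        return "accepted"


def sign_download(key: bytes, plc_id: bytes, station_id: bytes, seq: int, payload: bytes) -> bytes:
    """What the authorized engineering station attaches to a download."""
    return hmac.new(key, AuthenticatedPLC.message(plc_id, station_id, seq, payload),
                    hashlib.sha256).digest()


def demo() -> dict:
    # Hypothetical identifiers and key, constructed for the example
    plc_id = b"PLC-01"
    station_id = b"ES-01"
    key = hashlib.sha256(b"example shared key, provisioned out of band").digest()
    good_logic = b"OB1: run drives at the engineered setpoint"   # stand-in for a logic block
    evil_logic = b"OB1: run drives at an out-of-range setpoint"   # attacker's replacement

    # Unauthenticated PLC: the attacker's download is accepted exactly like the real one.
    plain = UnauthenticatedPLC()
    unauth = [plain.download(good_logic), plain.download(evil_logic)]

    # Authenticated PLC: same network position for the attacker, three attempts, none land.
    plc = AuthenticatedPLC(plc_id, {station_id: key})
    tag = sign_download(key, plc_id, station_id, 1, good_logic)
    auth = [
        plc.download(station_id, 1, good_logic, tag),              # legitimate download
        plc.download(b"ATTACKER", 2, evil_logic, b"\x00" * 32),    # host with no key
        plc.download(station_id, 2, evil_logic, tag),              # captured tag, modified payload
        plc.download(station_id, 1, good_logic, tag),              # replay of the captured message
    ]
    return {"unauth": unauth, "auth": auth, "logic_intact": plc.logic == good_logic}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the boundary it moves: with authentication, the set of hosts that can rewrite the logic shrinks from “anything that can reach the PLC” to “whoever holds the engineering station’s key”. It is not a complete answer, because Stuxnet reached the PLC through a compromised STEP 7 engineering station, and a PLC cannot distinguish code signed by a legitimate station from code signed by malware running on that station; a signature scheme with the key held in hardware on the station, and operator approval of each download, would be needed to close that path.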
Admittedly, the other PLC and RTU vendors have the same weakness, but there is no successful attack code against their products in the wild.
I do continue to be amazed that the automation press has accepted Siemens’ story without analysis. And that is without looking back at their failure to tell customers how to determine whether their process would be affected until after Ralph Langner told the world.
If you think I’m being too hard on Siemens, ask your favorite ICS Security Expert if Siemens or any other ICS vendor has fixed the root problem.