SCADA Security Vulnerability

Yesterday Dillon Beresford cancelled his talk and demonstration, titled Chain Reaction: Hacking SCADA, at the Takedown event after a discussion with DHS and Siemens. Wired has an article with the details, which includes these Beresford quotes: “Based on my own understanding of the seriousness behind this, I decided to refrain from disclosing any information due to safety concerns for the consumers that are affected by the vulnerabilities,” Beresford told Threat Level, adding that “DHS in no way tried to censor the presentation.”

It is a bit disconcerting and hard to believe that Beresford didn’t understand the seriousness of his discoveries at any time prior to the event, and it is disappointing to those who planned to attend the talk. Did he not understand what control systems do? Taking his comments in good faith, let’s believe the discussions led to an epiphany; we are not going to wade into the disclosure issue.

What the ICS/SCADA security community really needs, more than another vuln presentation, is to stop accepting Siemens’ self-censorship. Beginning with Weisscon last September, Siemens has regularly given talks at SCADA security events and refused to talk about Stuxnet. They talk about their security program or NERC CIP efforts and ignore the elephant in the room. Why didn’t you inform customers about what Stuxnet did and how to determine if they were affected? When are you going to fix the huge, gaping vulnerabilities in the PLCs?

Ralph Langner had a telling comment in a past Digital Bond blog post about how Siemens’ new CEO views Stuxnet:

All this is only topped by the vendor. Their new “CEO industrial automation systems” (Ralf-Michael Franke) told the German press just yesterday at the Hannover Industrial Fair that Stuxnet was a PIECE OF FORTUNE, since it acted as a wakeup call for asset owners. Franke goes on to say: “All vulnerabilities exploited by Stuxnet have been identified and removed.” Franke could certainly assume that German journalists were technically unable to understand that he wasn’t telling the facts. The truth is, the ability to execute arbitrary code by infecting Step7 project folders (see http://www.microsoft.com/technet/security/advisory/2269637.mspx) is still there, along with the default database password, the potential for SQL injection, the potential hijacking of the driver DLL, and all the stuff that was exploited on the controller level that I detailed in my article in Control Magazine. By the way, the same Franke told the press recently that Siemens is presently not developing successor products for the S7 300 and 400 series BECAUSE TECHNICALLY, THEY’RE TOP NOTCH.

Even when the WinCC group of Siemens does something positive, they are eerily quiet. Last month McAfee announced that their whitelisting product has been jointly tested with Siemens and is compatible with WinCC. This is significant additional protection for the PC part of the system, yet it appears that only McAfee is promoting it.

Stuxnet was supposedly a wake-up call, but not really. Until PLC vendors are forced to address the question — what are you doing to prevent anyone who can ping a controller from modifying the process in a Stuxnet-like attack? — only the attackers have been awakened.

We are hoping for, and actively looking for, some good news. If any PLC, RTU, PAC, or field device vendor has a plan to address this, please let us know.