SCADA Security Vulnerability

Yesterday Dillon Beresford announced, and ICS-CERT confirmed, that the Siemens S7-200, S7-300 and S7-400 families of PLCs suffer from the same replay vulnerability as the S7-1200. Siemens had not announced this, even though they have had the information for over two months now and had an opportunity to discuss the issue directly with customers last week at the Automation Summit.

There are only two possible explanations for why Siemens failed to disclose this to their customers, and both are bad:

  1. Incompetence: Siemens' top security talent and engineers were unable to figure out that the replay attack on the S7-1200 did in fact work against the other S7 PLCs, the big boys that are used in more critical systems. Dillon Beresford was able to confirm this in less than a week, in off hours and spare time, once he got his hands on an S7-300.
  2. Deception: Siemens knew this very early and chose not to tell their customers. Most importantly, they chose to deceive their customers last week at the Automation Summit with lies of omission and by making forceful statements that all of the S7-1200 vulnerabilities had been patched.

Unlike Stuxnet, where the evidence points to incompetence or at best ignorant bliss, this case was almost surely deception. And it worked for at least a week, as Automation Summit attendees were singing the praises of Siemens' new commitment to security.

The deception continues in the press release and announcements.

Siemens announced today it has identified a potential security weakness in the programming and configuration client software authentication mechanism employed by its SIMATIC S7 family of programmable controllers, including the S7-200, S7-1200, S7-300 and S7-400.

A more truthful paragraph would have been: “Siemens is now forced to admit that the replay vulnerability a researcher disclosed on the S7-1200 PLC last month also affects the S7-200, S7-300 and S7-400 PLCs. The researcher had contended it affected all of the S7 PLCs, but couldn’t prove it because he did not have access to the more expensive S7 models. Unfortunately he got his hands on an S7-300, quickly verified it was also vulnerable, and chose to tell the world. We are now forced to admit our deception.”

At the Automation Summit Siemens proudly announced that the new security patch addressed all the vulnerabilities in the S7-1200. This can hardly be taken on faith now. And if they did in fact develop the security patch for that model, why is it not available for the other models now? Siemens has also made claims about the limitations of the replay attack that Dillon rejected in a recent podcast. It is much more than a replay attack. At this point, Dillon’s characterization of the vulnerability has a lot more credibility.

I have received some strongly worded emails asking why I’ve been so tough on Siemens and less so on other vendors. The reason is deception: deception in not providing customers with the information Siemens has that would help them make risk management decisions, and deception in not telling customers where the problems are in Siemens’ security program and what steps they are taking to correct them.

Siemens customers are now left to wait for the next bomb to drop at Black Hat. Siemens knows the vulnerabilities that will be announced there, but chose to remain silent on those as well at the Automation Summit. The approach is still happy talk until someone discloses bad news, followed by a powerful marketing campaign to a compliant Automation Press.

Proactive Holistic

Perhaps it is time to add a new term to the ICS security lexicon: Proactive Holistic. This was the Siemens mantra at the Automation Summit. A Proactive Holistic approach is to provide quality marketing information on security without actually addressing the underlying processes that would lead to security or providing accurate information to customers to make risk management decisions.

Of course the Automation Press has its own Proactive Holistic response to the news. They published Siemens’ press release, but chose to ignore the deception. This despite the fact that security stories are among the most popular and prevalent in the magazines. This despite the fact that they themselves were misled at the user conference and wrote glowingly about Siemens’ new commitment to security post-Stuxnet.