PLC Security

Siemens is a marketing genius (evil genius?).

At Black Hat, the mistreated researcher actually thanks Siemens, praises Siemens and lets “Siemens” speak about how much they care about security. I hear rumbling through the crowd that isn’t it great that Siemens is here and taking this approach. People are impressed – only they fail to notice that the rep clearly states he is not speaking for Siemens. He is only an employee in their CERT talking about how he personally feels.

Siemens’ history of dealing with Dillon on the vulnerabilities was sketchy at best. It begins with not taking the initial vulns seriously and then pleading until early in the morning for a Takedown presentation to be cancelled. After that they usually failed to give him credit for the findings (“Siemens identified”); they repeatedly denied his findings until he could prove them; Siemens’ customer bulletins and other communication have been extremely misleading and sparse about the vulnerabilities and their impact; and they didn’t even have the courtesy to provide him with the supposed patches for him to verify.

My expectation before arriving at BH was that Dillon’s presentation would be primarily on the technical detail, but would include some information on Siemens’ false denials, their not knowing what Metasploit is, the absence of an SDL and the lack of fixes for the identified vulnerabilities. It would lead to hard questions and the IT security press pushing for answers from Siemens on what they were going to do to fix the problems and improve their security development. They were going to look foolish, and customers were finally going to hear about it.

This was all blunted by Siemens employee Thomas Brandstetter, who took it upon himself to do the right thing in working with a researcher and admit the seriousness of the findings. His words and dancing monkey t-shirts did the trick. Knowing Thomas a little bit, I believe he was just doing what he thought was right, and probably at risk to his job.

It was brilliant.

Even at the press conference, Dillon had good words regarding Siemens. Thomas was encouraged to say something, but the reporters were savvy enough to pick up on his “I don’t speak for Siemens”. But again it was enough for Dillon to say good words about Siemens. His words were followed by industry experts who stressed this is a PLC/RTU problem, not a Siemens problem.

Serious marketing problem averted. Status quo maintained.

Of course, now that BH is over there has been no evidence that Siemens has changed, and why should they? Even Thomas has changed his tune a bit, saying, “there is no backdoor in the PLCs, but rather a command-line and web server that developers installed for testing and debugging purposes.”

Siemens has been able to weather Stuxnet and these embarrassing shows of the lack of security. Their customers’ primary source of information, Siemens, is preaching proactive holistic security. The secondary source of information, the automation press, is with few exceptions singing along with Siemens. And Siemens’ competitors have been quiet because they don’t want the spotlight turned on them.

So the ICS security community continues down the 10+ year path of realizing PLCs can be easily and completely compromised. Perhaps the only impact from BH will be to encourage other BH attendees to spend a bit of money to acquire and hack PLCs for fame.

Postscript: Siemens Made A Marketing Blunder

Siemens may just have a lot of marketing muscle and money, and Inspector Clouseau brilliance rather than true marketing genius, in the Brandstetter maneuver. Siemens and DHS actually made a big blunder in talking Dillon into postponing his Takedown presentation. It hugely raised the visibility and sizzle of the BH talk.

Nothing changed in Siemens security between Takedown and BH. Actually there were more vulns discovered in the interim, including the backdoor and dancing monkeys. Ah, but who really are the dancing monkeys?
