
Siemens working on vulnerability that threatens critical infrastructure


After two researchers agreed to keep under wraps vulnerabilities they discovered in hardware critical to the operation of many industrial infrastructure systems, the maker of that hardware, Siemens, announced it's working on a fix for the flaw.

"Siemens has been made aware of the irregularities in its Programmable Logic Controllers discovered by NSS Labs, and we appreciate the responsible disclosure provided by the company and its high level of professional integrity," the company, headquartered in Berlin, Germany, said in a statement provided on May 20 to Government Security News.

"Siemens is working together with both NSS Labs and ICS-CERT, and we are in the process of testing patches and developing mitigation strategies," it continued. "Siemens and ICS-CERT have validated that direct access to the product within an automation network is required for these irregularities to take place within the PLC."

"We encourage end users to use internal measures to protect their own automation security and offer guidance through our industrial security services and security management services," it added. "We are in constant contact with our customers as to updates regarding this issue."

Programmable Logic Controllers are a key component in Supervisory Control and Data Acquisition (SCADA) systems, which are used to monitor and control industrial, infrastructure and facility-based processes — such things as fabrication, waste water treatment, oil and gas pipeline control, and electric power generation and transmission.

The vulnerability in the Siemens hardware came to light after two NSS Labs researchers, Dillon Beresford and Brian Meixell, canceled a presentation on the flaw scheduled for May 18 at TrackDownCon in Dallas, TX.

In a blurb about their presentation, the researchers promised to "demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state."

The researchers backed out of their TrackDownCon forum after consulting with ICS-CERT, which is part of the U.S. Department of Homeland Security (DHS). "We went to them," NSS CEO Rick Moy explained. "It was a very collaborative process."

"When people say DHS, folks get this image of guys in black suits showing up," he added. "That wasn't the situation."
