19 May 2011
Security experts are warning of a serious vulnerability in Siemens industrial control systems, one they reportedly felt was too dangerous to share with an audience at a security conference this week because the flaw had not yet been adequately patched.
Rick Moy, president and chief executive of information security testing and research organisation NSS Labs, confirmed to V3.co.uk that the firm is hoping to hear back from Siemens later on Thursday about how the company plans to deal with the issue.
In a blog post dated 19 May, Moy was understandably vague about the nature of the flaws discovered by NSS Labs researcher Dillon Beresford.
"In the course of his research, significant additional vulnerabilities in industrial control systems have been identified, responsibly disclosed and validated by affected parties," he explained.
"Due to the serious physical and financial impact these issues could have on a worldwide basis, further details will be made available at the appropriate time."
It was reported that Beresford, along with independent security researcher Brian Meixell, decided to cancel a presentation at the TakeDown conference in Dallas on Wednesday after a fix for the flaw proposed by the US ICS-CERT failed to work.
Attacks on Scada systems are particularly dangerous as they can disrupt key processes in water and waste treatment plants, pharmaceuticals factories and even nuclear power plants.
Although attacks on industrial control systems such as Siemens' Scada products have been rare since the Stuxnet worm highlighted the potential physical impact of web-borne malware on such systems, vulnerabilities continue to be discovered at a worryingly frequent rate.
Just last week the US ICS-CERT warned of a publicly available exploit which could allow hackers to take over Scada control systems built by Iconics, while in April research from application security management firm Idappcom found 52 new threats in March targeted at Scada systems.