25 May 2011
Security failings in Siemens' industrial control software, and the company's lax response, could lead to a worse attack than Stuxnet, experts have warned.
Researchers at NSS Labs cancelled a presentation last week on vulnerabilities in Siemens' industrial control systems on the grounds that the company had not fixed the problem.
NSS Labs researcher Dillon Beresford said that Siemens is whitewashing the problem and leaving serious security flaws open.
"The vulnerabilities are far reaching and affect every industrialised nation across the globe," he said on a security disclosure web site. "This is a very serious issue."
Beresford successfully hacked the Siemens Programmable Logic Controller (PLC) system using parts bought online for $2,000, provided by NSS Labs.
He worked with Siemens and other researchers to fix the flaw, but was able to break its latest security patch in just 45 minutes.
However, Siemens said that it is working on the issue and expects to have a new patch within a couple of weeks. The company said in a statement to V3.co.uk that it is confident the flaws will not be a problem.
"Independent research uncovered that the Siemens PLC entered into a secure stop mode when the gap was tested without any IT security measures," Siemens said.
"In this environment, the PLC would have stopped a manufacturing process in a controlled manner. For customers with standard IT security measures in place, there is no risk for workers or the manufacturing process."
Siemens said that it is testing the patches with ICS-CERT, and is posting updates on the situation online.
But this response did not fit the data, according to Rick Moy, president of NSS Labs. Siemens had discussed a security system to fix the problem, he told V3.co.uk, but there was no mention of a shutdown procedure and the additional software did not even work.
Moy warned that testing in "laboratory conditions" is no defence against real-world attackers, pointing out that tests by the Department of Homeland Security had shown how even a simple shutdown of a few key controls could destroy industrial equipment such as turbines or generators.
"These vulnerabilities are more broadly applicable than Stuxnet," he said. "Stuxnet used Windows vulnerabilities to attack the PLCs, but these attacks go directly to the PLCs themselves."
The NSS Labs team had given Siemens hundreds of thousands of dollars' worth of free research into its security problems, and Siemens is trying to duck the issue, according to Moy. This is sending a bad message to the research industry, he said.
Companies like Microsoft and Adobe had actively engaged with the research community about software flaws, and Google and Mozilla offer cash bounties for vulnerabilities before criminals find them.
But Moy said that Siemens is stuck in a similar mindset to 1970s car firms fighting against seatbelts and airbags.
Security expert Bruce Schneier agreed, pointing out that Siemens' response is all too familiar for people working in the IT security industry. What makes it more worrying is that these flaws could have more dangerous consequences than any email virus.
"SCADA systems that control industrial processes are one of the ways a computer hack can directly affect the real world," he said.
"It's not bad guys deleting your files, or getting your personal information and taking out credit cards in your name, it's bad guys spewing chemicals into the atmosphere and dumping raw sewage into waterways.
"It's Stuxnet: centrifuges spinning out of control and destroying themselves. Never mind how realistic the threat is, it's scarier."
You ain't seen nothin' yet
Beresford and NSS have done laudable work on this front, but they and Siemens are still just addressing isolated exploits and incremental solutions to a problem that is actually architectural. The fundamental flaws in SCADA/PLC systems leave room for generic attacks based on broad principles. So long as the illusion of air gaps as the equivalent of isolation is believed, all ICSs remain open doors. Generic exploits and attack vectors, such as those argued by Ralph Langner and outlined in the Lior Samson novel, Web Games (Gesher Press, 2010), are the biggest threat, since they do not require such detailed knowledge of the software or hardware to succeed some percent of the time. Some percentage is more than enough for cyber-terrorism to succeed in sowing industrial chaos.
Posted by: Larry Constantine 27 May 2011