Black Hat: Industrial systems flaws go way beyond Siemens

LAS VEGAS: The recent disclosure of vulnerabilities in Siemens progammable logic controllers (PLCs) are an indication of a much larger problem in industrial systems, according to experts at the Black Hat conference.

Researcher Dillon Beresford joined a panel of security researchers, administrators and industry experts to speak about his controversial study of remote access flaws in Siemens PLC hardware.

Siemens is in fact one of the better hardware vendors when it comes to securing PLC systems, according to the panel.

Jonathan Pollet, founder and principal consultant at testing firm Red Tiger Security, said that many vendors fail to provide even minimal protection for PLC systems.

"Beresford has opened up a can of worms in the industry that we have known of for a long time," he said.

"I think Siemens is one of the few companies that actually requires using passwords to send commands to the PLC."

The real problem, according to Pollet, is that many industrial appliances are based on decades-old platforms that were never designed to support sophisticated network infrastructures. Many PLCs are by design easy to access and manage.

Tim Roxey, director of risk assessment at the North American Electric Reliability Corporation, told reporters that addressing the issue requires much more than security bulletins and recommendations to administrators.

"It is going to be a long time. The nature of this issue is beyond the electric sector. It is all critical infrastructure and it is not [just] the US. It is around the globe."

The panel’s tone was not entirely negative, however. The experts said that, while infrastructure is vulnerable, the number and variety of PLC systems would make compromising an entire facility or region extremely difficult.

Tom Parker, director of security consulting services at Securicon, said that in extreme cases such as Stuxnet, the attackers had specialised knowledge of the systems they targeted and how they fit into the facility’s overall infrastructure.

"It would be a lot harder than people let on to take out the entire electrical grid. There are certainly a lot of problems, but the broader-scale impact is a little overstated," he said.