New Siemens Vulnerabilities?

The vulnerability disclosure issue got ugly earlier this week. A security researcher who was scheduled to make a presentation at the Takedown ‘security conference’ (well that’s how Wired.com described it in their article on the situation; to an outsider like me it sounds like a hacker convention) on hacking the Siemens control systems pulled his presentation (“Chain Reactions — Hacking SCADA” )at the last minute. According to the researcher, Dillon Beresford from NSS Labs, he was politely asked to pull the presentation by Siemens and ICS-CERT when Siemens discovered that a patch they had developed for one of the vulnerabilities that he was going to discuss had already been bypassed.

Responsible vs Immediate Disclosure

Beresford has apparently come down on the side of ‘responsible disclosure’, a policy encouraged and facilitated by ICS-CERT. In this type disclosure process the security researchers first report their vulnerability discoveries to vendors or an organization like ICS-CERT who coordinates with the vendor. Only when a method to correct or mitigate the vulnerability is developed is the news of the vulnerability made public. Supporters of this policy note that pre-mature (before there is a defense) disclosure puts system owners at risk without providing them a defense.

Opponents of ‘responsible disclosure’ (I’m talking about security researchers here not malicious hackers) point to numerous horror stories about efforts to make a responsible disclosure where they were ignored or rebuffed by the vendor involved. They also point out that if they could find the vulnerability other, less ethical researchers (malicious hackers) could as well. They would prefer to see system owners notified so that they could take some sort of protective precautions.

Actually, as in most issues, there are a large number of researchers who fall somewhere in the middle on this issue. These people would recommend giving venders a ‘reasonable’ amount of time to come up with a patch or mitigation procedure. If there has been no response by that time most would then come down on the side of immediate disclosure.

There is another side of this that is less frequently discussed, but deserves mention. Security researchers are, for the most part, in the business of system security. They sell their expertise to system owners who turn to them to protect their computer systems. A researcher who has his name attached to a number of vulnerability discoveries has demonstrated his expertise; its like having patents or published articles. Early disclosure provides the researcher with control of who gets credit for the discovery; this may be missing in coordinated disclosure situations.

Siemens Vulnerability

In this particular situation we have an unusual set of circumstances. First the world now knows that there are mulitple vulnerabilities in the Siemens SCADA systems and at least some are related to its PLCs (Programmable Logic Controllers). This is may be the same general type of vulnerability used by the crafters of Stuxnet (and reported on in-depth by Ralph Langner), or it may be an entirely new vulnerability. Which ever, it appears that it would allow an attacker to take control of a PLC and make changes in the physical processes controlled by the subverted PLC.

This is potentially very serious. Just ask your process safety team what could go wrong if one or more of the PLCs in the control system just started to do the wrong thing at the wrong time, opening valves instead of closing them; keeping pumps running while the storage tank is overflowing. And, remember, that Siemens is one of the top suppliers of PLCs in the world. Even in facilities where Siemens control systems have been replaced by another vender, there is still a good chance that one or more Siemens PLCs remain buried in the system.

Partial Disclosure

What we now have with the Siemens systems is neither responsible disclosure nor full disclosure (I like that better than the alternative – ‘irresponsible disclosure’). The world knows that there is a serious vulnerability in the Siemens control systems. System owners have no idea what type of actions – short of system shutdown – that they can take to protect their manufacturing processes.

Beresford and his co-workers at NLS Labs know what the vulnerability is, but that is okay as they don’t appear to be about overflowing storage tanks.

The rest of the security research community (and less ethical hackers) now know that there are exploitable vulnerabilities is a very common system. Providing that knowledge is like throwing raw meat to a pack of starving dogs. And Beresford inadvertently made it worse by telling the people from Wired.com that the vulnerabilities were ‘easy to find’; that’s like questioning the manhood of a gangbanger. Just look at the recent number of vulnerability reports for systems with vulnerabilities identified by Luigi earlier this year.

Open season has now been declared on Siemens control systems. Every hacker and security researcher worthy of the name will be trying to figure out the vulnerabilities that Beresford identified and expanding on that list. Oh, and if you don’t have a Siemens system or any Siemens PLCs in your control system, don’t be too confident. Beresford told Wired.com that at least one of the vulnerabilities that he discovered affects systems from multiple vendors.

System Owners

What is the owner of a Siemens control system to do with this information? Besides hoping and praying, not much more than should have already been done with your system. Minimize and understand the system exposure to the Internet and other networks. Watch the system logs very carefully for unusual activity. And, if you don’t have a system security team in house or under contract, make sure you have the contact information for ICS-CERT (see their web site). They don’t typically stop problems (manpower and liability issues) but they are resource for helping facilities to recover. Unless, of course, the attacks are wide spread; their small team can be quickly overrun.