Friday afternoon the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an update of the alert for Siemens PLCs that had been published the previous weekend. This new information comes from Siemens. They have confirmed the existence of the vulnerability that Beresford found in certain S7-300 PLCs (a list is included in the revised alert) and claim that it does not affect any of the S7-400 PLCs.
A number of bloggers and Tweeters have questioned the timing of this information; it seems that too often the information from ICS-CERT concerning Siemens products comes out late Friday afternoon. It isn’t clear if the timing is ICS-CERT or Siemens driven, but it does look like it is being designed to come out too late for most organizations to react to the release in a timely manner.
It seems odd to me that Siemens started fixing this issue in some version of the S7-300 PLCs as early as June 2009 and has still failed to let their customers know about the vulnerability so that older versions of the PLCs could be updated. As recently as earlier this month Siemens was publicly claiming that there were no known security issues with the S7-300 or S7-400 PLCs. Is it any wonder that many people are questioning the truthfulness of the claim in this updated alert that the S7-400 PLCs are not affected by this latest vulnerability?
There is one other oddity about this update. Typically, ICS-CERT issues an alert when it has just some preliminary information about an identified vulnerability. Once the vendor has confirmed the issue and provided mitigation measures, ICS-CERT will then issue an ‘advisory’ to replace the alert. Publishing this new information as an update to the alert rather than publishing it as an advisory would seem to indicate that ICS-CERT has not been able to verify this information.