Friday, August 5, 2011

Siemens Security and Video Surveillance

With all of the discussion this week surrounding the Beresford Black Hat presentation about Siemens PLC vulnerabilities, I ran across an interesting infoticle (article version of an infomercial) on concerning a video surveillance system from Siemens. While I know nothing about the video surveillance services by Siemens, the first question that came to mind when I saw this infoticle was how secure is this system?

While I have an understandable leeriness concerning security whenever I hear ‘Siemens’, I suppose that this is a question that should be asked about any video surveillance system. We have all seen the spoofing of video surveillance systems in movies and TV shows, and I suspect that there is a great deal of artistic license in those portrayals. But, since these systems are in effect cyber information systems, they are potentially susceptible to all of the standard cyber-attack modes.

A denial of service attack on a networked video surveillance system could result in a failure of that system to provide the intrusion detection function of the system, potentially compromising the entire security program for the facility. Interception of the video information being transmitted on the systems could give an attacker critical information necessary for penetrating the facility. Remote manipulation of the system information could result in a large number of false positives that could compromise the response to actual system alerts. And finally, I suppose that, while probably technically challenging, it would be possible to do a movie style loop-recording spoof of the system to allow facility penetration.

As with any computer system purchase, the buyer needs to ask the vendor serious questions about cyber security issues related to these video surveillance systems. Some vendors’ responses will need to be independently verified before they can be relied upon.
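
To make the manipulation, loop-recording and denial of service concerns above concrete, here is an added example (not code from this post or from any Siemens product) of a recorder-side check that authenticates each frame and flags altered, replayed, stale or missing video. The per-camera shared key, the packet layout and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"       # assumption: per-camera secret shared with the recorder
HEADER = struct.Struct(">QQ")       # assumed layout: sequence number, capture time in ms

def seal(key, seq, ts_ms, frame):
    """Camera side: bind sequence number and capture time to the frame bytes."""
    header = HEADER.pack(seq, ts_ms)
    tag = hmac.new(key, header + frame, hashlib.sha256).digest()
    return header + tag + frame

class FrameVerifier:
    """Recorder side: reject altered, replayed or stale frames; notice silence."""
    def __init__(self, key, max_gap_ms=2000):
        self.key = key
        self.max_gap_ms = max_gap_ms
        self.last_seq = -1
        self.last_ok_ms = None

    def check(self, packet, now_ms):
        """Return 'ok', 'malformed', 'tampered', 'replayed' or 'stale'."""
        if len(packet) < HEADER.size + 32:
            return "malformed"
        header, tag, frame = packet[:16], packet[16:48], packet[48:]
        expected = hmac.new(self.key, header + frame, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "tampered"       # frame or header changed in transit
        seq, ts_ms = HEADER.unpack(header)
        if seq <= self.last_seq:
            return "replayed"       # an authentic frame seen before, e.g. a loop
        if abs(now_ms - ts_ms) > self.max_gap_ms:
            return "stale"          # authentic but captured too long ago
        self.last_seq, self.last_ok_ms = seq, now_ms
        return "ok"

    def stalled(self, now_ms):
        """True when no valid frame has arrived recently (feed blocked or flooded)."""
        return self.last_ok_ms is None or now_ms - self.last_ok_ms > self.max_gap_ms

def demo():
    # Constructed sample frames; times are milliseconds on a shared clock.
    v = FrameVerifier(KEY)
    p1 = seal(KEY, 1, 1000, b"frame-A")
    p2 = seal(KEY, 2, 1040, b"frame-B")
    forged = p2[:48] + b"frame-X"   # valid header and tag, different image bytes
    return [v.check(p1, 1005), v.check(p2, 1045), v.check(p1, 1085),
            v.check(forged, 1090), v.stalled(5000)]
```

This check covers integrity and freshness only; keeping intercepted video unreadable would additionally require encrypting the stream.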

Dale Peterson said...


I would not prejudice the security judgement of this product or other divisions at Siemens by the security problems of Simatic/S7. Siemens is a huge company, and the divisions can be quite autonomous.

For example, the Spectrum Power products and SDL is much better / has made significant progress like many other ICS vendors who deal with workstation and server software.

I probably have been remiss in not mentioning this in every blog entry, but it gets tiresome to add the caveat each time.

Dale Peterson

