The Siemens Twitter® feed has been touting the benefits of the newest member of
the S7 PLC family, the S7-1500. A recent
Tweet noted that “S7-1500 provides a security concept that protects
investments & contributes to higher plant availability”. It is nice to see
that Siemens is actively advertising security in this new product, but a closer
look will be needed to see how well Siemens is actually doing with its security
work.
Siemens Security Claims
The nice color glossy brochure available through the Siemens web site (but not actually on
the site, kind of odd) dedicates a full page (page 4) to the security measures
included in the device and the associated TIA portal. It mentions four specific
security features:
• Know-how protection;
• Copy protection;
• Access protection; and
• Manipulation protection.
Given the brief explanation provided (it is, after all, an
advertising brochure), it appears that the first two features are principally
designed to protect the intellectual property of the user, while the last two
are more directed at cybersecurity and protection of the connected process from
outside manipulation.
The access protection claims are supposed to protect “against
unauthorized project-planning changes”. They include allocation of “rights” to
various users based upon permission levels and communications protections via
an integrated firewall (in the CP 1543-1). There is no mention of how user
identification is assured (passwords? Key authentication? Biometrics?). The
issue of command/information encryption is also not addressed.
The discussion of ‘manipulation protection’ is even vaguer. It
notes:
“The system protects the data being
transmitted to the controller from unauthorized manipulation. The controller
recognizes the transmission of engineering data that has been changed or comes
from a strange source.”
There is no mention of how that data is protected (one would
like to assume encryption) or how ‘changed engineering data’ is recognized.
Again, this is an advertising brochure, not an engineering document, but one
would like to see a little more meat on this very thin bone.
Security Commitment
Siemens is certainly making the effort to talk-the-talk, but
we have a ways to go to see how well they are walking-the-walk. We have already
seen multiple vulnerabilities (here and here) reported in their TIA Portal; the
large group of vulnerabilities seems to have been fixed promptly. The second (and
older) vulnerability has just been addressed with a workaround (keep it disabled
when not in actual use?); apparently no actual fix is planned.
I would be much happier with the Siemens security commitment
if I had heard that they had provided some devices to some well-known security
researchers to check for vulnerabilities. If Rios & McCorkle, Beresford, Toecker,
or Langner (to name just a few of the qualified candidates) were given a chance
to have a go at the new product and found nothing, I would be very impressed
with the change in engineering at Siemens. If they did find something wrong
(and I suspect that all ICS equipment will have readily findable faults for the
near term), but the vulnerabilities were rapidly fixed, I would still be
impressed. Hell, just making the devices available would impress me.
As it is, time will tell how well Siemens is executing the
security responsibility that they are beginning to take seriously in their
advertising.