Researcher blasts Siemens for downplaying SCADA threat

Bugs "more serious than Stuxnet," says NSS Labs, whose researchers pulled a talk on exploits

The security researcher who last week voluntarily canceled a talk on critical vulnerabilities in Siemens' industrial control systems took the German giant to task Monday for downplaying the problem.

Dillon Beresford, a researcher with NSS Labs, took exception to Siemens' claim that the vulnerabilities he and colleague Brian Meixell uncovered had been discovered "while working under special laboratory conditions with unlimited access to protocols and controllers."

"There were no 'special laboratory conditions' with 'unlimited access to the protocols.' My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory," said Beresford in a message posted on a public security mailing list. "[And] I purchased the controllers with money my company so graciously provided me with."

While Siemens promised last week that it would patch the bugs, it downplayed the threat to its industrial control systems, and to the thousands of companies that rely on Siemens' PLC (programmable logic controller) systems, argued Beresford.

"It's very discouraging...when a vendor tries to minimize the impact of a critical issue for the purpose of saving face in the public," Beresford said in a follow-up message on the SCADASEC mailing list. "It sends out the wrong message to people who are trying to do the right thing."

Industrial control systems like Siemens' monitor and manage everything from oil drilling rig equipment and power plant operations to skyscraper elevators and high-speed trains in Japan.

Dubbed SCADA for "supervisory control and data acquisition," the systems and their security have been under intense scrutiny since the Stuxnet worm was discovered almost a year ago. Stuxnet, a worm that some experts have called "groundbreaking," is believed to have been built to sabotage Iran's nuclear program, particularly the gas centrifuges the country uses to enrich uranium.

Stuxnet was the first in-the-wild worm that attacked SCADA systems.

Rick Moy, the CEO of NSS Labs, and Beresford's boss, backed up his researcher in an interview Monday.

"Siemens chose to use language that's vague and misleading," said Moy of Siemens' statement last week, in which it implied that the flaws would be very difficult to exploit. "They tried to downplay the impact to their customers. That's what was concerning to us."

Beresford and Meixell pulled their presentation of their own accord after consulting with Siemens and the U.S. Department of Homeland Security (DHS), which expressed concerns about potential use of the information by hackers.

But Moy said Siemens' customers deserve to know more.

"The right thing [for Siemens] to do for customers is to let them know they need to reevaluate how their networks are architected," Moy said. "These issues completely obviate the need for the software, and allow an attacker to directly access the PLCs."

Stuxnet exploited vulnerabilities in Windows to infect computers that ran Siemens SCADA software, giving the attackers access to the software that in turn controlled PLC devices.

"This is a completely different class of vulnerabilities than Stuxnet exploited," said Moy. "It's more serious than Stuxnet."

NSS Labs will not publicly release technical details about the PLC vulnerabilities, nor proof-of-concept exploit code, Moy continued. But the company will do an end-around Siemens and discuss the flaws with SCADA operators that it's confirmed are legitimate.

In the next week or two, NSS Labs will demonstrate the impact of the vulnerabilities to SCADA operators on an invitation-only basis. Moy asked concerned users of Siemens PLC devices to contact the company for more details on the demonstrations NSS Labs plans to host at its Carlsbad, Calif. office.

At the same time, NSS Labs will also outline possible mitigation steps users can take to protect their SCADA systems from attack.

Moy felt that was the right path to take. "The companies who own these devices are up in arms over Siemens' slow response," Moy said.

In the meantime, he had little advice for companies using Siemens PLC devices. "Unplug your stuff," said Moy.

"Actually, it's not as simple as that," he continued. "But waiting for a fix from Siemens is not the best that you can do."

He declined to be more specific about what steps SCADA operators can take.

Moy also expressed frustration that the news last year of Stuxnet's success -- Iranian officials have acknowledged the worm affected its primary uranium enrichment facility -- hasn't prompted SCADA suppliers like Siemens to push harder on the security front.

But he had hopes the latest discoveries would prompt Siemens to act and push SCADA operators to pay more attention to security.

"The bright side to this is that these aren't the only vulnerabilities. There are definitely even bigger issues for industrial control operators," said Moy. "The visibility of these vulnerabilities will hopefully give the industry more momentum toward better security, and force it to address the problems."

Siemens did not reply to a request for comment on Beresford's and Moy's claims that the company was minimizing the threat to SCADA systems and the industrial systems they manage.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.
