Slashdot Mirror


Researcher Claims Siemens Lied About Security Bugs

chicksdaddy writes "A month after an unknown gray hat hacker calling himself 'pr0f' used a three character password to hack his way onto Siemens software used to manage water treatment equipment in South Houston, Texas, a security researcher working for Google is accusing the company of trying to cover up the existence of other, more serious vulnerabilities in its products. Billy Rios has disclosed a range of vulnerabilities in Siemens SIMATIC software on his blog. The holes could allow a remote attacker to gain access to the Simatic user interface without a user name and password. Rios claims that he has disclosed the hole to Siemens and that the company has acknowledged the problem, only to deny its existence when a reporter asked for more information about the vulnerability."

9 of 46 comments

  1. Lose the remote... by LostCluster · Score: 3, Insightful

    The main problem these things have is that there's nothing more than password authentication protecting them from any random user getting in, and passwords sometimes leak or get guessed.

    For this kind of access there should be a technician dispatched to the site... no remote login should be allowed. Water control is a lot like Enron's electricity control in that a wipeout of any size can cause a complete mess of a local economy.

    1. Re:Lose the remote... by plover · Score: 4, Insightful

      I don't know about your community, but mine complains incessantly about taxes. If we had to have full-time SCADA engineers guaranteeing on site support 24x7, we'd have to pay more for water, sewer, gas, electricity, street lights, traffic control signals, and all those other industrial controllers that are hidden under little green boxes on the side of the roads.

      And I live in a large, wealthy city that could afford such amenities. I'm picturing the poor bastards in Bumfuck, Idaho*, population 174, located three hours from the nearest grass-strip airport. Who exactly is going to monitor their town water pump and filtration plant? Are you and every other taxpayer going to agree to pony up an extra $500/year to have a SCADA engineer sitting in the town bar all day and night, just waiting for your pump to croak? Or are you going to contract with REMOTE-SCADA-R-US.com to remotely monitor and maintain your plant, and possibly fix issues in minutes instead of days?

      I'm not saying that they should just plug it into the internet and walk off. But disconnected isn't even an option for a lot of installations.

      *My apologies to any fatherless indigents living in or near Bumfuck, Idaho. I'm sure you're all very nice people.

      --
      John
  2. Huh. by jd · Score: 3, Insightful

    I seem to remember seeing SCADA vulnerabilities being added to vulnerability testing tools and IDS systems recently -- anyone know if this is related (i.e., the tools now check for these non-existent flaws) or if the additions were to cover previously-reported bugs?

    If the former, Siemens had best fix this damn fast. Infrastructure companies are in a corner - they don't have the cash for a major migration and alternative vendors are hardly thick on the ground. Some will be unable to afford decent security and others will be too politicized to secure their networks. Much of the infrastructure is too big and/or too expensive to duplicate, so the market is useless. The only place this can be fixed is at Siemens itself. The others that technically could won't and the rest can't.

    The problem with the current paranoia over security is that you can't fix a fault you won't admit exists, companies won't deploy a fix if you tell them it's not needed, and so what you're ultimately left with is not security, merely obscurity.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Huh. by rahvin112 · Score: 2

      The solution given the reality of Siemens is to simply disconnect these SCADA systems from the internet. Why would anyone hook up industrial controls to the wider network? And yes, I mean every single workstation that has access to the SCADA machinery should be disconnected from the broader internet. If that means people need two computers on their desk, that's the solution. If that means you have to dispatch someone to the office to fix things, that's better than some hacker causing a massive failure by mis-configuring valves intentionally or through ignorance.

      I'll tell you something, these local municipalities can afford a little overtime and computers far more than destroyed infrastructure.

  3. Re:pr0f exploit a hoax? by Em+Adespoton · Score: 3, Informative

    That was a different water-treatment event; in fact, it's the one that prompted pr0f to pull his attack, because nobody was taking the security holes seriously: http://nakedsecurity.sophos.com/2011/11/22/interview-with-scada-hacker-pr0f-about-the-state-of-infrastructure-security/

  4. Um, no, that's a BAD idea by gerf · Score: 4, Insightful

    The problem is not necessarily with Siemens. Industrial controls in general are not inherently meant to be accessible over large networks. They're designed to run reliably as they are, not with patches and updates. This applies to anything from Siemens/Fanuc/Rexroth/Allen-Bradley/Mitsubishi to Cognex cameras to ABB/Fanuc/Kuka robots, or any little bastardized system in between.

    Why not? Well, there is a ton of weird, unique software that runs on industrial controllers. They run some really embedded HMI (Human Machine Interface) software on top of, say, XP Embedded, or even NT4 or Win2k or some Linux flavor, or WinCE. If you start throwing out patches to those systems, there is a very very good probability that at some point, the system that you are updating will fail due to the update. Heck, Siemens updates regularly break its own software, much less Windows patches. If you try, and screw things up, you're forced to revert to some old dated backup or Ghost image stored in a filing cabinet on a CD-R or server if you're lucky. If you're not lucky, you call the vendor in to fix your broken system. Hopefully they are competent enough to have a backup from their last visit 6 years ago, and work from there, losing all your work in the meantime. So, you have machine downtime of hours, days, or even weeks if you're not lucky. How much does downtime cost? It depends on how many systems you took down, and the product. Conservatively, anywhere from $5,000 to $1,000,000 per hour.

    What to do? You obviously can't push out patches. But, there is a lot of good that comes from monitoring machines, their productivity, uptime, faults, etc, remotely. By taking these systems off of an internal network, you also lose productivity in efficiency losses. So, you're forced to be the High Priest of IT and lock down a network like no other. No outside USB sticks, manufacturing firewalled off from the rest of the plant, and all kinds of restrictions that make users angry. It sucks, but it's possible. Unfortunately, small time manufacturers with their one part time learn-on-the-fly IT guy probably won't do it right. Perhaps this is where the DHS can come in to help, in the name of national security?

    1. Re:Um, no, that's a BAD idea by Twylite · Score: 3, Informative

      You are ignoring the essential role of HMI in SCADA systems. A SCADA can acquire data and coordinate components without a UI, but operators cannot monitor a plant or take corrective action without an HMI.

      The HMI is graphical and allows the operator to override normal operation in order to respond to abnormal situations. It needs all the input and output devices a normal workstation requires.

      You are also ignoring the issue of data storage by SCADA systems, and the generation of reports on that data which are used by various business departments in real-time. A Manufacturing Execution System may provide real-time reports for sales staff so that they can give customers accurate estimates of completion/delivery dates. Orders are added to a queue and will be automatically executed by the SCADA. Stores will receive low-stock notices for just-in-time ordering. Line stops exceeding 2 hours will result in automatic escalation to the COO.

      This level of automation brings huge business benefits. The business is more responsive to customer needs, and there are fewer manual steps involved in completing an order (leading to fewer mistakes, less waste, fewer unsatisfied customers). The downside is that the business network is directly connected to the MES and the SCADA in a manner that allows at least some commands to be issued (as opposed to having read-only access to a database). An air-wall is not possible.

      So now you have PCs on the business network able to interact with a MES which is necessarily able to access the network with the SCADA and HMI. And there's a 100% chance that the business PCs have e-mail access, which means that somewhere there is a physical cable to the outside world.

      "They could have developed their own operating system"

      Yeah, because they have extensive expertise in OS development and oodles of cash to throw at the problem, and as we well know the available commercial and free embedded OSes never have bugs.

      The problem is that the environment is not conducive to upgrades/patches and is hard to isolate logically. The economic reality is that for any given SCADA environment the risk* inherent in regular upgrades is larger than the risk of a malicious attack (for now).

      * = (likelihood of event) x (cost of event), where cost includes recovery plus the direct and opportunity costs of downtime.

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
  5. Is it still lying if you don't know you're lying? by arglebargle_xiv · Score: 2

    The OP claimed that Siemens lied about the security of their SIMATIC controllers, but don't you have to know you're lying in order to lie? Having dealt with Siemens over these things in the past (at one point we debated flying someone to Munich to club them repeatedly over the head until they realised there was a serious, showstopper flaw in their control system), it's quite probable that they genuinely believe that they're secure. We ended up using Allen-Bradley gear in the end, which also sucked, but not as much as the Siemens stuff.

  6. Re:Siemens sucks by Almost-Retired · Score: 2

    No, I don't think they "have a very good understanding of technology".

    Many moons ago, when I set up my first NATed local network here, I bought a Siemens router. I set it up with a 12 character PW for admin purposes, the maximum it would allow. It was rooted and bricked 3 days later. If it was that easily attacked, I sure as hell didn't want it and took it back to Circuit City. They agreed, and weren't surprised that it came back.

    So I next brought home a Linksys BEFSR41, which in a pinch I can still use. But it was eventually replaced with dd-wrt running on an old x86 box, whose radio never worked despite registering it, so now I have a Netgear something or other whose radio uses WPA2 with about a 120 char passphrase, and Just Works(TM).

    Maybe things have changed in the last decade, but I personally don't use the words Siemens and technology in the same sentence.

    Now, for the person who used Bumfuck, Utah as an example, what makes you think they would have anything more sophisticated than a pressure switch, adjusted for the height of the water storage tank, to control their water pumps?

    Sheesh, that ain't high tech, needing a computerized system to run it. The town clerk probably goes around reading the meters & sending out the bills on an old Pentium powered box running winderz 3.1 from floppies, likely without any connection except the printer's parport cable.

    So Bumfuck, Utah's water supply is not subject to a terrorist attack via this here intertubes, and is far safer than any bigger town that is all "modern & computerized".

    Cheers & a merry Christmas to all, Gene