“This is just the beginning; there are going to be a lot more issues discovered…There are lot of different aspects to what’s going on here”, Moy told Infosecurity.
Siemens said it is working to fix the vulnerability in its PLCs in response to the NSS Labs research. PLCs are devices that communicate with and control physical devices in industrial processes.
“Siemens is working together with both NSS Labs and ICS-CERT [Industrial Control Systems Cyber Emergency Response Team], and we are in the process of testing patches and developing mitigation strategies. Siemens and ICS-CERT have validated that direct access to the product within an automation network is required for these irregularities to take place within the PLC.”
Earlier this week, Dillon Beresford, a security researcher at NSS Labs, decided not to deliver a presentation on the research scheduled to be given at the TakedownCon conference in Dallas, Texas.
Moy said that his company had been in talks with Siemens and the ICS-CERT “weeks before” the conference about the research. “Given that this was a new vulnerability that didn’t have any fixes we wanted to make sure the appropriate people were involved”, he said.
The NSS president explained that during the talks, the scope of the problems created by the research increased. “Given that there was no remediation and the presentation we had planned had a lot of information in it, at the last minute our guys decided not to go public with that particular demonstration at that time.”
Moy stressed that this was a voluntary decision and that the company plans to give a presentation on the research at a later date. “We do intend to share more details, probably in phases, in a way that won’t jeopardize people’s safety. We have a line to walk here. We need to share enough information so that owners and operators of SCADA [supervisory control and data acquisition] systems can take it seriously and take some protective action, without allowing the bad guys to get hold of information to compromise these systems.”
Siemens SCADA systems were the object of the attack by the Stuxnet worm, which exploited system vulnerabilities to disrupt Iran’s nuclear program.