IDG News Service - Siemens is working on a fix for some serious vulnerabilities recently discovered in its industrial control system products used to manage machines on the factory floor.
The company said Thursday that it was testing patches for the issues, just one day after a security researcher, Dillon Beresford of NSS Labs, was forced to cancel a talk on the issue because of security concerns.
NSS Labs had been working with Siemens and the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response (ICS CERT) on addressing the issues for the past week-and-a-half. But the company decided to pull its talk when it turned out that Siemens' proposed fixes were not completely effective, according to Rick Moy, CEO of NSS Labs.
Siemens didn't say when it expected to fix the problems. "Our team continues to work diligently on this issue -- also together with both NSS Labs and ICS CERT. We are in the process of testing patches and developing mitigation strategies," Siemens said in a statement.
Industrial control systems have come under increased scrutiny in the year since the Stuxnet worm was discovered. Stuxnet, thought to have been built to disrupt Iran's nuclear program, was the first piece of malware built with industrial systems in mind, and it targeted a Siemens system.
Since then, security researchers have been poking and prodding all sorts of industrial devices, and by all accounts, they've found plenty of bugs.
While Siemens may be developing patches, installing them will be another issue entirely. Industrial systems are difficult to patch; entire production lines may have to be taken offline for a fix to be rolled out, and that can take months of planning. Many factories run old, unpatched systems and it's still common to see unsupported systems such as Windows 2000 on the factory floor.
Not much is known about the Siemens bugs themselves, but in an interview Wednesday, Moy described them as serious enough to allow hackers to control a Siemens PLC (programmable logic controller) system.
But in its statement, Siemens downplayed the issue somewhat, implying that the flaws might be difficult for the typical hacker to exploit. "While NSS Labs has demonstrated a high level of professional integrity by providing Siemens access to its data, these vulnerabilities were discovered while working under special laboratory conditions with unlimited access to protocols and controllers," Siemens said.
- Budd Van Lines Moves Data Closer to Home Shipping and logistics company Budd Van Lines uses Infinio to improve performance on their VDI environment. The company employs a virtualized datacenter based...
- Storage Performance with Cost Control As IT groups expand their server virtualization initiatives, central storage performance can become the bottleneck and create poor end user experience.
- Server-side Caching for the VMware Admin vExpert David Davis weights in on how best-in-class server-side caching solutions can drastically improve storage performance and reduce latency without the addition of...
- Move Mission-Critical Apps to the Cloud with AWS and F5 Read this paper to learn about adoption inhibitors of the cloud, potential solutions, and how advanced Application Delivery Controller (ADC) technologies are critical...
- What Does it Take to Deliver a Superior Customer Experience? The Two Top-Rated Online Retailers, B&H Photo and Crutchfield Electronics, Share Their Secrets Discuss practical CX tools and service methods such as contact center agents and the use of realtime speech analytics to help contact center...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All Government/Industries White Papers | Webcasts