Security firm finds Siemens industrial systems flaw

By Staff Writers
May 24 2011 1:45PM
The German vendor disagrees.

An electronics security firm claims to have identified a flaw in Siemens industrial control management systems that may allow hackers to take control of electrical generators and other critical infrastructure.

The German conglomerate said it is studying the findings of the security firm, NSS Labs, but added that it may have overstated the risk or not taken into account real-world situations.

NSS Labs this month told Siemens that its industrial control systems contain a vulnerability that hackers could exploit to launch remote attacks on systems running critical infrastructure, taking over systems that handle power and water distribution, for instance.

Siemens is still recovering from fallout from last year's discovery of the Stuxnet virus, a computer worm specifically designed to attack its industrial control systems. In late 2009 or early 2010, Stuxnet is believed to have knocked out about 1,000 centrifuges used by Iran to enrich uranium.

"The vulnerabilities are far-reaching and affect every industrialised nation across the globe. This is a very serious issue," NSS researcher Dillon Beresford said in a note he posted Monday on a mailing list sent to professionals who monitor security of industrial control systems.

He criticised Siemens for failing to tell its customers they are at elevated risk of such attacks, which could affect electrical generators, water distribution systems and other critical infrastructure that run on Siemens technology.

But a spokesman for Siemens denied any fault, saying company officials are in a better position to assess potential security risks than researchers from an outside firm.

Siemens said NSS Labs did not have enough information to determine the severity of the risk.

NEED TO DISCLOSE

Beresford disclosed last week that he had found several security bugs that a hacker could remotely exploit to gain control of a key piece of hardware in those Siemens systems.

He was scheduled to discuss his findings at a security conference in Texas but canceled the presentation at the last minute to avoid publicising information that might be useful to criminals looking to attack Siemens customers.

"We pulled the talk and made it clear to Siemens that 'you needed to disclose this to your customers,'" said NSS Chief Executive Rick Moy. "They have not been proactive in notifying their customers."

Siemens spokesman Wieland Simon said his company was studying information it had obtained from NSS Labs. That included a software program that Beresford wrote to remotely attack a crucial piece of equipment in each industrial control system, a device known as a programmable logic controller module.

Simon also said that NSS Labs failed to study how Siemens systems are used in the real world.

"Operating under laboratory conditions and without any IT security measures in place, security experts have revealed some irregularities in the products' communication functions," Simon said. "The irregularities found under such conditions are of no significance."

He said Siemens needs more time to review the software program that Beresford wrote to launch attacks on its systems. "This is a very complex matter," he said.

Identifying serious security flaws in the products of corporations has become a flourishing business, fostering a fast-growing industry of large and small security companies devoted to the task.

NSS makes its living partly by consulting for corporations trying to determine which computers, software and electronics products are most secure. It conducts reviews of popular electronics products to see if they are as safe as their manufacturers claim.

When Stuxnet was first discovered last July, Siemens learned of the threat from a relatively obscure security firm in Belarus that was the first to find a sample of the virus.

In his email on Monday, Beresford said he hopes that Siemens will move quickly.

"The clock is ticking and time is of the essence," he said.

(Editing by Steve Orlofsky).

Copyright Reuters
© 2019 Thomson Reuters. Click for Restrictions.