Security researcher NSS Labs has hit back at Siemens' claims that critical vulnerabilities in industrial control systems from the German maker worked only in the lab.
NSS Labs said it knew of zero-day holes in Siemens' programmable logic controllers used in supervisory control and data acquisition or Scada systems used by utilities such as power and water suppliers and in nuclear reactors.
NSS Labs will show how the vulnerabilities were exploited at the Las Vegas Black Hat conference in August.
The researcher claimed the vulnerabilities were so dangerous that it pulled out of a conference last month where it was scheduled to disclose them to give Siemens time to fix the holes. Siemens supplied NSS Labs information about the location of affected Scada systems and what they were controlling prior to the event.
But NSS Labs said deploying the patches would not be easy: “Some remediation steps require a yet-to-be-released firmware update to be tested and then deployed to devices in the field".
"This is a significant process that impacts logistics and operations of industrial control systems worldwide.”
Siemens had not responded to questions by time of publication but in an earlier statement to IDG it said the holes were exploited under lab conditions.
"While NSS Labs has demonstrated a high level of professional integrity by providing Siemens access to its data, these vulnerabilities were discovered while working under special laboratory conditions with unlimited access to protocols and controllers," Siemens said.
In a statement to SC Magazine, NSS Labs said the exploits worked in the real world.
“There are multiple vulnerabilities" in Siemens' logic controllers "which can be remotely exploited by an attacker under typical network conditions”, a spokesman for NSS Labs said.
“Attackers are able to hijack [logic controllers] and completely control and reprogram them at will, with serious consequences for the environment.”
Siemens said critical controllers were air-gapped, or not connected to the network. But as the Stuxnet worm proved, malware can bypass physical network separation by installing itself through removable media such as USB drives.