After Delay, Hacker to Show Flaws in Siemens Industrial Gear

A security researcher who says he’s found serious problems with Siemens computers used in power plants and heavy industry is now expecting to go public with his research at the Black Hat security conference in Las Vegas.

In May, NSS Labs Researcher Dillon Beresford pulled out of a Dallas hacking conference at the last minute when Siemens was unable to fix problems he’d found in the firmware of its S7 programmable logic controller. After consulting with Siemens and the U.S. Department of Homeland security, NSS decided that it was simply too dangerous to go public with its information before a patch could be fully developed. The systems Beresford had hacked are used to run power and chemical plants, some of which could be damaged if they were hit by a computer attack.

Now NSS Labs CEO Rick Moy says Beresford is rescheduled to deliver his talk at Black Hat, which runs Aug. 2-3.

Beresford has discovered six vulnerabilities in the S7 that “allow an attacker to have complete control of the device,” Moy said. Devices like the S7 do things such as control how fast a turbine spins or open gates on dams.

The attack was developed on an S7-1200 system, but NSS believes other models of the S7 are also vulnerable.

For Beresford’s attack to work, a hacker would have to first be on the same network as the Siemens system. Industrial systems like the S7 are often designed to run on “air-gapped” networks that are physically separated from the rest of the plant’s computer systems. That would protect them from Beresford’s attack, but security researchers have shown that it’s often possible to reach these networks from the Internet. The Stuxnet worm, for example jumped across networks by infecting USB drives.

Breaking into some industrial networks would be even easier than that, according to Moy. “The dirty little secret about [such industrial] systems in general is that very few are properly air-gapped,” he said.

NSS Labs expects Siemens to issue a patch in the next few weeks, well ahead of the August presentation. “They didn’t give any firm timelines,” he said. “They said unofficially that they were pretty confident that they’ll be able to get their stuff out before then.”

Siemens could not immediately be reached for comment.

However, in previous statements, the company has implied that the NSS attack might be hard to pull off in the real world. “While NSS Labs has demonstrated a high level of professional integrity by providing Siemens access to its data, these vulnerabilities were discovered while working under special laboratory conditions with unlimited access to protocols and controllers,” Siemens said last month.

Beresford wasn’t impressed with that comment. In a May interview, he called for Siemens to publish a security advisory on the bugs along with a timetable of when they will be fixed. “Now that they’re trying to minimize the impact and do PR damage control, I feel that they’re not servicing the public’s interest,” he said. “I’m not pleased with their response… They didn’t provide enough information to the public.”

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com