Siemens to Patch Critical SCADA Vulnerabilities

Siemens has announced plans to patch a number of critical vulnerabilities in its SCADA software after a researcher accused the company of trying to brush the issue under the rug.

In response to claims by security researcher Billy Rios that the company was dismissing reports of vulnerabilities, Siemens issued a statement noting that the company planned to patch a number of issues found by Rios and fellow researcher Terry McCorke next month.

“Siemens was notified by IT experts (Billy Rios and Terry McCorke) about vulnerabilities in some of its automation products,” the company said. “These are the WinCC flexible RT versions from 2004 to 2008 SP2 and WinCC Runtime Advanced V11 and multiple Simatic panels (TP, OP, MP, Comfort). We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, [and the] first is planned to be issued in January 2012.”

Other vulnerabilities were reported by Rios and McCorke this month as well, the company noted, adding that it thanks the two for their work.

The remarks from Siemens followed a blog post by Rios that skewered the company for telling a Reuters reporter that an authentication bypass vulnerability the researchers had found did not actually exist.

“For all the other vendors out there, please use this as a lesson on how NOT to treat security researchers who have been freely providing you security advice and have been quietly sitting for half a year on remote authentication bypasses for your products,” he wrote.

In his blog post, Rios also filled in the details of some of the issues facing Siemens. For example, he noted that Siemens SIMATIC products, which manage industrial control systems, use a default password. Moreover, if a user tries to change that password using a special character, the password automatically reverts back to the default without the user’s knowledge. The default passwords leave the Web, VNC and Telnet services exposed when Siemens SIMATIC is installed, he argued. He also speculated that this issue may have been exploited by “Pr0f”, the hacker who used the default password to get access to systems at a water plant in South Houston, Texas, earlier this year.

“(Attackers) can use this to gain remote access to a SIMATIC HMI which runs various control systems and critical infrastructure around the world… aka they can take over a control system without knowing the username or password,” Rios wrote.

A Siemens spokesperson did not return a request for comment today looking for more specific information about the timeline for patches.

Related Reading: Industrial Control Systems Security One Year After Stuxnet

Related Reading: Bridging the Air Gap: Examining Attack Vectors into Industrial Control Systems

Related Reading: Are Industrial Control Systems Secure?

Related Reading: How to Make the Smart Grid Smarter than Cyber Attackers

Related Reading: The Increasing Importance of Securing The Smart Grid

Related Reading: Stuck on Stuxnet – Are Grid Providers Prepared for Future Assaults?