Siemens' gear is still vulnerable

An insecurity expert has found that Siemens industrial control systems, upon which the world’s infrastructure depends, are packed full of vulnerabilities.

The vulnerabilities exist in Siemens programmable logic controllers, or PLCs, the same gear that was targeted by the Stuxnet worm, which brought the Iranian nuclear programme to its knees.

They are also used in nuclear facilities and other critical infrastructures, as well as in commercial manufacturing plants that make everything from pharmaceuticals to automobiles.

Dillon Beresford, the security researcher with NSS Labs, told Wired that he had even found a hard-coded username and password that would let attackers reprogram the systems with malicious commands. Beresford said that he could log in via Telnet and HTTP, dump memory, delete files and execute commands.

Beresford was going to discuss a few of the vulnerabilities at TakeDownCon in Texas in May, but pulled the talk after Siemens and the Department of Homeland Security were a little worried about the content.

Since then he has found more holes which would allow attackers to bypass authentication protection in the PLCs and reprogram them, or issue a “stop” command to halt them. True, they all require the attacker to have access to the network on which the PLCs run, but Stuxnet faced the same obstacle and that did not stop it.

Beresford has been working with DHS’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, to validate and disclose the vulnerabilities, and plans to withhold some information, as well as actual exploit code, until Siemens has had a chance to patch the vulnerabilities that can be fixed.