James Delahunty
25 May 2011 2:56
A security researcher has blasted Siemens for comments made by the company downplaying security vulnerabilities in its industrial control systems.
Dillon Beresford wrote that the German company was downplaying the threat of findings he made while testing a Siemens programmable logic controller (PLC). "The vulnerabilities are far reaching and affect every industrialized nation across the globe," he wrote in an e-mail posted to a public security list.
"This is a very serious issue. As an independent security researcher and professional security analyst, my obligation is not to Siemens but to their consumers."
Siemens PLC equipment is used across all sectors of industry and is found at oil refineries, manufacturing plants and waste treatment facilities. Its security has been called into question following the discovery and analysis of Stuxnet, which apparently targeted Siemens equipment used as part of Iran's nuclear program.
Beresford discovered several security bugs in a Siemens PLC he obtained through his employer, NSS Labs. He took issue with comments Siemens representatives made to the media, which claimed the bugs were discovered "under special lab conditions with unlimited access to protocols and controllers," and that the vulnerabilities would be difficult for hackers to exploit.
"There were no 'special laboratory conditions' with 'unlimited access to the protocols,'" Beresford wrote. "My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory."