May 26, 2011, 11:49 AM — The discovery of a number of what have been described as serious vulnerabilities within industrial control systems built by manufacturing giant Siemens AG -- and the subsequent nixing of a presentation about those very vulnerabilities -- has raised questions about how the nature of vulnerability disclosure should -- or shouldn't -- change when it comes to the security flaws in industrial systems.
As covered earlier this week in our story "A botched fix, not legal demands, nixed SCADA security talk," NSS Labs researchers pulled a presentation after a fix Siemens offered failed to mitigate the attack. A day after that story, Dillon Beresford, the NSS Labs researcher who discovered and reported the flaws, took aim at Siemens on the SCADASec mailing list for downplaying the seriousness of the vulnerabilities. According to the report "Siemens says it will fix SCADA bugs," the company is downplaying the SCADA flaws. "While NSS Labs has demonstrated a high level of professional integrity by providing Siemens access to its data, these vulnerabilities were discovered while working under special laboratory conditions with unlimited access to protocols and controllers," Siemens said.
Beresford countered: "The flaws are not difficult for a typical hacker to exploit. Also there were no special laboratory conditions with unlimited access to the protocols. My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory. I purchased the controllers with money my company so graciously provided me with."
In a prior interview, NSS Labs Chief Technology Officer Vikram Phatak told CSOonline that the cost of the equipment was roughly $2,500. That's certainly a lower bar to uncover SCADA-related flaws than has been generally discussed.
With that in mind -- and the stakes higher with the security of factories, power plants, and other industrial systems in question -- the issue must be raised: What should the rules of disclosure for SCADA vulnerabilities be?