
Siemens SDLess – What CERTs talked about

Recently I attended the FIRST (Forum of Incident Response and Security Teams) conference in Vienna, the annual gathering for CERTs (Computer Emergency Response Teams) from around the world. Everyone noticed that, for the first time in the 23-year history of the conference, the main buzzword was not some new IT security breakthrough, the most talked-about vendor in the lobby and in the hallways was not Microsoft in all its glory, the hottest sessions were not F-Secure's Mikko Hypponen or Kaspersky's founder Eugene Kaspersky, and the most talked-about threat was not the buffer overflow.

The answer to all of the above was one word: "SIEMENS".

It was clear that things have changed and that there is a shift in the priorities of the attendees, and it is very alarming to see this at the FIRST conference especially.

The significance of the FIRST conference is that it is, in my opinion, the ultimate good-guys gathering.

CERT teams are the real firefighters on the ground. They deal with all the dirt on a 24x7x365 basis, and many of them do it at a country or regional level. By design, CERT staff are also some of the most connected people in the information security business, and most importantly they thrive on hard-earned trust from the IT community. So if you hear them saying "this is a game changer and most of us are not ready", that is your heads-up, right here, that your cyber strategy needs to be revised.

Also, for the first time, SIEMENS, represented by SIEMENS-CERT, was going to talk about Stuxnet from their perspective. Although it was one of three parallel sessions, I guess everyone at the conference was in this room to hear what SIEMENS had to say in its own defense regarding Stuxnet.

Prelude
They kickstarted the session by asking everyone not to copy anything from the slides and to stop using social media completely; the slides were all marked CONFIDENTIAL. It turned out that there was nothing they could add to what everybody already knew.

Apology
SIEMENS said that they completely understand why they are being scrutinized and that they made a mistake handling the Stuxnet issue. Yes, they said "We did a mistake", and I have to credit them for that. The mistake, in their presentation, was Siemens CERT not sharing any of the information at hand "early on" with other CERTs, or at least proactively explaining the issue to the media properly. This is true, but it is not the root cause of the problem.

Stuxnet over the weekend
SIEMENS CERT first heard about Stuxnet over the weekend, and at first glance they thought it could wait till Monday. They started to slowly unwrap the malware, only to be beaten to it by Ralph Langner's initial findings posted on his blog, which started a media frenzy. In their own words, it was a top-level decision not to enter the fray until they had finished the entire analysis (which took them 6 months). But who can wait with such a gem at hand? The rest is history.

SIEMENS' view on how to improve security in the future
They said that, as a vendor, SIEMENS values security and is far from happy to be standing there having to clear up and justify this mess, and that they promise to be more open and to issue alerts, customer-specific notifications and patches much sooner if anything of this nature surfaces again.

What they didn't say and should be saying
SIEMENS never came close to acknowledging that their entire design process, which has always been flawed but survived thanks to security by obscurity, has come to a sad end. To make things worse, everybody (researchers, opportunists and criminals) is now trying to play with it in the hope of stumbling upon something that can cause more embarrassment. They need to come clean and understand that the only proper way to fix this kind of fundamentally poor design issue (hard-coded passwords, leaving unnecessary ports and services open, etc.) is a totally new SDL (Security Development Lifecycle) that would allow them to spot such things much earlier and to avoid silly mistakes like hard-coding passwords in the year 2011.

Stuxnet code: can be downloaded from Here (Important: after downloading, change the file extension to .RAR)
Watch Ralph Langner's talk at NATO's conference on cyber conflict
ICS-CERT alert on the hard-coded credentials in SIEMENS products
