Background: DHS and the National Labs (INL in particular) have been performing control system vulnerability assessments for years. They have been viewed as the “gold-standard” by many in the industry. When DHS or INL issues a report, it is assumed to be a complete vulnerability assessment. However, for those uninitiated in the world of software testing, it should be made clear that no amount of testing can prove the absence of vulnerabilities. Therefore, the folks at DHS or INL (or any other researcher) may need to caveat their results to indicate the scope of the assessment and the limits of their methodology. In other words, the scope has to be established upfront and according to Mike Assante, INL assessments are usually done in NDA partnership with the vendor where the vendor and INL will negotiate the scope of the assessment. So, the casual reader of these reports needs to understand that the objectives are necessarily limited (because the testing permutations quickly expand to infinity) and many of the findings are responsibly handled and protected via NDA. The goal of these assessment programs is not always open disclosure. Hence, caveat emptor with the results of the reports.
What does this mean: Ralph Langner has identified easily-exploitable vulnerabilities in the Siemens PLCs. Consequently, I asked Ralph to explain low-key controller attacks at the upcoming ACS Cyber Security Conference (www.realtimeacs.com). Ralph demonstrated this vulnerability at the 2009 ACS Conference. However, there were no DHS personnel at the ACS conference when Ralph spoke or last year when he discussed the Stuxnet vulnerability.
- According to Ralph, the afore-mentioned vulnerability is as old as the Siemens S7 but has not yet been remediated. The vulnerabilities Dillon Beresford found are integral to the design of the Siemens PLCs. That is, the Beresford and Langner-identified vulnerabilities were present when INL performed vulnerability assessments of the Siemens PLCs in 2007. However, these vulnerabilities were not identified when Marty Edwards, then of INL now DHS, gave a presentation at the 2008 Automation Summit. Were they out of the negotiated scope?
- The 2008 Automation Summit INL presentation identified three critical vulnerabilities in the Siemens PCS7 product line:
- Vulnerability allowing an attacker to gain control of a server inside the DMZ.
- Vulnerability enabling unauthorized access to the Engineering Station allowing the attacker to gain interactive log-in to PCS 7 Engineering Station (isn’t this the attack vector Stuxnet used?)
- Vulnerability enabling unauthorized configuration database access that would allow an attacker to modify configuration from the PCS 7 Engineering Workstation (isn’t this the way the Stuxnet payload was delivered to the controller?)
- The INL/DHS report, “NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses”, dated May 2010 didn’t identify the Beresford or Langner-identified vulnerabilities. Why weren’t these vulnerabilities addressed in the industry report?
I asked Bob Radvanvsky to look at the ICS-CERT portal and review documents including: advisory bulletins, weekly advisory bulletins, and control systems cyber security quarterly reports that would have identified vulnerabilities in Siemens PLCs. Although he found a few occurrences mentioning the name "Siemens" within them, they were discussions about what other people/organizations were discussing regarding Siemens products. There was nothing conclusive indicating anything pertaining to any security/risk assessments conducted on any Siemens S7 equipment. Although this may not necessarily mean that there is insufficient reasons to conclude that there is no documentation present, there may be and that he may not have the proper access levels or capabilities to access any such documentation (if it were to exist). In conclusion, to the best of Bob’s knowledge, there did not appear to be any relevant documentation pertaining to Siemens S7 products any time within the 2007 or 2008 calendar years on the ICS-CERT portal. Why weren’t these critical vulnerabilities disclosed to industry by DHS, DOE, or ICS-CERT?
Other questions:
- If INL had identified the Berseford vulnerabilities in Siemens controllers in 2008, why was there such a concern about Dillon speaking at black-hat conferences in 2011?
- If INL didn’t identify the Langner or Beresford vulnerabilities, shouldn’t all INL reports be identified as limited scope assessments?
- Given that the scope and results are protected by CRADA, what should end-users expect from the results of the INL assessments?
- Does there need to be non-governmental test facilities that will provide comprehensive test results to the end-users?
- I talked to another vendor who had INL test their products to a limited scope. If INL is only doing a limited scope to meet a vendors' needs, shouldn’t they be treated as any other consultant?
- Can end-users trust ICS-CERT to disclose critical control system vulnerabilities in a timely fashion?
Marty Edwards is scheduled to speak at the ACS Conference. I hope he will respond to these questions. As Ronald Reagan once famously said, “trust, but verify”.
Caveat: I sent an e-mail to Marty Edwards for comments. He responded by e-mail that he could not comment on record or background. I sent INL asking for comment and received no response. I sent an e-mail to Sean McGurk asking for comment and received no response. I talked to Alan Cone at Siemens who expressed puzzlement as he thought the assessment was complete. Siemens did the assessment because they were genuinely interested in knowing the vulnerabilities of their systems. I am awaiting a formal response from Siemens.
Joe Weiss
