This is Walt Boyes, taking over Joe Weiss' blog to do something Joe is unaware of:
Someboday sent me a copy of
ICS-ALERT-11-139-01AP--SIEMENS PROGRAMMABLE LOGIC CONTROLLER
VULNERABILITIES
UPDATE A
June 03, 2011
The report details several vulnerabilities that Dillon Beresford tried to report but was asked not to give his paper. Dillon has posted here since. The report states that ICS-CERT, Beresford and Siemens are working hard to generate fixes.
Unfortunately,
Warning:This document is FOR OFFICIAL USE ONLY (FOUO).
It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C.552).
It is to be controlled,stored,handled,transmitted,distributed,and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid "need-‐to-‐know" without prior
approval of an authorized DHS/ICS-‐CERT official.
No portion of this report should be furnished to the media, either in written or verbal form.
So. I shouldn"t have a copy of the report, and I cannot tell you what it is. What I can tell you is that if you have control systems using Siemens PLCs, you need to read it, and do the mitigations ICS-CERT suggests, but which I can't tell you about.
Too bad, that. The report says some very important things.
And even if you do not use Siemens controllers, you should be paying attention. This could have happened to any controller vendor, and some of the vulnerabilities Beresford and Siemens have discovered could have their analogs in other controllers made by other manufacturers.
But I can't tell you about them.
You may never get to see this report. As of this writing, the ICS-CERT on the Aurora vulnerability, even though it has been publicly disclosed and discussed by DHS and INL personnel, is still FOUO-- which is a sort of "we can't classify this, but we'll make it super secret secret squirrel" anyway to show how much authority we have.
We have been over and over the fact that you cannot protect a control system by obscurity. Unfortunately, the Department of Homeland Security has NOT been listening.
If you have any manufacture of programmable controllers, Siemens or other, you should call DHS and ask them for a copy of this report. Here's where you ask:
ICS-CERT Operations Center
1-877-776-7585
[email protected]
One last thing. Yes, I am a member of the media. But as a member of the ISA99 standard committee, I also have a valid "need-to-know."
Walt Boyes