Earlier this year, speculation abounded that a botched fix for a software flaw in an industrial control system built by manufacturing giant Siemens was tied to a security talk getting pulled from a conference. At the time, researchers said Siemens had downplayed the seriousness of the vulnerabilities reported. While history isn’t repeating itself exactly this month, it certainly is closely rhyming.
About the same time as those flaws were publicly bedeviling Siemens, security software researcher Billy Rios reported an authentication bypass flaw within the company’s software that is used to manage industrial control and critical infrastructure systems. “I’ve been patiently waiting for a fix for the issue which affects pretty much every Siemens SIMATIC customer,” Rios said in a blog post yesterday.
After waiting roughly seven months for a response, or a fix, Rios was recently told, through a Reuters reporter, that Siemens was not aware of “open issues regarding authentication bypass bugs at Siemens.”
After that feedback, Rios decided to take what he knew about the flaws public in this blog post.
In one of the flaws, Rios contends that the default password for a number of services on these Siemens systems was “100.” Also, if a user changes the default password to one that contains a special character, that password may revert back to its default. Additionally, services in the systems (Web, VNC, and Telnet) each maintain their credentials separately, so when one changes the Web default passwords the others remain in default.
Also troubling, Rios said he is able to find “many” of the services for these at-risk Siemens systems available on the Internet.
Rios also claims that session tokens generated by a Siemens Web HMI are fully predictable — making it straightforward for attackers to make their own tokens to use for access without having to know an actual username and password credential.
In an email response, Siemens acknowledged that they knew of the flaws. “We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, [the] first is planned to be issued in January 2012. In December 2011 further vulnerabilities have been reported which are currently under investigation. We thank Billy Rios and Terry McCorke for reporting the vulnerabilities,” Siemens said in their reply.
“It’s not surprising to learn that these systems have weak, insecure, and generic administrative passwords. It’s a problem that’s not new,” says Pete Lindstrom, research director at Spire Security. “Systems should force default passwords to be changed on initial log-in.”
And that, experts say, hints at the challenge. They say that IT security in industrial control systems remains, if not immature — awkward. “The biggest obstacle to security in this area (which Gartner now calls Operational Technology to differentiate from Information Technology) is that power companies, manufacturers, and related players have very different governance and management processes for general purpose PCs and servers vs. power control/SCADA/process control/medical machinery,” Gartner analyst John Pescatore said in an earlier interview.
“Even though those things are increasingly CPU and software driven, they are still treated like machines vs. computers in many cases — meaning that security has been focused on physical security, not information security, and there has been an overdependence on security through obscurity,” he said.