Cyber Attacks Could Hit Infrastructure If Flaws Aren't Fixed
(Adds comments from Department of Homeland Security)
By Jim Finkle
BOSTON, Dec 22 (Reuters) - Siemens said it
is working to fix security flaws in industrial controls products
that the U.S. government warned could make public utilities,
hospitals and other critical parts of the country's
infrastructure vulnerable to attack by hackers.
The German conglomerate, whose industrial control systems
are widely used around the world, said on Thursday in a posting
on its website that it had learned of the vulnerabilities in May
and December of this year from security researchers Terry
McCorkle and Billy Rios.
The U.S. Department of Homeland Security issued an advisory
that warned of the vulnerability, urging Siemens customers to
minimize exposure of industrial control systems to the Internet
to make them less vulnerable to attack.
"Successful exploitation of these vulnerabilities could
allow a hacker to log into a vulnerable system as a user or
administrator," the agency's Industrial Control Systems Cyber
Emergency Response Team said in the advisory.
Rios told Reuters that one of the most serious of the
vulnerabilities, known as an "authentication bypass," allows
hackers to get around password protections on Web interfaces,
which Siemens customers use to access industrial control
Siemens industrial controls systems are used to run an
assortment of facilities from power generators, chemical plants
and water systems to breweries, pharmaceutical factories and
even uranium enrichment facilities.
"People with low skills will be able to use this
authentication bypass," said Rios, who described the problems on
his blog, www.xs-sniper.com.
Siemens said it had addressed some of the security
vulnerabilities and that it would release its first security
update to fix them next month.
The company does not know of any cases in which hackers had
exploited the vulnerabilities to attack its customers, spokesman
Alexander Machowetz said.
Some Siemens software is designed to automatically install
services that make control systems accessible via the Internet,
Rios said. They are installed with a default password, "100,"
which is published in user manuals that are available on the
public Siemens website, he added.
"People set up control systems, and they don't realize that
they are on the Internet, waiting for people to connect to
them," Rios said.
Siemens industrial control systems have been scrutinized by
security researchers over the past few years.
The notorious Stuxnet virus, which crippled Iran's nuclear
program, was first identified by researchers in June 2010. It
targeted Siemens software used to control gas centrifuges that
enriched uranium at a facility in Natanz, Iran.
Last May, the U.S. government warned U.S. water districts,
power companies and other Siemens customers of another security
flaw uncovered by researcher Dillon Beresford that made systems
vulnerable to attack.
In August, Beresford disclosed at the Black Hat hacking
conference in Las Vegas that he had found further
vulnerabilities in Siemens products, including a "back door that
could allow hackers to wreak havoc on critical infrastructure."
(Reporting By Jim Finkle; Editing by Lisa Von Ahn)
Copyright 2011 Thomson Reuters. Click for Restrictions.