More

Cyber Attacks Could Hit Infrastructure If Flaws Aren't Fixed

Siemens

First Posted: 12/22/11 01:45 PM ET Updated: 12/22/11 06:50 PM ET

Inspiring
 Funny
 Obsolete
 Scary
 Must-Have
 Amazing
 Innovative
 Nerdy



* Researchers say flaws make systems vulnerable to attack by
hackers


* Siemens says first fixes will be released in January

(Adds comments from Department of Homeland Security)


By Jim Finkle


BOSTON, Dec 22 (Reuters) - Siemens said it
is working to fix security flaws in industrial controls products
that the U.S. government warned could make public utilities,
hospitals and other critical parts of the country's
infrastructure vulnerable to attack by hackers.


The German conglomerate, whose industrial control systems
are widely used around the world, said on Thursday in a posting
on its website that it had learned of the vulnerabilities in May
and December of this year from security researchers Terry
McCorkle and Billy Rios.


The U.S. Department of Homeland Security issued an advisory
that warned of the vulnerability, urging Siemens customers to
minimize exposure of industrial control systems to the Internet
to make them less vulnerable to attack.


"Successful exploitation of these vulnerabilities could
allow a hacker to log into a vulnerable system as a user or
administrator," the agency's Industrial Control Systems Cyber
Emergency Response Team said in the advisory.


Rios told Reuters that one of the most serious of the
vulnerabilities, known as an "authentication bypass," allows
hackers to get around password protections on Web interfaces,
which Siemens customers use to access industrial control
systems.


Siemens industrial controls systems are used to run an
assortment of facilities from power generators, chemical plants
and water systems to breweries, pharmaceutical factories and
even uranium enrichment facilities.


"People with low skills will be able to use this
authentication bypass," said Rios, who described the problems on
his blog, www.xs-sniper.com.


Siemens said it had addressed some of the security
vulnerabilities and that it would release its first security
update to fix them next month.


The company does not know of any cases in which hackers had
exploited the vulnerabilities to attack its customers, spokesman
Alexander Machowetz said.


Some Siemens software is designed to automatically install
services that make control systems accessible via the Internet,
Rios said. They are installed with a default password, "100,"
which is published in user manuals that are available on the
public Siemens website, he added.


"People set up control systems, and they don't realize that
they are on the Internet, waiting for people to connect to
them," Rios said.


Siemens industrial control systems have been scrutinized by
security researchers over the past few years.


The notorious Stuxnet virus, which crippled Iran's nuclear
program, was first identified by researchers in June 2010. It
targeted Siemens software used to control gas centrifuges that
enriched uranium at a facility in Natanz, Iran.


Last May, the U.S. government warned U.S. water districts,
power companies and other Siemens customers of another security
flaw uncovered by researcher Dillon Beresford that made systems
vulnerable to attack.


In August, Beresford disclosed at the Black Hat hacking
conference in Las Vegas that he had found further
vulnerabilities in Siemens products, including a "back door that
could allow hackers to wreak havoc on critical infrastructure."

(Reporting By Jim Finkle; Editing by Lisa Von Ahn)

Copyright 2011 Thomson Reuters. Click for Restrictions.

Related on HuffPost:

FOLLOW HUFFPOST TECH

* Researchers say flaws make systems vulnerable to attack by hackers * Siemens says first fixes will be released in January (Adds comments from Department of Homeland Security) ...
* Researchers say flaws make systems vulnerable to attack by hackers * Siemens says first fixes will be released in January (Adds comments from Department of Homeland Security) ...
Related News On Huffington Post:
 

Filed by Ramona Emerson  | 

More in Technology...


 
 
  • Comments
  • 3
  • Pending Comments
  • 0
  • View FAQ
Comments are closed for this entry
View All
Favorites
Recency  | 
Popularity
splansing
27 Fans
01:33 PM on 01/03/2012
True security is impossible, for any system, unless it's really completely disconnected from the Internet. And even then, you will always be vulnerable. Why? http://clicksafe.kensington.com/laptop-security-blog/?Tag=data%20breach

About 65% of security breaches are due to people doing something dumb, like losing their laptop, or leaving a thumb drive laying around, or visiting the wrong website, or falling for some sort of fraud or phishing.

If you absolutely must be entirely 100% secure, then you must absolutely not be connected to the Internet, period. The problem with that, of course, is that you cannot remotely manage your systems in that case, unless you literally set up a private wire to connect you to your private network...and that does NOT mean using the Internet cloud.

So now people have to actually go to work to do their jobs, and they have to live relatively close to where they work in general. Maybe that's not such a bad thing. Until people realize and accept that, these types of breaches will continue.

The ethics of the hackers are irrelevant except in an ivory tower. They are a function of our society and will always exist.
Permalink  |
Gmasters
Never underestimate the Power of Human Stupidity!
163 Fans
06:05 PM on 12/23/2011
The simplest and Fastest fix is also plain old Common Sense:

Unplug these things from the Internet!

An electric Generator has no need to conduct Google Searches.
Neither does a Chemical Plant, Nuclear Plant, uranium plant or secure Defense Facility.

If any of the People inside these plants can justify access to Google, their Computer for performing Google Searches should NOT be connected to the Plant.
It should be a separate set of cables.

BTW, I contracted at an IRS office a few years ago. They Already DO this.
They had TWO separate networks.
One was connected to Official Business computers.
The other was connected to the Internet.
If you wanted or needed access to Google at this facility, they would happily allow you to bring in a personal laptop to do so Using the Separate Network.

Even for that, you had to allow them to verify that your personal laptop was virus free and, if you didn't have a good anti-virus program installed, they would install one for you before you were allowed to plug it in. After all, it's still Their Network and they wanted it to be as well protected as possible.
Permalink  |
This user has chosen to opt out of the Badges program
Realist2011
beware false profits....
230 Fans
02:29 PM on 12/23/2011
I do not understand the problem. If you can't write secure software, then don't connect to external systems until you can. This isn't a new issue. There have been security issues since the first computer networks. Most of the time, it's just laziness on someone's part.

Two methods of authentication. Keep your authorized access lists up to date. Come on people. If your controller can be accessed across the net, then you should already be smart enough to know that's a potential problem. Don't send the software out until it's correct. Yes, it's going to take more time and cost more, but only in the beginning. Fixing the problems later costs a great deal more.
Permalink  |