Although a public talk about new vulnerabilities found in Siemens industrial control systems (ICS) was pulled yesterday from a conference agenda due to its sensitive nature, the head of the vulnerability-test group that discovered the security holes said it expects Siemens will soon have a fix and will be discussing it.
That disclosure, about some types of Siemens programmable logic controllers (PLCs) used for controlling factory floors and other industrial processes, is expected later today, says Rick Moy, president of NSS Labs. The firm has identified what is believed to be a vulnerability in Siemens PLCs that could lead to compromise of, or a denial-of-service attack against, the equipment used by factories and energy-production companies.
Unlike the Stuxnet worm, which attacked the Windows-based management system for some Siemens SCADA systems last year in Iran, the vulnerability identified by NSS Labs is associated with the proprietary code in the Siemens PLC hardware.
Vulnerabilities in industrial-control gear have implications that could jeopardize human lives, Moy says, adding that NSS Labs has been working with Siemens to help it come up with a patch for the PLC gear, which has also been subject to review from the ICS CERT based at Idaho National Labs in the U.S.
"Everyone's waiting for Siemens," says Moy, who indicated that more about the issues in Siemens PLCs will be disclosed once Siemens is public with its findings and fix for its equipment. At that point, NSS Labs will be providing more detail, which it had expected to be able to do at the TakeDownCon Conference. There, NSS Labs yesterday voluntarily cancelled its planned talk after it found out Siemens was not yet ready to go public with its information.