Security researcher accuses Siemens of downplaying SCADA bugs

Dillon Beresford, an analyst for security auditing firm NSS Labs, isn't thrilled with Siemens (NYSE: SI), and has expressed his frustration on a mailing list for SCADA (supervisory control and data acquisition) software. Beresford, if you recall, is one of two researchers who were slated to make a presentation at a security conference last week demonstrating how flaws in Siemens SCADA systems can be exploited. The talk was canceled at the request of Siemens and the Department of Homeland Security, after the initial mitigation offered by Siemens did not work.

Siemens had downplayed the vulnerabilities at the time, responding with a statement that implied they weren't as serious as claimed. The company said then: "These vulnerabilities were discovered while working under special laboratory conditions with unlimited access to protocols and controllers." Attempts by Siemens at what Beresford terms "damage control and impact minimization" have clearly upset him. Time is of the essence, argued Beresford, elaborating that "the flaws are not difficult for a typical hacker to exploit because I put the code into a series of Metasploit auxiliary modules, the same one supplied to ICS-CERT and Siemens."

Siemens spokesperson Wieland Simon issued another statement in response to Beresford's online postings. As reported by Forbes, Simon wrote that the "irregularities" in the "communication functions" were discovered in the absence of IT security measures, and "there is no danger for the plant, for the workers or for the environment."

So is the flaw as serious as alleged by Beresford, or merely a tempest in a teapot? It's impossible to know while the details of the vulnerability are still under wraps. Siemens maintains, though, that it is in a better position to assess potential security risks than researchers from an outside firm. For now, NSS says it is offering to work directly with Siemens customers on mitigating the vulnerability after Siemens declined to work further with NSS to fix the bugs.

For more:
- check out this article at Forbes
- check out this article at Network World
