Siemens emphasized that the SIMATIC S7 advisory is unrelated to the Stuxnet worm, which sent shockwaves through the security world in 2010 when it took down computers at an Iranian nuclear facility.
"There's some confusion out there," a Siemens spokesman says. "The Stuxnet worm only affected our WinCC SCADA system running on Microsoft operating systems. That was almost a year ago. We issued a patch that is able to detect and remove Stuxnet."
The newly issued advisory specifically addresses the S7-200, S7-1200, S7-300, and S7-400 SIMATIC controllers. "The potential exists for an attacker with access to the product or the control system communication link, to intercept and decipher the product's password and potentially make unauthorized changes to the product's operation," Siemens said in a statement.
To prevent such hacks, Siemens hasn't issued a patch, but rather a list of preventative measures. "We're providing recommendations for plant managers to keep their networks secure by engaging in good practices such as changing passwords and having network firewalls," the Siemens spokesman says.Industrial awareness
Any security warning, even a proactive advisory like new one from Siemens, is sure to spark discussion and even a bit of confusion. Some of the online stories discussing the S7 advisory seem to conflate it with Stuxnet.
That's perhaps understandable, given the complex history as well as the far-reaching significance of Stuxnet. In its first incarnation in mid-2010, Stuxnet targeted Siemens controllers at the Natanz plant, where Iran was using the controllers to run nuclear centrifuges with which it was attempted to purify weapons-grade uranium.
However, the significance of Stuxnet extends far beyond Siemens controllers, or any single vendor's product family. Stuxnet is considered among the most devastating and sophisticated hacks ever created. That's because it has the ability to migrate undetected from computer to computer across wide-ranging networks.
Natanz was a high-profile target, and the average factory is not. However, the attack demonstrated that the average industrial plant was vulnerable, too. The upshot is that the Natanz attack broadened security fears beyond the traditional venues of e-commerce and information technology and into the industrial arena. Engineers and plant operators using automation and process control equipment to run their factories had previously been generally unconcerned with security. It's not that they considered plants invulnerable, but rather they assumed that they weren't a target of hacker attacks.
Now, they're not so sure. At last week's 2011 Siemens Automation Summit, there was a session on Stuxnet, and the buzz about security was more intense than I'd heard at any previous industrially oriented conference.
Security will continue to be on design engineers' agendas going forward. Worms like Stuxnet aren't going away; they're expected to remain potent weapons in the arsenal of cyberterrorists. Vendor-specific vulnerabilities are also gaining increased attention from researchers. At the upcoming Black Hat conference in Las Vegas on August 3, independent security analyst Dillion Beresford is giving a presentation on PROFINET communication-related vulnerabilities that could affect the SIMATIC S7 PLCs.
As for Siemens, its spokesman says it will continue to make security a priority: "Security awareness is a good thing, and we want to make sure our products have the most security they can and the highest degree of resilience."