Thursday, 7 July 2011

What is worse: Incompetence or deception?

Apparently you just have to be big enough, and then you can get away with barely informing anyone about issues like this...

Yesterday Dillon Beresford announced, and ICS-CERT confirmed, that the Siemens S7-200, S7-300 and S7-400 families of PLCs suffered from the same replay vulnerability as the S7-1200. Siemens had not announced this even though they have had the information for over two months now and had an opportunity to discuss the issue directly with customers last week at the Automation Summit.

There are only two bad choices for why Siemens failed to disclose this to their customers:
  • Incompetence: Siemens' top security talent and engineers were unable to figure out that the replay attack on the S7-1200 did in fact work against the other S7 PLCs, the big boys that are used in more critical systems. Dillon Beresford was able to confirm this in less than a week, in off hours/spare time, once he got his hands on an S7-300.
  • Deception: Siemens knew this very early and chose not to tell their customers. Most importantly, they chose to deceive their customers last week at the Automation Summit with lies of omission and by making forceful statements that all of the S7-1200 vulnerabilities had been patched.
Unlike Stuxnet, where evidence points to incompetence or at best ignorant bliss, this case was almost surely deception. And it worked for at least a week, as Automation Summit attendees were singing the praises of Siemens' new commitment to security.
Read the full article here: