The security researcher who last week voluntarily canceled a talk on critical vulnerabilities in Siemens' industrial control systems took the German giant to task Monday for downplaying the problem.
Dillon Beresford, a researcher with NSS Labs, took exception to Siemens' claim that the vulnerabilities he and colleague Brian Meixell uncovered had been discovered "while working under special laboratory conditions with unlimited access to protocols and controllers."
"There were no 'special laboratory conditions' with 'unlimited access to the protocols.' My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory," said Beresford in a message posted on a public security mailing list. "[And] I purchased the controllers with money my company so graciously provided me with."
While Siemens promised last week that it would patch the bugs, Beresford argued that it downplayed the threat to its industrial control systems and to the thousands of companies that rely on its PLCs (programmable logic controllers).
"It's very discouraging...when a vendor tries to minimize the impact of a critical issue for the purpose of saving face in the public," Beresford said in a follow-up message on the SCADASEC mailing list. "It sends out the wrong message to people who are trying to do the right thing."
Industrial control systems like Siemens' monitor and manage everything from oil drilling rig equipment and power plant operations to skyscraper elevators and high-speed trains in Japan.
Dubbed SCADA for "supervisory control and data acquisition," the systems and their security have been under intense scrutiny since the Stuxnet worm was discovered almost a year ago. Stuxnet, a worm that some experts have called "groundbreaking," is believed to have been built to sabotage Iran's nuclear program, particularly the gas centrifuges the country uses to enrich uranium.
Stuxnet was the first known in-the-wild malware built to attack SCADA systems, and the PLCs it targeted were Siemens models.
Rick Moy, CEO of NSS Labs and Beresford's boss, backed his researcher in an interview Monday.
"Siemens chose to use language that's vague and misleading," said Moy of Siemens' statement last week where it implied that the flaws would be very difficult to exploit. "They tried to downplay the impact to their customers. That's what was concerning to us."
Beresford and Meixell pulled their presentation of their own accord after consulting with Siemens and the U.S. Department of Homeland Security (DHS), which expressed concerns that hackers could make use of the information.
But Moy said Siemens' customers deserve to know more.