The US government has confirmed it is looking into claims of a serious flaw in Siemens’ networking equipment that could leave customers vulnerable to hacks.
The claims were made by security researcher Justin Clarke, who was speaking at a conference in Los Angeles. He claimed that a flaw in equipment from RuggedCom, a Siemens subsidiary, could allow hackers to decrypt traffic between the network device and the customer.
RuggedCom’s equipment is widely used in the power and energy sector.
According to the BBC, Clarke claimed RuggedCom uses a single key to decode the encrypted data moving across the network. He had found a way to extract that key, he said, giving him full access to the data.
"If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you," Clarke is reported to have said.
Now the US Department of Homeland Security has said it will investigate the claims. In a security bulletin, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), said: "According to this report, the vulnerability can be used to decrypt SSL traffic between an end user and a RuggedCom network device. ICS-CERT notified the affected vendor of the report and asked the vendor to confirm the vulnerability and identify mitigations."
ICS-CERT suggests companies using this equipment should ensure that any control system device is not directly connected to the internet and that anything sensitive should be placed behind a firewall. Remote access should also be through a VPN, it added. That is of course sensible advice for any business to take.
Siemens sent a short statement to CBR saying they are looking into the allegations. "Specialists from Siemens and RuggedCom are investigating this issue and will provide information updates as soon as they become available," it said.
Cyber attacks on critical national infrastructure are a growing problem for many countries. The Middle East has been particularly badly hit, with Stuxnet, Duqu and Flame all striking recently.
There have been no reported cases of damage being done to US infrastructure yet, but the US government is certainly taking the threat seriously.
It was recently revealed that President Barack Obama was considering ordering companies that are part of the nation’s critical infrastructure to improve their cyber security capabilities, after the US Congress failed to pass a bill that would have seen voluntary cyber security standards implemented.