In yet more news out of the already ravaged Heartbleed front, Siemens has released a series of patches for vital SCADA hardware including pieces installed at major nuclear facilities and hydroelectric dams.
This just goes to show that even if you establish a massive, dragnet-style machine to suck up every bit of data that comes from or goes to any computer on earth, all it takes is a couple defunct lines of code to completely invalidate hundreds of billions of dollars worth of defense spending in an instant.
The vendor also says it’s working on patches for:
S7-1500 version 1.5 – The Simatic PLC is vulnerable when HTTPS is enabled. Mitigation includes disabling the web server, limiting access to trusted networks, and removing the certificate from the browser;
CP1543-1 version 1.1 – The industrial Ethernet communication processor is vulnerable when FTPS (FTP with SSL) is enabled. Mitigation includes disabling FTPS, restricting FTPS access to the trusted network, and/or accessing FTPS over a VPN tunnel;
APE 2.0 – This application environment is vulnerable if SSL/TLS is in use.
When applied to the world of industrialized systems like those affected here, bugs like Heartbleed pose a significantly greater threat than what you might find from your average exploit.
Much of the NSA’s message since the leaks has focused on how necessary their services are to “protect the infrastructure of the nation”, yet here we are just a few weeks after Heartbleed first hit the scene and already they’ve dropped the ball on their own big toe when it comes to warding off any threats which could affect the delicate balance that is maintained on our national power grid.