Siemens issued a Chinese version of the vulnerability description later than 13 days in English
2023-10-28 13:40:08
Siemens (China) responded yesterday to the loophole in the industrial control system (June 9).
Duan Wei, the person in charge of the media, stated that the Chinese version of Siemens' vulnerability-related product descriptions has been placed on the Siemens (China) Industrial Automation and Drives Program website. Many users of Siemens will browse this website and should be able to see the relevant information.
According to Siemens (China) official website information, the firmware update of the vulnerability product S7-1200 will be provided in June. The firmware update will provide remediation measures. This firmware enhances protection against replay attacks and enhances the stability of the S7-1200 in the face of the above denial of service attacks.
However, the reporter found that the publication of this information was 13 days later than the English version.
Siemens said that it has not received any inquiry so far. On June 1st, the reporter sent an outline of interviews to Siemens (China) asking about whether there are loopholes, what measures Siemens will take and whether it will prompt Chinese users. In the reply received the next day, Siemens (China) did not give a positive reply on whether it would give consumers safety tips.
Afterwards, the reporter called Siemens (China) again. The reporter received a reply from Siemens (China) last night.
Siemens (China) stated in its reply that so far, they have not received any customer's question on this issue. Network attacks can only occur under the following extreme conditions: the intruder must be at the factory site or have arbitrary access to the production network. Even with a cyber attack, the reaction of the CPUS7-1200 will be to switch to a stop/failure state and place the automation process in a safe mode.
Duan Wei said that Siemens (China) has not received any questions or inquiries from customers. Under the reporter's inquiries, Duan Wei also said that if it is really necessary, Chinese users may be prompted.
Before receiving an official reply from Siemens, an industrial control automation training organization provided the reporter with a training engineer's phone. The reporter consulted the automation engineer in the name of the potential consumer. The engineer said that he had received many consultation calls. If you do not connect to Ethernet, there should be no problem with the product.
The explanation of 13 days late stated that Siemens (China) stated that it has put the Chinese version of the relevant materials on the official website. Customers can see the relevant contents of the loopholes through their websites.
However, the reporter found that Siemens announced the release of this incident on May 26. In a reply to the reporter by Siemens (China) on June 2, the head of the media also said that there was no Chinese version. The release time of the Chinese version of Siemens China's official website was marked as June 8th, 13 days later than the foreign country.
Siemens has not responded to the product's loopholes, and Yu Tianyu, a technical spokesperson for Antiy Labs, expressed that he did not understand it. He said that once there are loopholes, companies such as Microsoft will take various measures to notify users. For example, through professional media and subscription e-mail notifications, a product vulnerabilities briefing session is held at a specific time every month.
Miao Yuyu also believes that Siemens (China) currently offers online solutions, but industrial systems are rarely connected to the Internet, and there is still a part of Siemens products that cannot be solved, such as buildings and marine equipment. Implement online upgrades.
Li Jiancheng lawyer said that the purchase of Siemens products, the two sides established a trading relationship, should be in accordance with the relevant provisions of the "Contract Law". According to the "Contract Law", the purchased product must be safe and secure, unless it is due to the fact that the technology cannot be objectively eliminated, or it must be notified to consumers promptly. Otherwise, if Chinese companies suffer losses as a result, they have the right to claim compensation from Siemens.
Duan Wei, the person in charge of the media, stated that the Chinese version of Siemens' vulnerability-related product descriptions has been placed on the Siemens (China) Industrial Automation and Drives Program website. Many users of Siemens will browse this website and should be able to see the relevant information.
According to Siemens (China) official website information, the firmware update of the vulnerability product S7-1200 will be provided in June. The firmware update will provide remediation measures. This firmware enhances protection against replay attacks and enhances the stability of the S7-1200 in the face of the above denial of service attacks.
However, the reporter found that the publication of this information was 13 days later than the English version.
Siemens said that it has not received any inquiry so far. On June 1st, the reporter sent an outline of interviews to Siemens (China) asking about whether there are loopholes, what measures Siemens will take and whether it will prompt Chinese users. In the reply received the next day, Siemens (China) did not give a positive reply on whether it would give consumers safety tips.
Afterwards, the reporter called Siemens (China) again. The reporter received a reply from Siemens (China) last night.
Siemens (China) stated in its reply that so far, they have not received any customer's question on this issue. Network attacks can only occur under the following extreme conditions: the intruder must be at the factory site or have arbitrary access to the production network. Even with a cyber attack, the reaction of the CPUS7-1200 will be to switch to a stop/failure state and place the automation process in a safe mode.
Duan Wei said that Siemens (China) has not received any questions or inquiries from customers. Under the reporter's inquiries, Duan Wei also said that if it is really necessary, Chinese users may be prompted.
Before receiving an official reply from Siemens, an industrial control automation training organization provided the reporter with a training engineer's phone. The reporter consulted the automation engineer in the name of the potential consumer. The engineer said that he had received many consultation calls. If you do not connect to Ethernet, there should be no problem with the product.
The explanation of 13 days late stated that Siemens (China) stated that it has put the Chinese version of the relevant materials on the official website. Customers can see the relevant contents of the loopholes through their websites.
However, the reporter found that Siemens announced the release of this incident on May 26. In a reply to the reporter by Siemens (China) on June 2, the head of the media also said that there was no Chinese version. The release time of the Chinese version of Siemens China's official website was marked as June 8th, 13 days later than the foreign country.
Siemens has not responded to the product's loopholes, and Yu Tianyu, a technical spokesperson for Antiy Labs, expressed that he did not understand it. He said that once there are loopholes, companies such as Microsoft will take various measures to notify users. For example, through professional media and subscription e-mail notifications, a product vulnerabilities briefing session is held at a specific time every month.
Miao Yuyu also believes that Siemens (China) currently offers online solutions, but industrial systems are rarely connected to the Internet, and there is still a part of Siemens products that cannot be solved, such as buildings and marine equipment. Implement online upgrades.
Li Jiancheng lawyer said that the purchase of Siemens products, the two sides established a trading relationship, should be in accordance with the relevant provisions of the "Contract Law". According to the "Contract Law", the purchased product must be safe and secure, unless it is due to the fact that the technology cannot be objectively eliminated, or it must be notified to consumers promptly. Otherwise, if Chinese companies suffer losses as a result, they have the right to claim compensation from Siemens.
Planetary Gear Reducer ,Planetary Reducer,Planetary Gear Reduction,Planetary Speed Reducer
Ningbo CCMS Industrial Co. Ltd , https://www.cncoemmachiningparts.com