Federal government will need to take a position on unsafe industrial plants

Alliance ’90 / The Greens has submitted a parliamentary question asking the federal government to assess the risk posed by industrial plants that are vulnerable over the Internet. The parliamentary group would also like to know what measures the government considers appropriate to hold equipment manufacturers to a greater commitment in the future. The federal government has a legal obligation to reply to the request within two weeks, or to request a time extension.

In the inquiry, which consists of 16 individual questions, the members of parliament take up the vulnerability reported by Heise Security in control systems from Saia-Burgess, a manufacturer belonging to the Honeywell Group. A central point of the inquiry is provider liability. “Manufacturers of hardware and software are under steady pressure on costs. Only if the providers also bear the risk of liability for the possible consequences of the security deficiencies of their products would there be a real incentive to develop secure solutions and to resolve identified problems quickly,” the parliamentarian Konstantin von Notz said in an interview with Heise Security.

The Greens want answers to the questions of what steps the Federal Office for Information Security (BSI) and other authorities have taken in the specific case, when and how the operators of the facilities concerned were informed, and whether the gap has now been fixed.

Through the gap, over 1,000 industrial installations across Europe that were connected to the Internet with inadequate protection could be accessed remotely, and some still are. Among them were several district heating power stations, the locking system of a football stadium, the heating system of a Hessian penitentiary and the heat process control of a brewery. In addition, about 300 Vaillant heating systems for single-family homes were affected, which are also controlled by Saia-Burgess controls.

Although the BSI, brought in by Heise Security in February, classified the vulnerability as critical and called on the manufacturer of the controller to remedy it rapidly, no update for the affected PCD controllers is available to date. Back in April, the heating manufacturer Vaillant therefore pulled the ripcord and informed its customers that the controller built into power-generating heating systems of the type EcoPower 1.0 must be separated from the Internet immediately by pulling the network plug.

The controller manufacturer Saia-Burgess, however, warned the operators of power plants and other essential infrastructure only a few days before the long-fixed release date of the article “Danger in the power plant”. Independently of this, the operators of the facilities mentioned in the article were informed by Heise Security in advance.

According to its own statements, Saia-Burgess is still working at full speed on a security update. The company has, however, not yet committed to an exact release date when asked by Heise Security. But if “the development continues to be successful,” the critical security patch can likely be released this month. In the meantime, the company has at least published a guide “for the safe use of PCD controllers” that are connected to the Internet.

Against the backdrop of a flaw that has been gaping for nearly half a year, the question raised by the parliamentary group as to whether “the federal government deems statutory changes in the distribution of responsibility” appropriate is justified.