The Department of Homeland Security has notified the company responsible for a remotely exploitable chink in the armor of switches and network routers that maintain critical American infrastructure.
After learning from a researcher of the security flaw, the department's Industrial Control Systems Computer Emergency Response Team (ICS-CERT) asked Siemens, the parent company of device maker RuggedCom, to quickly resolve the issue.
Security researcher Justin Clarke from Cylance Inc. had made the news of the flaw public last week with a proof-of-concept demonstration.
In a security alert, ICS-CERT said Clarke's report showed that a hard-coded encryption key in RuggedCom's Rugged Operating System had been exploited remotely. The vulnerability "can be used to decrypt SSL traffic between an end user and a RuggedCom network device," ICS-CERT warned.
According to ComputerWorld, Homeland Security notified both Siemens, the conglomerate that acquired RuggedCom this year, and industrial network administrators, who took steps to make sure their control systems were not directly hooked up to the Internet and were shielded by firewalls.
This latest security flaw comes only two months after a security issue with a different product by RuggedCom, an Ontario, Canada-based company and the largest supplier of industrial-grade network and communication devices.
The company makes Ethernet switches, network and wireless routers, media converters, serial servers and other devices designed for a rugged and industrial environment. Its products are used by the military, in oil refineries, traffic control systems and in electrical substations and power plants.
Control systems security consultant Dale Peterson called RuggedCom's response to the last incident "terrible," according to a ComputerWorld report.
Peterson, chief executive of the consulting company Digital Bond, added that RuggedCom owes an explanation to its clients of how these issues arose and how it would keep faulty products off the market in the future. Such flaws put American lives at risk, he stated.
Siemens and RuggedCom said they are investigating the issue and working toward a resolution as soon as possible.