It was announced today that CyMoTrol, a German manufacturer
of industrial motor controllers, had filed a libel and slander suit against
ECS-CERT for information included in a recent control system cybersecurity
alert published by the agency. They are asking for treble damages and punitive
damages for publicly disparaging the cybersecurity measures used to protect
their motor controllers. The suit also demands that ECS-CERT disclose the
identity of the anonymous researcher, cYbrg0D, named in the Alert as the
researcher who identified the multiple vulnerabilities, so that charges of theft
of intellectual property, unlawful access, and industrial espionage can be filed
against that individual.
Wilhelm Pieck, spokesperson for CyMoTrol, said that last
week’s alert published by ECS-CERT contained outright lies, fabrications and
mischaracterizations of device features that had already led to one customer
canceling a large order for the CyMo One motor controllers mentioned in the
Alert and calls from many irate customers. “ECS-CERT never talked with us about
the supposed vulnerabilities,” Pieck told reporters; “If they had, we would have
explained that the supposed vulnerabilities were carefully controlled features
of the devices that improved service and increased production reliability when
used in a properly protected industrial environment.”
Immanuel C. Securitage, spokesperson for ECS-CERT, refused to
talk about the pending litigation. He did, however, explain that the agency
stood behind the information in the Alert. “Based upon extensive information
provided by cYbrg0D, we stand behind the identification of the three
vulnerabilities outlined in our Alert,” Securitage told reporters; “And we
continue to suggest that device owners face the potential consequences we
described for a potential exploit of those vulnerabilities in a production
environment.”
Shortly after the announcement of the lawsuit became public,
cYbrg0D tweeted “CyMoTrol has hard coded backdoors in all of their products and
software includes phone-home code to provide info to manufacturer.”
When asked about the TWEET®, Pieck said “CyMoTrol maintains
remote access capabilities in their products for maintenance purposes as part
of our customer service program. This includes device reporting of anomalous
conditions. These are carefully controlled processes and are an integral part
of the service we sell. They are not vulnerabilities and do not provide access
to the devices to anyone outside of our organization.”
CAUTIONARY NOTE: This is a future news
story –