The Siemens Twitter® feed has been touting the benefits of the newest member of the S7 PLC family, the S7-1500. A recent Tweet noted that “S7-1500 provides a security concept that protects investments & contributes to higher plant availability”. It is nice to see that Siemens is actively advertising security in this new product, but a closer look will be needed to see how well Siemens is actually doing with its security work.
Siemens Security Claims
The nice color glossy brochure available through the Siemens web site (but not actually on the site, kind of odd) dedicates a full page (page 4) to the security measures included in the device and the associated TIA portal. It mentions four specific security features:
• Know-how protection;
• Copy protection;
• Access protection; and
• Manipulation protection.
Given the brief explanation provided (it is, after all, an advertising brochure), it appears that the first two features are principally designed to protect the intellectual property of the user, while the last two are more directed at cybersecurity and protection of the connected process from outside manipulation.
The access protection claims are supposed to protect “against unauthorized project-planning changes”. They include allocation of “rights” to various users based upon permission levels and communications protections via an integrated firewall (in the CP 1543-1). There is no mention of how user identification is assured (passwords? key authentication? biometrics?). The issue of command/information encryption is also not addressed.
The discussion of ‘manipulation protection’ is even vaguer. It notes:
“The system protects the data being transmitted to the controller from unauthorized manipulation. The controller recognizes the transmission of engineering data that has been changed or comes from a strange source.”
There is no mention of how that data is protected (one would like to assume encryption) or how ‘changed engineering data’ is recognized. Again, this is an advertising brochure, not an engineering document, but one would like to see a little more meat on this very thin bone.
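To make concrete what a “recognizes changed or strange-source engineering data” claim would have to mean in engineering terms, here is an added illustration (not Siemens code, and not a description of how the S7-1500 or TIA Portal actually does it). It assumes a shared secret provisioned between the engineering station and the controller and uses a keyed MAC (HMAC-SHA256) so that the controller can reject a download that was altered in transit or produced by a party without the key. The sample project blob, key names and function names are all constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample: a stand-in for an engineering project blob sent to a controller.
ENGINEERING_BLOB = b"PROGRAM main; OUTPUT Q0.0 := I0.0 AND I0.1; END_PROGRAM"


def tag_engineering_data(key: bytes, data: bytes) -> bytes:
    """Engineering-station side: compute an HMAC-SHA256 tag over the blob.

    The tag binds the exact bytes of the download to whoever holds `key`.
    """
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_engineering_data(key: bytes, data: bytes, tag: bytes) -> bool:
    """Controller side: accept the download only if the tag verifies.

    compare_digest avoids leaking where the comparison failed via timing.
    A failure means the data was changed, or was tagged with a different
    key (i.e. came from a source the controller was not provisioned for).
    """
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run three downloads against a controller provisioned with station_key."""
    station_key = os.urandom(32)  # assumed shared secret, provisioned out of band
    foreign_key = os.urandom(32)  # key held by an unprovisioned ("strange") source

    genuine_tag = tag_engineering_data(station_key, ENGINEERING_BLOB)
    tampered_blob = ENGINEERING_BLOB.replace(b"AND", b"OR")
    foreign_tag = tag_engineering_data(foreign_key, ENGINEERING_BLOB)

    return {
        # unchanged blob, correct key: accepted
        "genuine": verify_engineering_data(station_key, ENGINEERING_BLOB, genuine_tag),
        # logic altered after tagging: rejected
        "modified": verify_engineering_data(station_key, tampered_blob, genuine_tag),
        # same logic but tagged by an unprovisioned source: rejected
        "strange_source": verify_engineering_data(station_key, ENGINEERING_BLOB, foreign_tag),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Note what this does and does not give you: a MAC answers the “changed or from a strange source” question, but it provides no confidentiality, so the author's separate question about encryption of the engineering data remains open. It also depends entirely on how the key is provisioned and protected, which is exactly the kind of detail the brochure omits.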
Siemens is certainly making the effort to talk-the-talk, but we have a ways to go to see how well they are walking-the-walk. We have already seen multiple vulnerabilities (here and here) reported in their TIA Portal; the large group of vulnerabilities seems to have been fixed promptly. The second (and older) vulnerability has just been addressed with a workaround (keep it disabled when not in actual use?); apparently no actual fix is planned.
I would be much happier with the Siemens security commitment if I had heard that they had provided some devices to some well-known security researchers to check for vulnerabilities. If Rios & McCorkle, Beresford, Toecker, or Langner (to name just a few of the qualified candidates) were given a chance to have a go at the new product and found nothing, I would be very impressed with the change in engineering at Siemens. If they did find something wrong (and I suspect that all ICS equipment will have readily findable faults for the near term), but the vulnerabilities were rapidly fixed, I would still be impressed. Hell, just making the devices available would impress me.
As it is, time will tell how well Siemens is executing the security responsibility that they are beginning to take seriously in their advertising.