This morning the DHS ICS-CERT published another advisory for twin vulnerabilities in the Siemens SIMATIC STEP 7 TIA Portal. The vulnerabilities were separately discovered by the Quarkslab team and by Dmitry Sklyarov of PT-Security. Siemens has produced a patch to mitigate the vulnerabilities, but there is no indication that either research team has been given the opportunity to verify the efficacy of the patch.
The two vulnerabilities are:
● Man-in-the-Middle vulnerability - CVE-2015-1601; and
● Use of password with insufficient computational effort - CVE-2015-1602
ICS-CERT reports that it would be moderately difficult to construct a workable exploit for these two vulnerabilities. Siemens reports that access to the network path between client and server would be required for the first vulnerability and access to TIA project files would be required for the second.
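The second weakness class above (a password protected with too little computational effort) is easiest to see side by side with the fix. The block below is an added illustration, not Siemens code and not taken from either advisory: it contrasts a single unsalted hash with an iterated, salted PBKDF2-HMAC derivation, provides a constant-time verifier, and measures how much more work per guess the iterated form costs. Function names, iteration counts and the sample password are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed example, not vendor code. It demonstrates the weakness class
# "insufficient computational effort" against its mitigation: a salted,
# iterated key-derivation function.


def weak_store(password: str) -> bytes:
    """One round of unsalted SHA-256: no salt, no work factor.

    Every guess costs the attacker one hash, and identical passwords
    produce identical digests, so precomputed tables apply directly.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def strong_store(password: str, iterations: int = 200_000,
                 salt: Optional[bytes] = None) -> Tuple[bytes, bytes, int]:
    """Salted PBKDF2-HMAC-SHA256 with a configurable work factor.

    Returns (salt, digest, iterations) so the verifier can reproduce
    the derivation; the iteration count is stored alongside so it can
    be raised later without breaking existing records.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest, iterations


def strong_verify(password: str, salt: bytes, digest: bytes,
                  iterations: int) -> bool:
    """Re-derive and compare in constant time to avoid timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, digest)


def effort_ratio(password: str = "tia-project-sample",
                 iterations: int = 200_000, samples: int = 2000) -> float:
    """How many times more expensive one guess is under the strong scheme.

    The weak hash is timed over many samples because a single call is
    too fast to measure reliably; the ratio is per-guess cost.
    """
    start = time.perf_counter()
    for _ in range(samples):
        weak_store(password)
    weak_per_guess = (time.perf_counter() - start) / samples

    salt = os.urandom(16)
    start = time.perf_counter()
    strong_store(password, iterations=iterations, salt=salt)
    strong_per_guess = time.perf_counter() - start

    return strong_per_guess / weak_per_guess


if __name__ == "__main__":
    salt, digest, its = strong_store("tia-project-sample")
    print("verify correct :", strong_verify("tia-project-sample", salt, digest, its))
    print("verify wrong   :", strong_verify("wrong-guess", salt, digest, its))
    print("effort ratio   : %.0fx per guess" % effort_ratio())
```

The point of the stored iteration count is operational: when hardware gets faster, the work factor can be raised for new records and old ones re-derived at next successful login, which is the check a reviewer would want to see in any file-format or project password scheme.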
At some point we have to wonder why we are seeing so many Siemens advisories. In many cases (though certainly not most) the answer is self-reporting, and that is a mark of a current commitment to security. But sooooo many vulnerabilities, surely that is the sign of a basic problem?
Yes, there were certainly problems with the way that most of these programs were originally written. The mistakes we are seeing seem so basic now, but that is because we have been seeing them throughout the industry for the last few years. Siemens is now paying for the mistakes that they and most of the rest of the industry made back when security was a ‘non-issue’ because control systems were air gapped and so hard to understand.
Siemens is now facing much the same problem that Microsoft faced twenty years ago. Because of their size, familiarity and availability, researchers around the world are taking a hard look at Siemens products, knowing that they are going to find vulnerabilities. It may not be quite shooting fish in a barrel, but it is certainly fishing in a freshly stocked pond.
Many of these researchers are going to start to move on to the other suppliers in the field using the skills they honed working on Siemens gear. There will be more advisories for other vendors and people will laugh at how easy they were to find; unless the other vendors internalize those searches and fix the problems before the researchers find them.
And the Siemens advisories will continue. Siemens makes ever more complex products, with more and more capabilities. Mistakes will be made. More importantly, researchers (of whatever hat color) are also getting more and more sophisticated. They will find new types of vulnerabilities that we have not even thought about yet. Security designers and researchers will continue to be locked in a war of improving capabilities. And we users, we will be better for it.