Sunday, July 24, 2011

ICS-CERT Publishes Saturday Alert for Siemens PLCs

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an alert for the Siemens S7-300 and S7-400 PLCs. There is not much information in the alert, which is not unusual; if more information were available and/or ICS-CERT had been able to confirm the details, it would have been published as an ‘advisory’. The core information of the alert is found in two sentences:

“On July 23, 2011 an independent security researcher publicly announced a vulnerability affecting the Siemens S7-300 and S7-400 PLCs. The researcher claims that he was able to achieve a command shell using credentials he was able to acquire from the PLC.”

As of the publication of the alert yesterday, nobody was officially confirming or denying the existence of the reported vulnerability. This isn’t surprising, given that the underlying information was made public on Saturday.

It looks like the disclosure was made in a TWEET® by Dillon Beresford on Saturday. He posted:

“All S7-300/400s contain a hard coded password as I suspected, I decrypted the firmware image and located the password. We have a shell! WEWT”

It’s not clear yet if this ‘hard coded’ credential (it’s hard to accept the concept of a hard wired ‘password’) is a substantial part of the security measures that Siemens recently claimed protected these two PLC series from Stuxing. If it is, Siemens severely underestimated the ability and determination of security researchers (of both hat colors).

It will be interesting to see how Siemens deals with this tomorrow.
