Friday, August 12, 2011

ICS-CERT Publishes Summary of Siemens PLC Vulnerabilities

Yesterday the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published a new advisory summarizing the currently available information about vulnerabilities identified in the Siemens SIMATIC S7 PLC product line. Much of the information in this Advisory has been made available in previous ICS-CERT Alerts. Two of the issues have not been publicly identified/acknowledged by ICS-CERT prior to this and details are still only available through limited distribution on the CERT Portal.


The vulnerabilities have been placed into four general categories by ICS-CERT. Those categories are:

• Use of an open communication protocol (ISO-TSAP);

• Bypass of a password protection mechanism;

• Denial-of-service (DoS) attacks putting the PLC into the stop/defective state; and

• Access to embedded software within the PLC and hardcoded credentials.

The previously unidentified issues concern:

• Unauthorized disabling of a password protection mechanism (Confirmed in S7-1200 Patched PLCs; Unconfirmed in S7-200, S7-300 and S7-400)

• Denial-of-service (DoS) vulnerability in the Web server embedded in the PLC firmware (Confirmed in S7-1200 Patched)

To make matters more confusing, ICS-CERT notes that there are other unconfirmed potential vulnerabilities that it is still examining. The Advisory states:

“ICS-CERT is aware of reports of other potential vulnerabilities that are claimed to affect SIMATIC S7 PLCs. This information has not been coordinated directly with ICS-CERT or with Siemens. The available information relating to other potential vulnerabilities is being reviewed and evaluated by ICS-CERT and Siemens and, therefore, is not yet ready for public release.” (Page 7)

PLC/Network Access Required

ICS-CERT notes in this advisory that exploitation of the currently identified vulnerabilities requires “direct access to the PLC or access to the automation network to be successful” (page 4). While the Advisory never explicitly states this, it does imply in the mitigation measures section that social engineering attacks could give an attacker the requisite access to the ‘automation network’. This should have been clearly stated in the Advisory, since the current language gives the impression that the vulnerabilities discussed are relatively difficult to exploit because of this access requirement.

Read Between the Lines

In my opinion one of the most important bits of cybersecurity information in this Advisory is found in the overview discussion on page 1. The relevant portion of that discussion is:

“A portion of the reported issues involve commands being transmitted using the International Organization for Standardization Transport Service Access Point (ISO-TSAP) protocol. According to ICS-CERT analysis, the ISO-TSAP protocol is functioning to specifications; however, authentication is not performed nor are payloads encrypted or obfuscated. Like ISO-TSAP, many protocols used in industrial control systems (ICSs) were designed with interoperability in mind and were intentionally designed without security features [emphasis added] to be as open as possible. As a result, improving ICS security may require extensive architectural changes, including the addition of built-in or layered-on techniques to enhance protocol security. Changes necessary to improve protocol security could negatively impact interoperability and performance.”

This clearly indicates that the current Siemens PLC issues are not limited to Siemens equipment. This is not new information. It has been discussed in a number of blogs, but this is the first time that I have seen this discussed in official sources. It would have been helpful if ICS-CERT had more specifically stated that essentially all PLCs and numerous other ICS devices are affected by the underlying communications protocol issues.
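The practical consequence of the two points above (ISO-TSAP performs no authentication, and exploitation needs access to the automation network) is that the network path is the only place a defender can enforce who is allowed to talk to a PLC. The following script is an added example, not part of the advisory or of any Siemens tooling: it reads simple connection records and flags ISO-TSAP sessions (TCP port 102, the RFC 1006 port S7 communication uses) that reach a PLC from a host that is not an approved engineering workstation. The automation network range, the engineering host allow-list, the PLC address and the log format are all constructed for the example.

```python
"""Flag ISO-TSAP (RFC 1006, TCP/102) sessions that reach a PLC from hosts
outside the approved engineering allow-list.

ISO-TSAP carries no authentication of its own, so "who may talk to the PLC"
can only be enforced on the network path. This script reads connection
records (constructed sample data below, not a real product log format) and
reports the sessions that the protocol itself could never refuse.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the automation network and the approved engineering hosts.
# These values are constructed for the example and are not from the advisory.
AUTOMATION_NET = ipaddress.ip_network("10.10.0.0/24")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.0.50")}
ISO_TSAP_PORT = 102  # RFC 1006: ISO transport over TCP, used by S7 communication


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def parse_record(line: str) -> Optional[Tuple[ipaddress.IPv4Address, int,
                                              ipaddress.IPv4Address, int]]:
    """Parse a 'src_ip src_port dst_ip dst_port' record; None if unparsable."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), int(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None


def audit(lines) -> List[Finding]:
    """Return one Finding per ISO-TSAP session to the automation network
    whose source is not an approved engineering host."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # skip malformed records rather than abort the audit
        src, _sport, dst, dport = rec
        if dport != ISO_TSAP_PORT or dst not in AUTOMATION_NET:
            continue  # not an ISO-TSAP session to a PLC on the automation network
        if src not in AUTOMATION_NET:
            findings.append(Finding(str(src), str(dst),
                                    "ISO-TSAP from outside the automation network"))
        elif src not in ENGINEERING_HOSTS:
            findings.append(Finding(str(src), str(dst),
                                    "ISO-TSAP from a non-engineering host on the automation network"))
    return findings


# Constructed sample records: an approved engineering session, a session from
# another host on the automation network, one from a corporate subnet, an
# unrelated HTTP session, and one malformed line.
SAMPLE_LOG = """\
10.10.0.50 49152 10.10.0.10 102
10.10.0.77 51000 10.10.0.10 102
192.168.1.23 40000 10.10.0.10 102
10.10.0.50 49153 10.10.0.10 80
garbage line
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

Run against the sample records, the audit reports the session from 10.10.0.77 (on the automation network but not an engineering host) and the one from 192.168.1.23 (outside the automation network); the approved engineering session and the HTTP session produce nothing. The same check can be fed from firewall or NetFlow exports once the record parser is adapted to that format.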
