
Friday, August 12, 2011

ICS-CERT Publishes Summary of Siemens PLC Vulnerabilities


Yesterday the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published a new advisory summarizing the currently available information about vulnerabilities identified in the Siemens SIMATIC S7 PLC product line. Much of the information in this Advisory has been made available in previous ICS-CERT Alerts. Two of the issues have not been publicly identified/acknowledged by ICS-CERT prior to this and details are still only available through limited distribution on the CERT Portal.

Vulnerabilities


The vulnerabilities have been placed into four general categories by ICS-CERT. Those categories are:

• Use of an open communication protocol (ISO-TSAP);

• Bypass of a password protection mechanism;

• Denial-of-service (DoS) attacks putting the PLC into the stop/defective state; and

• Access to embedded software within the PLC and hardcoded credentials.

The previously unidentified issues concern:

• Unauthorized disabling of a password protection mechanism (Confirmed in S7-1200 Patched PLCs; Unconfirmed in S7-200, S7-300 and S7-400)

• Denial-of-service (DoS) vulnerability in the Web server embedded in the PLC firmware (Confirmed in S7-1200 Patched)

To make matters more confusing, ICS-CERT notes that there are other unconfirmed potential vulnerabilities that they are still looking at. The Advisory states:

“ICS-CERT is aware of reports of other potential vulnerabilities that are claimed to affect SIMATIC S7 PLCs. This information has not been coordinated directly with ICS-CERT or with Siemens. The available information relating to other potential vulnerabilities is being reviewed and evaluated by ICS-CERT and Siemens and, therefore, is not yet ready for public release.” (Page 7)

PLC/Network Access Required


ICS-CERT notes in this advisory that exploitation of the currently identified vulnerabilities requires “direct access to the PLC or access to the automation network to be successful” (page 4). While the Advisory never explicitly states this, it does imply in the mitigation measures section that social engineering attacks could give an attacker the requisite access to the ‘automation network’. This should have been clearly stated in the Advisory, since the current language gives the impression that the vulnerabilities discussed are relatively difficult to exploit because of this access requirement.

Read Between the Lines


In my opinion, one of the most important bits of cybersecurity information in this Advisory is found in the overview discussion on page 1. The relevant portion of that discussion is:

“A portion of the reported issues involve commands being transmitted using the International Organization for Standardization Transport Service Access Point (ISO-TSAP) protocol. According to ICS-CERT analysis, the ISO-TSAP protocol is functioning to specifications; however, authentication is not performed nor are payloads encrypted or obfuscated. Like ISO-TSAP, many protocols used in industrial control systems (ICSs) were designed with interoperability in mind and were intentionally designed without security features [emphasis added] to be as open as possible. As a result, improving ICS security may require extensive architectural changes, including the addition of built-in or layered-on techniques to enhance protocol security. Changes necessary to improve protocol security could negatively impact interoperability and performance.”

This clearly indicates that the current Siemens PLC issues are not limited to Siemens equipment. This is not new information. It has been discussed in a number of blogs, but this is the first time that I have seen it discussed in official sources. It would have been helpful if ICS-CERT had more specifically stated that essentially all PLCs and numerous other ICS devices are affected by the underlying communications protocol issues.

Wednesday, July 6, 2011

ICS-CERT Publishes another Siemens Alert

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an alert for a vulnerability in the Siemens SIMATIC S7-200, S7-300, and S7-400 PLCs. ICS-CERT is reporting that this vulnerability is the same replay attack vulnerability that was included in the Dillon Beresford vulnerabilities identified in the S7-1200 SIMATIC PLCs. Actually this Alert provides more details about this particular vulnerability than did the earlier alert.

The replay vulnerability allows an attacker with access to the control system network to intercept the unencrypted password used in communications between the PLC and other control system elements. This could allow an attacker to make unauthorized changes to the PLC operation.
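Because ISO-TSAP carries neither authentication nor encryption, and a captured password can simply be presented again, the practical control on the owner's side is knowing which hosts are opening sessions to the PLCs at all. The following is an added example (not from ICS-CERT, Siemens or this blog) that scans constructed flow-log lines for sessions to S7 PLCs on ISO-TSAP (TCP/102) or the embedded web server (TCP/80) from hosts outside an assumed engineering-station allowlist; the addresses, allowlist and log layout are assumptions.

```python
"""Detection example: flag sessions to S7 PLCs on the services the advisory
discusses, ISO-TSAP (TCP/102, RFC 1006) and the PLC's embedded web server
(TCP/80), when they come from hosts that are not approved engineering
stations.  PLC addresses, the allowlist and the log lines are constructed."""
from collections import Counter

# Port -> service name; 102 is the IANA-registered ISO-TSAP port.
MONITORED_SERVICES = {102: "ISO-TSAP", 80: "embedded web server"}

# Constructed asset inventory for the automation network (assumption).
PLC_HOSTS = {"10.10.1.20", "10.10.1.21"}   # S7 PLCs
APPROVED_CLIENTS = {"10.10.1.5"}            # engineering workstation / HMI

# Constructed flow log: "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2011-08-11T09:00:01 10.10.1.5 49152 10.10.1.20 102 tcp
2011-08-11T09:00:07 10.10.1.5 49153 10.10.1.21 102 tcp
2011-08-11T09:02:15 10.10.1.77 51000 10.10.1.20 102 tcp
2011-08-11T09:02:16 10.10.1.77 51001 10.10.1.21 102 tcp
2011-08-11T09:03:00 10.10.1.30 40000 10.10.1.20 80 tcp
2011-08-11T09:04:30 10.10.1.77 51002 10.10.1.20 80 tcp
2011-08-11T09:05:00 10.10.1.77 51003 10.10.1.40 102 tcp
"""

def parse_flow(line):
    ts, src, _sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def unexpected_plc_access(flows, plcs=PLC_HOSTS, approved=APPROVED_CLIENTS):
    """Return (flow, service) pairs where a non-approved host reaches a PLC
    on a monitored service.  ISO-TSAP itself authenticates nobody, so the
    source address is the only thing a passive monitor can vet."""
    hits = []
    for f in flows:
        svc = MONITORED_SERVICES.get(f["dport"])
        if f["proto"] == "tcp" and svc and f["dst"] in plcs and f["src"] not in approved:
            hits.append((f, svc))
    return hits

def offenders(hits):
    """Rank sources by how many PLC sessions they opened; one host
    touching several PLCs is the pattern worth escalating first."""
    return Counter(f["src"] for f, _ in hits)

if __name__ == "__main__":
    flows = [parse_flow(l) for l in SAMPLE_FLOWS.splitlines()]
    hits = unexpected_plc_access(flows)
    for f, svc in hits:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({svc})")
    print(offenders(hits))
```

The sample flags four sessions, all from the two hosts that are not on the allowlist; the connection to 10.10.1.40 is ignored because that address is not in the PLC inventory.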

According to the Alert, ICS-CERT is working with Siemens to develop specific mitigation measures for this vulnerability and is recommending some generic security measures as an interim strategy for owners of these PLCs. Siemens has a document describing the vulnerability in these PLCs available on their web site.

This Alert comes at an inopportune time for Siemens. Last week, at an automation conference, Siemens had done a lot to convince the cyber security community that it had become more proactive in dealing with security issues. Then ICS-CERT published an Advisory Friday for a Siemens WinCC vulnerability and now this Alert, neither of which was addressed by Siemens last week at the Conference.

An interesting Twitter conversation (see @digitalbond, @tofinosecurity, @mtoecker and @pjcoyle) had already developed this weekend about why Siemens had not announced the Friday vulnerability at the Conference, when they knew it would be reported by ICS-CERT the day after the conference ended. This Alert further calls into question Siemens' commitment to openly discuss security issues with the ICS community and their customers.