Siemens PLC Security Vulnerabilities

Thursday, June 9, 2011 @ 07:06 PM gHale


Editor’s Note: Eric Byres, chief technology officer at Byres Security, is keeping an eye on vulnerabilities on the Siemens S7 PLC product. The following is an excerpt from his blog.

By Eric Byres
Dillon Beresford at NSS Labs discovered between four and six serious vulnerabilities in the Siemens S7 PLC product and that has created concern for critical asset owners.

Beresford claims that even though the attacks were developed on an S7-1200, other models of the S7 are also vulnerable. Siemens says otherwise, stating “The S7-300 and S7-400 controllers are not affected by the denial-of-service scenario, so there is no need for any firmware update with these controllers.” And NSS Labs states that “There is a possibility that PLCs from other vendors are similarly affected.”

The contradictions don’t stop there. In an interview, Beresford said, “They’re very easy to exploit. As long as you have access to [a PLC’s] network you will be able to exploit them.”

Meanwhile Siemens said, “While NSS Labs has demonstrated a high level of professional integrity by providing Siemens access to its data, these vulnerabilities were discovered while working under special laboratory conditions with unlimited access to protocols and controllers…”

NSS now promises to share the whole story at the Black Hat Conference, which runs August 2-3 in Las Vegas. And Siemens is promising patches possibly as early as next week.

Until more data comes out, here are a few “facts” from the various Siemens and NSS notices. Based on those facts, here are a few guesses and comments:

1. FACT: The exploits were developed against the S7-1200 PLC, which is not the same as the S7-300 and S7-400 PLC lines. The S7-1200 is a micro-PLC that is more common in machine and skid control and unusual in large critical processes.

2. FACT: At least one of the exploits is a Denial of Service (DoS) attack against the S7-1200 PLC, via its integrated web server.

3. GUESS: It is unlikely that this particular exploit is transferable to the S7-300 and S7-400 products. It might affect other vendors’ PLC products if the web server firmware is based on commercially available software. As I noted in another one of my blogs, PLC Security Risk: Controller Operating Systems, many ICS vendors purchase operating system and communications firmware components from 3rd party suppliers. These suppliers sell to many ICS product vendors, resulting in vulnerabilities that go beyond a single vendor.

4. COMMENT: In some respects, this vulnerability is no surprise, but it is also a sad comment on the state of PLC product security testing. Vulnerabilities in embedded web servers in controllers are legendary and often trivial to find. The S7-1200 was released less than two years ago and Siemens should have been testing for this sort of issue in their design and QA processes in a new product like this.

5. FACT: Another of the vulnerabilities is a replay attack against the S7-1200 PLC, using previously captured network traffic.

6. GUESS: This is probably a design flaw in the message authentication (aka password) mechanism in the PLC. The PLC checks programming messages to make sure they are addressed to that PLC, but not whether they are current (fresh) messages. This means an attacker can capture valid messages, such as a PLC stop command, and then replay them at a later time when it suits his or her nefarious purposes.

7. COMMENT: This vulnerability may extend to other S7 PLCs, as it is probably a design flaw and not a programming flaw. Notice Siemens is very careful in their wording on what products are affected – “The S7-300 and S7-400 controllers are not affected by the denial-of-service scenario.” They fail to mention this replay vulnerability.
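To make the design flaw described in points 6 and 7 concrete, here is an added example (not from Byres’ post, and not the S7 protocol, whose message format is not described here): a toy PLC that checks only addressing and authentication accepts a captured STOP command a second time, while one that also tracks a sequence number rejects the replay. The shared key, PLC names and message layout are constructed for the illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed shared secret standing in for the PLC's programming password.
KEY = b"constructed-shared-secret"

@dataclass(frozen=True)
class Message:
    target: str    # identifier of the PLC the message is addressed to
    command: str   # e.g. "STOP"
    seq: int       # sender's message counter
    tag: bytes     # HMAC over target|command|seq

def sign(target: str, command: str, seq: int) -> Message:
    body = f"{target}|{command}|{seq}".encode()
    return Message(target, command, seq, hmac.new(KEY, body, hashlib.sha256).digest())

def _tag_valid(msg: Message) -> bool:
    body = f"{msg.target}|{msg.command}|{msg.seq}".encode()
    return hmac.compare_digest(msg.tag, hmac.new(KEY, body, hashlib.sha256).digest())

class WeakPLC:
    """Checks only 'is this for me and correctly authenticated'; no freshness check."""
    def __init__(self, name: str):
        self.name = name
    def accept(self, msg: Message) -> bool:
        return msg.target == self.name and _tag_valid(msg)

class HardenedPLC(WeakPLC):
    """Additionally requires a strictly increasing sequence number under the tag."""
    def __init__(self, name: str):
        super().__init__(name)
        self.last_seq = 0
    def accept(self, msg: Message) -> bool:
        if not super().accept(msg) or msg.seq <= self.last_seq:
            return False
        self.last_seq = msg.seq
        return True

def replay_outcome(plc: WeakPLC) -> tuple:
    """Deliver one legitimate STOP message, then deliver the identical captured message again."""
    captured = sign(plc.name, "STOP", seq=1)
    first = plc.accept(captured)
    replayed = plc.accept(captured)   # byte-identical message, delivered later
    return first, replayed
```

The counter must survive controller restarts (or be replaced by a challenge nonce) for the hardened check to hold in practice; a counter that resets to zero on power-up reopens the same replay window.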

8. GUESS: Based on the shopping list of possible consequences listed by NSS, the other vulnerabilities are likely due to the fact that the protocol the S7-1200 uses to communicate to HMIs is a clear text protocol. This is certainly not news in the ICS world – virtually every ICS/SCADA protocol used today is clear text.

9. COMMENT: Chances are that all these vulnerabilities are not difficult to find or exploit, and more are waiting for the next researcher. Despite Siemens’ comments, I really doubt Beresford had “special laboratory conditions” with “unlimited access to the protocols”. Anyone can purchase an S7-1200 for a few hundred dollars and most of the tools are free.

So what does this all mean for the SCADA and ICS industry? What does it mean for ICS professionals responsible for the control system in a critical industrial plant? I will discuss both next.

Click here for a complete version of Byres’ blog.
