Siemens PLC Analysis Report

Thursday, August 11, 2011 @ 06:08 PM gHale

By Gregory Hale
After a summer of problems plaguing the Siemens SIMATIC Step 7 (S7) Programmable Logic Controller (PLC) line, the automation giant is finally reacting and working toward a solution for its PLC issues.

In a report issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Siemens and the researcher who found the issues, Dillon Beresford of NSS Labs, continue to work through the vulnerabilities.


A portion of the issues involve commands sent to and from the Siemens SIMATIC S7 PLC line using the International Organization for Standardization Transport Service Access Point (ISO-TSAP) protocol, which runs over TCP port 102.

The ISO-TSAP protocol functions to specification, according to the ICS-CERT analysis, but it performs no authentication and its payloads are neither encrypted nor obfuscated. Like ISO-TSAP, the protocols used in industrial control systems (ICSs) were designed with interoperability in mind and were intentionally built without security features in an effort to be as open as possible, the report says. As a result, improving security may require extensive architectural changes, including built-in or layered-on techniques to enhance protocol security, and those changes could negatively affect interoperability and performance.

The reported issues affect various models in the Siemens SIMATIC S7 product line, including:
• S7-200
• S7-300
• S7-400
• S7-1200.

All reported issues require the attacker to have direct access to the PLC or access to the automation network to be successful. Access to the automation network allows an attacker complete control of the PLC, with the ability to execute unauthorized commands and read/write memory on the PLC. These unauthorized changes can result in the loss of process control, possibly causing damage to critical ICSs.

“I am impressed with the thoroughness of work performed by Dillon Beresford at NSS Labs,” said Joel Langill, chief technology officer at security provider SCADAhacker. “He has not only shown the extensive vulnerabilities that exist outside of the traditional IT platforms like Windows boxes, but how easy these are to exploit without requiring significant knowledge of how these devices work.

“People close to ICS security should not be surprised that many of the protocols used within ICS architectures transmit information in cleartext. We also all realize that there is little in the way of authenticating the source of commands prior to their execution. What many may not be aware of is that there are technologies that exist today that can be installed to compensate for these weaknesses without sacrificing performance.

“I believe that the work of Beresford is just the beginning, and that no vendors are exempt from similar vulnerabilities. The majority of the control systems installed today represent technology that is close to 10 years old. These systems represent a significant risk from a cyber attack, and hopefully the work of Beresford will be a call to action for owners and operators that these systems need to be assessed for their vulnerability exposure, mitigated with comprehensive defense-in-depth security controls, and continually monitored for their effectiveness.”

Siemens SIMATIC S7 PLCs see use in applications worldwide, including energy, water and wastewater, oil and gas, chemical, building automation, and manufacturing.

ICS-CERT categorized each of the reported issues into one of four general categories.
1. Use of an open communication protocol
This category relates to the use of an open protocol, ISO-TSAP, for communications. ISO-TSAP was not designed to be a secure protocol and is open to analysis. A PLC, its supporting engineering workstation software, and other tools are required to conduct this analysis. If the PLC is not configured with password protection, any command that can be sent from the engineering workstation can be captured, modified, and replayed to the PLC.

2. Bypass of a password protection mechanism
This category relates to the ability to bypass a password mechanism in place to prevent unauthorized access to commands and actions on the PLC.

3. Denial-of-service (DoS) attacks putting the PLC into the stop/defective state
This category relates to DoS attacks that put the PLC into a defective state. The DoS issues do not exist because of the open protocol specification but are the result of the implementation or usage of the protocol.

4. Access to embedded software within the PLC and hardcoded credentials
This category relates to access to software that Siemens has embedded into the PLC, generally to support troubleshooting and diagnostics of the PLC.

Other vulnerabilities have been reported, but neither Siemens nor ICS-CERT has confirmed them; both have them under review, according to the ICS-CERT report.

Currently, one patch is available that addresses two of the reported issues that affect S7-1200 PLCs.

Because of design decisions the control system industry made in the past to foster interoperability, it will not be possible to provide near-term patches for all of the reported issues, the report said. In some cases, attempting to retrofit or patch these devices could break the communications they depend on, potentially resulting in a loss of process control. Where patching is not possible, near-term mitigations will take the form of defense-in-depth practices until long-term architectural changes can be safely developed, adopted, and deployed.

Users of the Siemens SIMATIC S7 product line should consider employing all currently available mitigation strategies. These strategies include a patch developed by Siemens and other defensive measures to harden the automation network environment.

Siemens released a patch that addresses two of the reported issues in the S7-1200 PLC. ICS-CERT confirmed that the patch resolves the bypass of a PLC password protection algorithm and a DoS vulnerability in the web server embedded in the PLC firmware, both as reported by the researcher.

Siemens’ security advisory and the patch are available from Siemens.

Users of any of the Siemens SIMATIC S7 PLCs should consider employing defensive measures to improve the security posture of their automation network, such as:
• Configure and maintain user and administrative accounts using a strong account management policy.
• Enable password protection where possible.
• Use strong passwords.
• Remove default accounts if unneeded. Change the password of default accounts that are needed.
• Disable all unused accounts.
• Configure an intrusion detection system (IDS) to monitor traffic for unusual or unauthorized activity.
• Monitor traffic on the ISO-TSAP protocol, Port 102/TCP.
• Monitor traffic being unexpectedly sent outside the automation network.
• Monitor traffic between workstations. This traffic may be indicative of attacker pivoting through your network.
• Use firewalls to manage communication to and within the automation network.
• Locate control system networks and remote devices behind firewalls and isolate them from the business network.
• Limit traffic on the automation network. Only allow necessary traffic from identified sources to communicate with the S7 PLCs.
• Allow only known and verified MAC addresses to communicate with appropriate resources on the automation network. For instance, do not permit a policy allowing any engineering workstation to communicate with all PLCs on the automation network.
• Block Telnet and HTTP traffic to PLCs, even inside the ICS network.
• Block SSL traffic into the automation network except what is required for proper operation. This action limits SSL tunneling.
• Manage workstations and other devices on the automation network.
• Enforce least-privilege user accounts. Do not grant permissions that are beyond what is needed to perform required actions.
• Use application whitelisting protection on engineering and operator workstations.
• Use virus protection on workstations. Ensure the latest virus signature updates are deployed.
• Patch the Operating System and other software running on the workstation.
• If IDS or IPS devices are utilized on the control system network, consider adding a rule to watch for the string “Basisk.”
• Take measures to prevent social engineering attacks.
• Do not click web links or open unsolicited attachments in email messages.
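Several of the mitigations above (monitor port 102/TCP, allow only identified sources to reach the PLCs, watch for the string “Basisk”) can be expressed as one small inspection routine. The script below is an added example, not ICS-CERT or Siemens code: it parses the TPKT (RFC 1006) and COTP headers that carry ISO-TSAP traffic, checks the source against an allowlist, and matches the watch string in the cleartext user data. The MAC and IP addresses, the allowlist, and the sample packets are all constructed for the example.

```python
"""Port-102 (ISO-TSAP, RFC 1006) traffic monitor for an automation network.

Added example, not ICS-CERT or Siemens code. It parses the TPKT and COTP
headers that carry S7 traffic, enforces a source allowlist for PLC access,
and flags the "Basisk" string from the ICS-CERT mitigation list. Because
ISO-TSAP is cleartext, a plain substring match on the user data is enough.
All packets below are constructed inline so the script runs offline.
"""
import struct

ISO_TSAP_PORT = 102
WATCH_STRING = b"Basisk"

# Hypothetical allowlist (assumption for the example): one engineering
# workstation, identified by MAC and IP, may reach exactly these two PLCs.
ALLOWED_SOURCES = {
    ("00:1b:1b:12:34:56", "192.168.10.10"): {"192.168.10.101", "192.168.10.102"},
}

# COTP (ISO 8073 class 0) PDU types; the high nibble carries the type.
COTP_TYPES = {0xE0: "CR", 0xD0: "CC", 0x80: "DR", 0xF0: "DT"}


def parse_tpkt_cotp(payload):
    """Return (tpkt_len, cotp_type, user_data); raise ValueError if malformed."""
    if len(payload) < 4 or payload[0] != 0x03 or payload[1] != 0x00:
        raise ValueError("not a TPKT header")
    (tpkt_len,) = struct.unpack("!H", payload[2:4])
    if tpkt_len != len(payload):
        raise ValueError("TPKT length %d != %d bytes on the wire" % (tpkt_len, len(payload)))
    if len(payload) < 5:
        raise ValueError("truncated COTP header")
    li = payload[4]                      # COTP length indicator (excludes itself)
    if li < 1 or 5 + li > len(payload):
        raise ValueError("COTP length indicator overruns packet")
    cotp_type = COTP_TYPES.get(payload[5] & 0xF0)
    if cotp_type is None:
        raise ValueError("unknown COTP PDU type 0x%02x" % payload[5])
    return tpkt_len, cotp_type, payload[5 + li:]


def inspect(packet):
    """Return a list of (severity, reason) alerts for one packet dict."""
    alerts = []
    if packet["dst_port"] != ISO_TSAP_PORT:
        return alerts                    # only ISO-TSAP is in scope here
    src = (packet["src_mac"], packet["src_ip"])
    if packet["dst_ip"] not in ALLOWED_SOURCES.get(src, set()):
        alerts.append(("high", "port 102 to %s from non-allowlisted %s/%s"
                       % (packet["dst_ip"], src[0], src[1])))
    try:
        _, cotp_type, data = parse_tpkt_cotp(packet["payload"])
    except ValueError as exc:
        alerts.append(("medium", "malformed ISO-TSAP frame: %s" % exc))
        return alerts
    if cotp_type == "CR":
        alerts.append(("info", "new ISO-TSAP connection request"))
    if WATCH_STRING in data:
        alerts.append(("high", "watch string %s in ISO-TSAP user data" % WATCH_STRING.decode()))
    return alerts


def tpkt(cotp_header, user_data=b""):
    """Wrap a COTP header plus user data in a TPKT frame (used to build samples)."""
    body = bytes([len(cotp_header)]) + cotp_header + user_data
    return b"\x03\x00" + struct.pack("!H", 4 + len(body)) + body


# Connection Request: type, dst ref, src ref, class 0, then src/dst TSAP and TPDU size.
COTP_CR = bytes.fromhex("e0 0000 0001 00 c1020100 c2020102 c0010a")
COTP_DT = bytes.fromhex("f0 80")     # Data TPDU with end-of-TSDU set


def _pkt(mac, ip, dst_ip, dst_port, payload):
    return {"src_mac": mac, "src_ip": ip, "dst_ip": dst_ip,
            "dst_port": dst_port, "payload": payload}


# Constructed traffic: the allowlisted workstation, then an unknown host.
SAMPLE_PACKETS = [
    _pkt("00:1b:1b:12:34:56", "192.168.10.10", "192.168.10.101", 102, tpkt(COTP_CR)),
    _pkt("00:0c:29:aa:bb:cc", "192.168.10.77", "192.168.10.101", 102, tpkt(COTP_CR)),
    _pkt("00:0c:29:aa:bb:cc", "192.168.10.77", "192.168.10.101", 102, tpkt(COTP_DT, b"Basisk\n")),
    _pkt("00:0c:29:aa:bb:cc", "192.168.10.77", "192.168.10.101", 102, b"\x03\x00\x00\x99\x02\xf0\x80"),
    _pkt("00:0c:29:aa:bb:cc", "192.168.10.77", "192.168.10.1", 443, b"\x16\x03\x01"),
]


def run(packets):
    """Inspect every packet and return {index: alerts} for those that fired."""
    results = {}
    for i, packet in enumerate(packets):
        alerts = inspect(packet)
        if alerts:
            results[i] = alerts
    return results


if __name__ == "__main__":
    for i, alerts in run(SAMPLE_PACKETS).items():
        for severity, reason in alerts:
            print("packet %d [%s] %s" % (i, severity, reason))
```

In practice the same checks would live in an IDS rule set or a Zeek script fed by a span port on the automation network switch rather than in a standalone script, but the logic is the same. Two caveats: a MAC/IP allowlist only raises the bar, since both can be spoofed by a host already on the segment, so it belongs alongside the firewall and segmentation measures above; and the string match works only because ISO-TSAP carries its payload in cleartext, which is the same property that makes the protocol easy to replay.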
