Siemens PLC Security Alert

Wednesday, July 6, 2011 @ 04:07 PM gHale

By Gregory Hale
There is a potential security weakness in the programming and configuration client software authentication mechanism used by the Siemens SIMATIC S7 family of programmable controllers, including the S7-200, S7-300, S7-400, and the S7-1200, Siemens officials said.

The potential exists for an attacker with access to the product or the control system communication link, to intercept and decipher the product’s password and potentially make unauthorized changes to the product’s operation.

Summit: For End Users Security 101
Summit: Analyzing Stuxnet with Siemens
Summit: Stuxnet a Turning Point
Summit: Prepare for All Types of Attacks
Summit: Get Grounded; No Hysteria

ICS-CERT is continuing to coordinate with Siemens concerning vulnerabilities affecting Siemens SIMATIC Programmable Logic Controllers (PLCs).

“Those involved in security control systems have been aware for some time of the weaknesses associated with privacy of data within the protocols used for control systems,” said Joel Langill, chief technology officer at SCADAhacker. “Many people have chosen to take the approach that if they can protect logical access to the network, that this is not a threat with significant probability. As we have seen with targeted attacks like Stuxnet and Night Dragon, it is not all that difficult to gain logical access to the control system networks once you have successfully gained access to the business or enterprise network. Once this is done, it is rather straightforward to perform further reconnaissance that leads to complete system ownership.

“I believe that Siemens is aware of this problem, which is why they are working on a new line of communication processors that will allow these legacy, industry standard protocols to remain, while offering new methods of data encryption that will protect the privacy of this data while it traverses a rather insecure and vulnerable network architecture.”

You can click here for updates and recommendations.

Potential threat scenarios could include unauthorized attempts by wiretapping and manipulation to decipher product passwords. This requires circumvention of the usual industrial security measures and an unrestricted access to the automation network.

In May, security researcher Dillon Beresford of NSS Labs reported multiple vulnerabilities to ICS-CERT that affect the Siemens Simatic S7-1200 micro PLC as reported in ICS-CERT Alert 11-161-01. The replay attack vulnerabilities affecting the S7-1200 also have undergone verification to show they affect the SIMATIC S7-200, S7-300, and S7-400 PLCs. Siemens PLCs configured with password protection are still susceptible to a replay attack.

Commands between the affected PLCs and other devices transmit using the International Organization for Standardization Transport Service Access Point (ISO-TSAP) protocol.

The ISO-TSAP protocol is functioning to specifications; however, there is no authentication or payloads encrypted or obfuscated, according to ICS-CERT analysis. Like ISO-TSAP, the intent for quite a few protocols used in industrial control systems were to be open and without security features.

An attacker with access to the PLC or the automation network could intercept the PLC password and make unauthorized changes to the PLC operation.

“I hope that everyone understands that this is not a problem limited to Siemens and their technologies, but faces most vendors supplying automation equipment today,” Langill said. “Modbus is one of these most widely used protocols in automation, yet is also one of the easiest to hijack and replay malicious commands. I have been able to demonstrate that even with vendors that use some form of authentication communicating between clients-servers-controllers, such as NTLM authentication over DCERPC, would also allow an attacker with logical access to the network to crack the passwords used.”

“To me the issue here is the ability ‘to intercept and decipher the product’s password,’ ” said Eric Byres, chief technology officer at Byres Security. “So customers think they are more secure than they are. There is a high probability that end-users believe they are secure because of the PLC passwords and they are not.

“This is not unique to Siemens – all the major PLCs are as bad if not worse and we will see a storm of these notices over the next few months,” he said.

The full impact to individual organizations is dependent on multiple factors unique to each organization. ICS-CERT recommends organizations evaluate the impact of these vulnerabilities based on their environment, architecture, and operational product implementation.

The following mitigations can reduce the risk of impact by the reported vulnerabilities:
• ICS-CERT and Siemens recommend that asset owners/operators apply a properly configured strong password to each PLC. Changing this password frequently and using unique passwords, when possible, will reduce exposure to this vulnerability.
• Defense-in-depth strategies for enterprise and control system networks; see the ICS-CERT Recommended Practice document, Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies and Siemens’ Industrial Security website for more information on how to apply these measures.
• Siemens recommends concerned customers block all traffic to the PROFIBUS, MPI, and PROFINET protocol-based devices from outside the Manufacturing Zone by restricting or blocking Ethernet access to 102/TCP and 102/UDP, using appropriate security technology.
• Restrict remote access to enterprise and control system networks and diligently monitor any remote connections allowed; employ Virtual Private Network for any remote system connections.

Siemens published safety guidelines, which operators of industrial plants can follow to minimize the risk of external intervention from the start. Recommended measures include limiting physical and electronic access to the automation products, implementation of multi-level security concepts by establishing safe production islands, setting up and monitoring of firewalls, as well as regularly changing passwords.

Siemens is not aware of any incidents in this context involving attacks on industrial plants, and consequently no manipulation or damage has occurred, Siemens officials said.

Leave a Reply

You must be logged in to post a comment.