Even more Siemens industrial control systems vulnerable
The US ICS-CERT has issued a warning explaining that the recently reported replay attacks on control systems (Programmable Logic Controllers or PLCs) sold by Siemens affect more models than previously believed. In such attacks, attackers can get access to the automation network and send unauthorised commands to a PLC, allowing them to shut it down, for instance.
Three weeks ago, Siemens believed its SIMATIC S7-1200, a relatively rarely used system, was the only one vulnerable. It now turns out that the very popular SIMATIC S7-200, S7-300 and S7-400 are also vulnerable. Attackers are able to sniff the traffic between PLCs and other systems and replay packets (with commands) later. According to the report, the attack partly works because the International Organization for Standardization Transport Service Access Point (ISO-TSAP) protocol used for communication does not support authentication or encryption.
ICS-CERT says that such industrial communication protocols were designed to be open. The lack of security functions was not a problem while such systems ran in closed environments, but they are increasingly networked, which increases the risk.
In its warning, ICS-CERT does not say whether the devices are also vulnerable to the DoS hole reported for the S7-1200. Siemens and ICS-CERT say they are working to solve the problem. For the time being, Siemens recommends blocking external access to PROFIBUS, MPI and PROFINET. To do so, the firm says that TCP and UDP port 102, used by ISO-TSAP, must be blocked. Siemens also points out, rather boldly, that it sells firewall products for PLCs too.
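The two defensive points in the article, that ISO-TSAP on port 102 should only be reachable from inside the automation network and that the protocol itself cannot tell a replayed packet from a genuine one, can both be checked from flow or firewall logs. The script below is an added example written for this page; it is not code from Siemens, ICS-CERT or the article. The engineering subnet, the flow records and the payload bytes are all constructed placeholders, not real S7 frames or a real network.

```python
"""Defender-side checks for ISO-TSAP (TCP/UDP 102) traffic to PLCs.

Added example for this page; not Siemens or ICS-CERT code. All addresses,
flow records and payload bytes below are constructed for illustration.
"""
import hashlib
import ipaddress

ISO_TSAP_PORT = 102  # port Siemens says to block for external access

# Assumption (constructed): only hosts in this subnet (HMIs, engineering
# stations) may legitimately speak ISO-TSAP to the PLCs.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed flow records standing in for firewall/NetFlow logs.
# The payloads are placeholders, not genuine S7 protocol frames.
SAMPLE_FLOWS = [
    {"ts": 100, "src": "10.10.5.20", "dst": "10.10.7.1", "dport": 102, "payload": b"PLC-STOP-PLACEHOLDER"},
    {"ts": 101, "src": "10.10.5.20", "dst": "10.10.7.1", "dport": 102, "payload": b"READ-STATUS-PLACEHOLDER"},
    {"ts": 102, "src": "10.10.5.20", "dst": "10.10.7.1", "dport": 102, "payload": b"READ-STATUS-PLACEHOLDER"},
    {"ts": 950, "src": "192.168.50.9", "dst": "10.10.7.1", "dport": 102, "payload": b"PLC-STOP-PLACEHOLDER"},
    {"ts": 951, "src": "10.10.5.21", "dst": "10.10.7.2", "dport": 502, "payload": b"MODBUS-PLACEHOLDER"},
]


def is_allowed_source(src):
    """True if the source address lies inside the permitted engineering subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def unauthorised_port102_flows(flows):
    """Return (src, dst) pairs for port-102 flows from outside the allowed subnet.

    This is the policy the Siemens advice implies: such flows should have been
    dropped at the perimeter, so any that appear in the logs merit a look.
    """
    return [
        (f["src"], f["dst"])
        for f in flows
        if f["dport"] == ISO_TSAP_PORT and not is_allowed_source(f["src"])
    ]


def find_replays(flows):
    """Heuristic replay indicator for an unauthenticated protocol.

    A payload first sent to a PLC by one host that later arrives byte-for-byte
    identical from a different host is flagged. Repeats from the same HMI are
    normal polling and are deliberately not flagged. This only approximates
    what a protocol with authentication and freshness would prevent outright.
    """
    first_seen = {}  # (dst, payload digest) -> first source host
    hits = []
    for f in sorted(flows, key=lambda r: r["ts"]):
        if f["dport"] != ISO_TSAP_PORT:
            continue
        digest = hashlib.sha256(f["payload"]).hexdigest()
        origin = first_seen.setdefault((f["dst"], digest), f["src"])
        if origin != f["src"]:
            hits.append({"dst": f["dst"], "first_src": origin,
                         "replay_src": f["src"], "ts": f["ts"]})
    return hits


if __name__ == "__main__":
    for src, dst in unauthorised_port102_flows(SAMPLE_FLOWS):
        print(f"port 102 from outside engineering subnet: {src} -> {dst}")
    for h in find_replays(SAMPLE_FLOWS):
        print(f"possible replay to {h['dst']}: payload first seen from "
              f"{h['first_src']}, repeated by {h['replay_src']} at t={h['ts']}")
```

On the constructed sample the first check reports the single flow from 192.168.50.9, and the replay heuristic flags the same flow because its payload matches one the HMI sent earlier. Both checks are only as good as the log source: a replay launched from inside the allowed subnet by a compromised host is invisible to the first check, which is why the article's point about the protocol lacking authentication matters more than any perimeter rule.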