Siemens fixes vulnerabilities in automation systems
Siemens has released a firmware update for its SIMATIC S7-1200 programmable logic controllers (PLCs) that fixes a known vulnerability. According to a security advisory, the PLC was vulnerable to replay attacks, in which an attacker records network traffic between the controller and its programming or engineering software and later resends it.
PLCs normally operate autonomously, but can also be controlled using appropriate software. According to Siemens, a replay attack could, for example, be used to stop a PLC, and the attacker would not need to know the password. Where passwords have been assigned, the replay will not work against other PLCs on the same network as long as they have different passwords; where other PLCs share the same password, the recorded commands could be used to control them as well. Siemens therefore advises using a different, strong password for each device.
The patch will prevent future replay attacks. US-based ICS-CERT has confirmed the effectiveness of the patch. Siemens points out that a successful attack would require access to the automation network. This does represent a significant hurdle, but, as worms such as Stuxnet have shown, it is not insurmountable. The replay vulnerability can be exploited from any (infected) computer connected to the automation network.
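The following toy model illustrates the replay behaviour described above. It is an added example, not Siemens' code and not the S7 protocol: the frame layout, the password-keyed HMAC, the `STOP`/`RUN` commands and the passwords are all constructed here. It shows that a recorded, validly authenticated frame is accepted again later without the attacker ever learning the password, that the same capture works against a second controller sharing that password but not against one with a different password, and that binding a controller-issued single-use challenge into the authenticator rejects the replay.

```python
import hashlib
import hmac
import os

# Constructed for this example: commands are authenticated with a
# password-keyed HMAC-SHA256. This is NOT the S7 protocol; it only models
# the property described in the advisory (a recorded, valid frame stays valid).


def build_frame(password: bytes, command: bytes, nonce: bytes = b"") -> bytes:
    """Engineering-station side. With an empty nonce the tag depends only on the
    password and the command text, so the frame can be replayed indefinitely."""
    tag = hmac.new(password, nonce + command, hashlib.sha256).hexdigest().encode()
    return nonce + b"|" + command + b"|" + tag


def verify_frame(password: bytes, frame: bytes):
    """Return (nonce, command) if the tag is valid for this password, else None."""
    nonce, command, tag = frame.split(b"|", 2)
    expected = hmac.new(password, nonce + command, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return nonce, command


class StaticAuthPLC:
    """Controller that checks the tag but has no freshness check (replayable)."""

    def __init__(self, password: bytes):
        self.password = password
        self.state = "RUN"

    def receive(self, frame: bytes) -> bool:
        parsed = verify_frame(self.password, frame)
        if parsed is None:
            return False
        _, command = parsed
        if command == b"STOP":
            self.state = "STOP"
        elif command == b"RUN":
            self.state = "RUN"
        return True


class NoncePLC(StaticAuthPLC):
    """Hardened variant: every command must carry a fresh, single-use challenge
    issued by the controller and bound into the tag."""

    def __init__(self, password: bytes):
        super().__init__(password)
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16).hex().encode()  # hex, so it can never contain '|'
        self._outstanding.add(nonce)
        return nonce

    def receive(self, frame: bytes) -> bool:
        parsed = verify_frame(self.password, frame)
        if parsed is None or parsed[0] not in self._outstanding:
            return False  # bad tag, or unknown / already-consumed challenge
        self._outstanding.discard(parsed[0])  # consume it: a second copy is rejected
        return super().receive(frame)


def replay_demo() -> dict:
    pw_line1, pw_line2 = b"line1-secret", b"line2-secret"  # constructed passwords
    plc_a = StaticAuthPLC(pw_line1)
    plc_b = StaticAuthPLC(pw_line1)  # shares plc_a's password
    plc_c = StaticAuthPLC(pw_line2)  # different password

    # An operator legitimately stops plc_a; an attacker on the automation
    # network records the frame but never learns pw_line1.
    captured = build_frame(pw_line1, b"STOP")
    assert plc_a.receive(captured) and plc_a.state == "STOP"
    plc_a.receive(build_frame(pw_line1, b"RUN"))  # operator restarts it

    results = {
        # Without the password the attacker cannot forge a fresh command...
        "forge_without_password": plc_a.receive(b"|STOP|" + b"0" * 64),
        # ...but the recorded frame is accepted again, and on any same-password device.
        "replay_same_plc": plc_a.receive(captured),
        "replay_shared_password": plc_b.receive(captured),
        "replay_different_password": plc_c.receive(captured),
    }

    hardened = NoncePLC(pw_line1)
    fresh = build_frame(pw_line1, b"STOP", hardened.challenge())
    results["nonce_first_use"] = hardened.receive(fresh)
    hardened.receive(build_frame(pw_line1, b"RUN", hardened.challenge()))
    results["nonce_replay"] = hardened.receive(fresh)  # same bytes, rejected
    return results


if __name__ == "__main__":
    for check, accepted in replay_demo().items():
        print(f"{check:28s} accepted={accepted}")
```

Run as a script it prints one line per check. The model also makes the per-device-password advice concrete: the capture is only as widely reusable as the password it was authenticated under, which is why unique passwords limit a replay to the device it was recorded from, while only a freshness mechanism such as the challenge in `NoncePLC` (which the firmware update is presumably adding in some form) stops the replay altogether.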
The firmware update also fixes a DoS vulnerability in SIMATIC S7-1200 PLCs. Scanning the Ethernet communication interface is apparently sufficient to bring the PLC to a stop. Siemens reports that only PLCs with firmware version 02.00.02 are affected by this issue. Exploitation can also be prevented by disabling the inbuilt web interface. According to Siemens, S7-300 and S7-400 series PLCs are not affected.
The update does not, however, mean that all vulnerabilities known to the vendor have been fixed. During penetration testing, security specialist Dillon Beresford of NSS Labs discovered further vulnerabilities and reported them to Siemens. Beresford had intended to demonstrate his findings at the TakeDownCon security conference in Dallas, but at the request of Siemens and ICS-CERT the presentation, "Chain Reactions: Hacking SCADA", was put on hold. Beresford will now present his findings at the Black Hat conference in August.