The global site of the UK's leading magazine for automation, motion engineering and power transmission
18 March, 2024


Unpatchable cyber-flaws found on over 120 Siemens PLCs

11 January, 2023

US cyber-security researchers have discovered flaws affecting dedicated crypto-authentication chips at the heart of Siemens’ S7-1500 family of industrial controllers, and related products, which could allow attackers to execute malicious code on these devices.

Siemens has released a list of more than 120 products affected by the vulnerabilities. Because the flaws are associated with the controller hardware, they cannot be fixed by software updates or patches.

As well as Simatic S7-1500 PLCs, the products affected include Simatic Drive Controllers (which combine S7-1500 CPUs with Sinamics S120 drive systems) and items in the Simatic ET 200Pro distributed I/O system.

Siemens says it has already released new hardware versions of several members of the S7-1500 family in which the vulnerabilities have been fixed. It is working on new versions of the remaining PLCs to address the vulnerabilities.

The company has also issued advice to users of the affected products. It says that because exploiting the vulnerabilities requires physical tampering with the product, it is recommending that users assess the risk of physical access to their devices and implement measures to ensure that only trusted personnel have access to the hardware. It suggests placing the affected devices in locked control cabinets, for example.

Researchers working for Red Balloon Security say they have discovered “multiple” vulnerabilities which could allow attackers to bypass the protected boot features on the controllers and modify operating code and data. Attackers could generate arbitrary encrypted firmware that would be bootable on all of Siemens’ S7-1500 CPU modules.

Red Balloon warns that by flashing malicious firmware onto a target device, either physically or by exploiting an existing remote code execution vulnerability, attackers could execute arbitrary code and potentially circumvent any official security and firmware updates, without users’ knowledge.

Cybersecurity researchers have found vulnerabilities in Siemens’ S7-1500 PLCs

The Red Balloon researchers have been working on the issue for more than a year and have reported the vulnerabilities to Siemens, which confirmed them.

Red Balloon has recommended several mitigations to Siemens, including:
• implementing runtime integrity attestation;
• adding asymmetric signature checks for firmware at bootup; and
• encrypting the firmware with device-specific keys that are generated on individual devices.

The cyber-researchers have also developed a threat detection tool for owners and users of Siemens S7-1500 series PLCs to verify whether vulnerable devices have been tampered with or compromised.
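The three mitigations listed above and the tamper check the detection tool performs can be illustrated together. The Go program below is an added example written for this article; it is not code from Red Balloon, Siemens or any S7-1500 firmware. The algorithms are assumptions for the sake of illustration (Ed25519 for the boot-time signature check, HMAC-SHA256 as a per-device key derivation, AES-256-GCM for firmware encryption, SHA-256 as the integrity measurement), as are the device secret, serial numbers and firmware payload, which are constructed sample values. The point it makes is the one in the article: with a public-key check at boot, nothing extractable from a single device lets an attacker sign a new image, and with device-specific keys, an image encrypted for one unit refuses to open on any other.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedImage is a constructed firmware container: a payload plus a detached
// Ed25519 signature made with the vendor's offline signing key (assumption).
type SignedImage struct {
	Payload   []byte
	Signature []byte
}

// SignFirmware runs at the vendor, never on the controller: it produces the
// signature that a boot stage holding only the public key can later check.
func SignFirmware(priv ed25519.PrivateKey, payload []byte) SignedImage {
	return SignedImage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyAtBoot is the asymmetric signature check from the mitigation list.
// The device stores only the public key, so dumping the device yields nothing
// that could be used to sign a modified image.
func VerifyAtBoot(pub ed25519.PublicKey, img SignedImage) bool {
	return ed25519.Verify(pub, img.Payload, img.Signature)
}

// DeviceKey derives a per-device firmware key from a secret that exists only
// inside one unit (assumed to be provisioned in its secure element) and that
// unit's serial number. HMAC-SHA256 stands in for a proper KDF (assumption).
func DeviceKey(deviceSecret []byte, serial string) []byte {
	mac := hmac.New(sha256.New, deviceSecret)
	mac.Write([]byte("firmware-key:" + serial))
	return mac.Sum(nil) // 32 bytes, used as an AES-256 key
}

// Seal encrypts a firmware payload with AES-256-GCM under a device key.
// The output layout is nonce || ciphertext-with-tag.
func Seal(key, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, payload, nil)...), nil
}

// Open reverses Seal. Because each unit's key differs, an image sealed for
// one serial fails GCM authentication on every other unit instead of booting.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed image too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Measure is the runtime integrity measurement: a hash of the firmware
// region as it is actually present on the device.
func Measure(region []byte) string {
	sum := sha256.Sum256(region)
	return hex.EncodeToString(sum[:])
}

// Attest compares a fresh measurement with the value from a known-good
// manifest; a mismatch is what a tamper-detection tool would report.
func Attest(expected string, region []byte) (bool, string) {
	got := Measure(region)
	return got == expected, got
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fw := []byte("constructed firmware payload v1") // sample data, not real firmware
	img := SignFirmware(priv, fw)
	fmt.Println("genuine image verifies at boot:", VerifyAtBoot(pub, img))
	sealed, _ := Seal(DeviceKey([]byte("unit-secret-A"), "SN-0001"), fw)
	_, err := Open(DeviceKey([]byte("unit-secret-B"), "SN-0002"), sealed)
	fmt.Println("image for SN-0001 rejected on SN-0002:", err != nil)
	ok, _ := Attest(Measure(fw), fw)
	fmt.Println("attestation matches manifest:", ok)
}
```

In this model the three mitigations cover different failure modes: the signature check stops unsigned or modified code from booting, the device-specific key stops one crafted image from being "bootable on all CPU modules", and the measurement-plus-manifest comparison is what lets an owner check an already-deployed unit for tampering without trusting the firmware's own word for it.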
