24 Jul 2024


Siemens PLC firmware patch tackles vulnerabilities

Siemens has issued a firmware patch for its Simatic S7-1200 micro-PLC to tackle security weaknesses identified last month by US researchers. According to the US Government’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the patch addresses “a portion of the reported vulnerabilities”.

ICS-CERT warns that successful exploitation of these vulnerabilities “could result in the loss of process control, possibly precipitating damage to critical industrial control systems”.

Siemens says that following the alert issued in May by the US cyber-security specialist NSS Labs, it reproduced the test scenarios which revealed “weaknesses” in its S7-1200 controller. Under certain conditions, an attack could stop a control program running on a PLC, placing it in a stop/defect state which could cause a machine shutdown similar to that resulting from a power supply failure.

In a new advisory notice, Siemens identifies two specific security issues that could affect the S7-1200 PLCs. In the first of these, communications between engineering software and a connected PLC could be recorded using a network analyser and later replayed to the PLC over its Ethernet interface, allowing operator actions such as Stop commands to be repeated by someone who never had the engineering software.

Siemens says that this form of attack works only on the PLC involved in the original communications: an authentication mechanism ties the recorded traffic to that controller, so other controllers will not recognise the commands. Also, “replay attacks” of this type can only succeed if access to the controller is not protected. It therefore recommends activating PLC access protection.

It argues that the replay scenario does not represent a gap in security because it requires the same access rights to a network as would be needed when using the engineering software. “Secure operation of a controller in an industrial application depends on having an access-protected network in place,” it says.

But Siemens does concede that owing to an error in the current firmware of the S7-1200 CPU, replay attacks could be launched “for a limited period”. This weakness will be corrected in its next firmware update.
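To make the replay scenario concrete, the following is an added example written for this article; it is a deliberately simplified model and not the Siemens S7 protocol or any of its code. The per-controller key, the frame layout and the challenge mechanism are all assumptions. It shows three things the advisory describes in prose: a tag that binds a frame to one controller stops the captured Stop command from working on a second PLC but not from being replayed against the first; a freshness challenge that stays valid for a window is still replayable for that limited period; and a single-use challenge rejects the replay.

```python
"""Toy model of a PLC command channel (constructed for this article).

NOT the Siemens S7 protocol: the per-PLC key, frame fields and challenge
handling are assumptions made to illustrate replay and its mitigation.
"""
import hashlib
import hmac
import secrets


def _tag(key: bytes, *parts: bytes) -> bytes:
    """Authentication tag over the frame fields, keyed per controller."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Plc:
    # mode "bound":      tag over (serial, command) only  -> replayable on same PLC
    # mode "windowed":   challenge reusable until exhausted -> replayable for a while
    # mode "single-use": challenge consumed on first use    -> replay rejected
    def __init__(self, serial: str, key: bytes, mode: str = "bound", window: int = 1):
        self.serial = serial
        self.key = key
        self.mode = mode
        self.window = window          # uses a windowed challenge stays valid for
        self.state = "RUN"
        self.live_challenges = {}     # challenge bytes -> remaining uses
        self.log = []

    def challenge(self) -> bytes:
        """Issue a fresh random challenge for the next command."""
        c = secrets.token_bytes(16)
        self.live_challenges[c] = self.window if self.mode == "windowed" else 1
        return c

    def handle(self, frame: dict) -> bool:
        """Accept or reject one frame; returns True if the command was executed."""
        chal = frame["challenge"]
        expected = _tag(self.key, frame["serial"].encode(), frame["command"].encode(), chal)
        if not hmac.compare_digest(expected, frame["tag"]):
            self.log.append("bad-tag")       # different PLC, different key
            return False
        if self.mode != "bound":
            uses = self.live_challenges.get(chal, 0)
            if uses <= 0:
                self.log.append("replay")    # challenge unknown or already spent
                return False
            self.live_challenges[chal] = uses - 1
        if frame["command"] == "STOP":
            self.state = "STOP"
        self.log.append("ok:" + frame["command"])
        return True


class EngineeringStation:
    """Legitimate sender; shares the target PLC's key."""
    def __init__(self, key: bytes):
        self.key = key

    def send(self, plc: Plc, command: str) -> dict:
        chal = plc.challenge() if plc.mode != "bound" else b""
        frame = {"serial": plc.serial, "command": command, "challenge": chal,
                 "tag": _tag(self.key, plc.serial.encode(), command.encode(), chal)}
        plc.handle(frame)
        return frame   # exactly what a network analyser on the segment captures


def replay_scenarios() -> dict:
    """Run the three scenarios; keys are constructed sample material."""
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    results = {}

    # 1. Device-bound tag, no freshness: same PLC replayable, other PLC not.
    a, b = Plc("A", key_a, "bound"), Plc("B", key_b, "bound")
    captured = EngineeringStation(key_a).send(a, "STOP")
    a.state = "RUN"                                   # operator restarts PLC A
    results["bound:same_plc"] = a.handle(captured)    # True: stopped again
    results["bound:state_after_replay"] = a.state     # "STOP"
    results["bound:other_plc"] = b.handle(captured)   # False: bad-tag

    # 2. Challenge valid for a window of 3 uses: legit send uses one, two replays succeed.
    a = Plc("A", key_a, "windowed", window=3)
    captured = EngineeringStation(key_a).send(a, "STOP")
    results["windowed:replays_accepted"] = sum(a.handle(captured) for _ in range(5))  # 2

    # 3. Single-use challenge: replay rejected.
    a = Plc("A", key_a, "single-use")
    captured = EngineeringStation(key_a).send(a, "STOP")
    results["single_use:replay"] = a.handle(captured)  # False
    return results


if __name__ == "__main__":
    for name, value in replay_scenarios().items():
        print(f"{name}: {value}")
```

The point of the “windowed” mode is only to show why a freshness check must be single-use: any design in which a captured frame remains valid for some period leaves exactly the kind of “limited period” replay the advisory describes, regardless of how the real firmware arrived at it. The model also has no network access control at all, which is why the advisory’s first recommendation is to turn on the controller’s access protection rather than to rely on the tag.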

The second problem reported by Siemens is that the S7-1200’s communications interface can be overloaded by a network scanner, leading to a CPU stoppage. It suggests that a “denial of service” attack of this type can be avoided by switching off the Web server built into the S7-1200 PLC, or by using a firewall to block traffic to the Web server from anything other than the hosts that need it.

The new S7-1200 firmware patch enhances protection against replay attacks and offers “increased stability” when facing denial-of-service attacks.

In addition to installing the patch, ICS-CERT and Siemens suggest implementing other measures, where possible, to minimise the impact of the reported vulnerabilities:
•  disabling the Web server embedded in the TIA Portal v11 software if it is not critical to operations;
•  applying properly configured, strong passwords, and avoiding re-using the same password across automation networks;
•  applying defence-in-depth strategies for both enterprise and control system networks;
•  restricting connections between enterprise and control system networks; and
•  restricting remote access to enterprise and control system networks, and using VPN (virtual private network) connections for any remote system access.

Siemens reports that its S7-300 and S7-400 controllers are not vulnerable to the denial-of-service attacks, but it does not say whether they might be affected by replay attacks. According to one report, Siemens is testing this aspect of their behaviour and, if necessary, will implement appropriate measures.

Siemens points out that to reproduce the vulnerabilities identified by ICS-CERT, an attacker would have to bypass two levels of protection (plant security and IT security). They would either need to be on-site in a plant or have unrestricted access to the plant’s production network. It adds that operating an industrial controller on an unprotected network is similar to using a PC on the Internet without a firewall.

ICS-CERT says it is continuing to work with Siemens and NSS Labs on other reported problems.