Industrial Automation Systems
Siemens Security Bulletin
Response to ICS Alert (ICSA-11-223-01A)

Siemens AG, Industry Sector (Management: Siegfried Russwurm); Industry Automation Division (Management: Anton Sebastian Huber); Industrial Automation Systems (Management: Eckard Eberle). Gleiwitzer Str. 555, 90475 Nuernberg, Germany. Tel.: +49 (911) 895 0, Fax: +49 (911) 895 3630. Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme; Managing Board: Peter Loescher, Chairman, President and Chief Executive Officer; Roland Busch, Brigitte Ederer, Klaus Helmrich, Joe Kaeser, Barbara Kux, Hermann Requardt, Siegfried Russwurm, Peter Y. Solmssen, Michael Suess. Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684. WEEE-Reg.-No. DE 23691322.

Summary

In August of 2011, ICS-CERT published ICSA-11-223-01A [i], a summary of topics that were reported against Siemens PLCs. Siemens has developed the following response to this alert, providing additional clarity with respect to the PLC families affected (S7-200, S7-1200, S7-300, S7-400).

Table 1: S7-200 and S7-1200 Topics and Mitigation Summary

Reported topic: Read / Write User Memory; Use of clear text, unauthenticated protocol
  Applies to: S7-200: affected. S7-1200: affected.
  Description: The capability to read and write user memory is an integral part of Siemens' open architecture, allowing both Siemens and non-Siemens products access to the areas of PLC memory where inputs, outputs, constants, and variables reside. A clear text protocol is used throughout the S7-200 / S7-1200, allowing interfacing with both Siemens and non-Siemens products. Changing the protocol would cause compatibility issues with those products.
  Mitigation:
    S7-200: Apply a defense-in-depth strategy by implementing the Operational Guidelines [ii].
    S7-1200: Protect critical constant memory values by configuring them as constant tags and assigning a value to each constant. Configure blocks of critical constant memory as a password-protected data block. Check for valid parameter content of read / write user memory prior to use within the control program. Apply a defense-in-depth strategy by implementing the Operational Guidelines [ii].

Reported topic: Bypass of PLC password protection (bypass algorithm; disable protection)
  Applies to: S7-200: affected. S7-1200: affected for versions prior to v2.0.3.
  Status: S7-200: No patch implemented. S7-1200: Patch implemented improving the authentication sequence in June 2011.
  Mitigation:
    S7-200: Apply a defense-in-depth strategy by implementing the Operational Guidelines [ii].
    S7-1200: Update the S7-1200 CPU firmware to v2.0.3 or higher.

Reported topic: Denial-of-service in the PLC web server
  Applies to: S7-200: No. S7-1200: affected for versions prior to v2.0.3.
  Status: S7-200: Not affected, as the S7-200 does not have a built-in web server. S7-1200: Patch implemented removing the identified vulnerability in June 2011.
  Mitigation: S7-200: none. S7-1200: Update the S7-1200 CPU firmware to v2.0.3 or higher.

Reported topic: Access to diagnostic command shell via TELNET and HTTP using hardcoded credentials
  Applies to: S7-200: No. S7-1200: No.

Note: The S7-200 was introduced in 1995 as the first family of Siemens Micro PLCs. In 2009 the S7-1200 Micro family of PLCs was introduced as the successor to the S7-200.

Table 2: S7-300 / S7-400 Topics and Mitigation Summary

Reported topic: Read / Write User Memory; Use of clear text, unauthenticated protocol
  Applies to: S7-300: affected. S7-400: affected.
  Description: The capability to read and write user memory is an integral part of Siemens' open architecture, allowing both Siemens and non-Siemens products access to the areas of PLC memory where inputs, outputs, constants, and variables reside. A clear text protocol is used throughout the S7-300 / S7-400 products, allowing interfacing with both Siemens and non-Siemens products. Changing the protocol would cause compatibility issues with those products.
  Mitigation:
    - Protect critical constant memory values by configuring them as constant tags and assigning a value to each constant.
    - Configure blocks of critical constant memory as a password-protected data block.
    - Calculate checksums (SFC 51) of both the user program blocks and the configuration data.
    - Check for valid parameter content of read / write user memory prior to use within the control program.
    - Utilize the security communication processors (CP 343-1 Advanced, CP 443-1 Advanced, and CP 1628) to establish VPN tunnels for the S7 protocol.

Reported topic: Bypass of PLC password protection (bypass algorithm; disable protection)
  Applies to: S7-300: affected. S7-400: affected.
  Description: Weak authentication is the root cause of this issue. Resolution requires changes to the authentication sequence and will cause compatibility issues with products.
  Mitigation: Prevent bypass of the PLC protection level by monitoring and controlling it within the user program. Logic can be configured to detect a change in the protection level and reset it back to the original level while the PLC is in Run mode, using SFC 109 Protect. This protects against runtime downloads of hardware configuration changes and runtime edits to the program.

Reported topic: Denial-of-service in the PLC web server
  Applies to: S7-300: No. S7-400: No.

Reported topic: Access to diagnostic command shell via TELNET and HTTP using hardcoded credentials
  Applies to: S7-300: affected. S7-400: No.
  Status:
    S7-300: Patch implemented to remove the hardcoded credentials. The (internal) diagnostic interface has been removed in the following releases:
      CPU314C-2PN/DP since V3.3 (01/2010, first release)
      CPU315(incl. F)-2PN/DP since V3.1 (10/2009)
      CPU317(incl. F)-2PN/DP since V3.1 (10/2009)
      CPU319(incl. F)-3PN/DP since V2.8 (06/2009)
      IM151-8(incl. F)-PN/DP since V3.2 (08/2010)
      IM154-8 PN/DP since V3.2 (08/2010)
    S7-400: No models of the S7-400 are known to be affected.

Protecting PLC Programs

Modification of PLC blocks can drastically change the PLC's operating behavior. Therefore, it is of utmost importance to protect the engineering system with a layered approach, as outlined in the white paper entitled Operational Guidelines [ii] found on the Industrial Security website. For customers concerned about tampering with program or configuration data, Siemens recommends the use of the following protection features provided by the SIMATIC controllers.
PLC Write Protection

S7-300 and S7-400 PLCs delivered since April of 1998, used in conjunction with STEP 7 V4.0.2 onward, support the use of password protection. This type of protection helps to prevent program tampering and unauthorized configuration changes. Password protection is an easily implemented precaution that can be leveraged within a comprehensive, layered approach. See "How can you activate the protection level with a password in the HW Config for an S7 CPU" [iii] for more information regarding S7-300 and S7-400 password protection features.

S7-1200 PLCs support the use of password protection. This type of protection helps to prevent program tampering and unauthorized configuration changes. Password protection is an easily implemented precaution that can be leveraged within a comprehensive, layered approach. Consult the S7-1200 System Manual [iv] for more information regarding S7-1200 password protection features.

S7-200 PLCs support the use of password protection. This type of protection helps to prevent program tampering and unauthorized configuration changes. Password protection is an easily implemented precaution that can be leveraged within a comprehensive, layered approach. Consult the S7-200 System Manual [v] for more information regarding S7-200 password protection features.

Program and Configuration Change Detection

The S7-300 and S7-400 PLCs provide the ability to calculate checksums of both the program blocks and the configuration data. This feature can be used to detect unauthorized program or configuration changes. An FAQ has been developed that explains program and configuration change detection; it can be found at "How can you detect a change in the S7 user program in STEP 7 V5.5" [vi]. Consult the Siemens "System Software for S7-300/400 System and Standard Functions" manual [vii] for further information concerning SFC 51 RDSYSST.
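The monitor-and-reset logic recommended for the protection level in Table 2 (SFC 109) and the checksum comparison described in this section can be modelled together. The following is an added example, not code from the Siemens bulletin: a Python model of one scan-cycle integrity check, in which the checksum retrieval (SFC 51 RDSYSST) and the protection reset (SFC 109) are replaced by constructed sample values and a hypothetical callback.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class PlcSnapshot:
    """Per-scan data a monitoring block gathers: protection level (numbered as in STEP 7
    HW Config, 1 = none, 3 = read/write), one checksum per user program block and one for
    the hardware configuration. Constructed values here; a real S7-300/400 program would
    read them from the CPU (e.g. via SFC 51 RDSYSST)."""
    protection_level: int
    block_checksums: Dict[str, int]
    config_checksum: int

@dataclass
class IntegrityMonitor:
    baseline: PlcSnapshot                      # captured once, at start-up
    reset_protection: Callable[[int], None]    # hypothetical stand-in for the SFC 109 call
    alarm_latched: bool = False                # stays set until an operator acknowledges it
    events: List[Tuple[int, str]] = field(default_factory=list)

    def scan(self, current: PlcSnapshot, cycle: int) -> List[str]:
        """Compare one cycle's snapshot with the baseline; return what changed this cycle."""
        found = []
        if current.protection_level != self.baseline.protection_level:
            found.append(f"protection level {self.baseline.protection_level} -> {current.protection_level}")
            self.reset_protection(self.baseline.protection_level)   # re-arm while still in RUN
        for name in sorted(set(self.baseline.block_checksums) | set(current.block_checksums)):
            old = self.baseline.block_checksums.get(name)   # None: block was newly added
            new = current.block_checksums.get(name)         # None: block was deleted
            if old != new:
                found.append(f"block {name}: {old} -> {new}")
        if current.config_checksum != self.baseline.config_checksum:
            found.append("hardware configuration changed")
        if found:
            # Latch: a change reverted before the next scan would otherwise leave no trace.
            self.alarm_latched = True
            self.events.extend((cycle, text) for text in found)
        return found

def run_demo() -> Tuple[IntegrityMonitor, List[int]]:
    """Three cycles: clean; tampered (FC10 edited, FB20 injected, protection lowered);
    then everything restored. The latched alarm and event log keep cycle 2 visible."""
    resets: List[int] = []
    base = PlcSnapshot(3, {"OB1": 0x1A2B, "FC10": 0x33C4, "DB5": 0x9F01}, 0x7E55)
    monitor = IntegrityMonitor(base, resets.append)
    tampered = PlcSnapshot(1, {**base.block_checksums, "FC10": 0x5D00, "FB20": 0x0042}, 0x7E55)
    monitor.scan(base, 1)
    monitor.scan(tampered, 2)
    monitor.scan(base, 3)
    return monitor, resets
```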
Other Mitigations

Siemens continues to recommend a defense-in-depth strategy to protect against current and future security threats. Industrial security is a serious topic, and achieving maximal security requires a holistic approach. In addition to the measures outlined in this bulletin, we strongly urge customers to learn more about Siemens industrial security concepts by visiting http://www.siemens.com/industrialsecurity.

Additional Information

Siemens is committed to addressing security concerns and continues to enhance the security of our products and solutions. For additional information about Siemens' comprehensive security offerings, please contact our expert consultants at industrialsecurity.i@siemens.com.

Vulnerability & Incident Reporting

Siemens is committed to addressing security vulnerabilities uncovered in its products and is working with the security research community through its dedicated ProductCERT. In order to report vulnerabilities in a Siemens product or an incident in a Siemens solution, please contact productcert@siemens.com or see http://siemens.com/cert/advisories.
[i] ICS-Alert ICSA-11-223-01A can be found at http://www.us-cert.gov/control_systems/pdf/icsa-11-223-01a.pdf
[ii] Review the white paper entitled "Operational Guidelines", located in the White Papers section of the Siemens Industrial Security website at http://www.industry.siemens.com/topics/global/en/industrialsecurity/support/pages/white-papers.aspx
[iii] "How can you activate the protection level with a password in the HW Config for an S7 CPU" can be found at http://support.automation.siemens.com/ww/view/en/10154913
[iv] The S7-1200 System Manual can be found at http://support.automation.siemens.com/ww/view/en/36932465
[v] The S7-200 System Manual can be found at http://support.automation.siemens.com/ww/view/en/1109582
[vi] "How can you detect a change in the S7 user program in STEP 7 V5.5" can be found at http://support.automation.siemens.com/ww/view/en/51577287
[vii] The Siemens "System Software for S7-300/400 System and Standard Functions" manual can be found at http://www.automation.siemens.com/doconweb/pdf/sinumerik_sinamics_04_2010_e/s7_sfc.pdf?p=1