Siemens PLC Vulnerabilities


ANALYST BRIEF

Author: Bob Walder

Overview

Supervisory Control Automation and Data Acquisition (SCADA) systems are cornerstones of modern industrial society. Via the use of Programmable Logic Controllers (PLCs), SCADA systems enable humans to control, monitor, and automate activities of connected physical systems, such as oil and gas pipeline valves, temperature monitoring and cooling systems, energy grids, and traffic lights. Unlike classic computer crime and exploitation, where data is remotely stolen or manipulated, attacks on industrial control systems (ICS) can have significant physical world implications.

A number of vulnerabilities have been discovered by NSS Labs researchers and validated on the Siemens Simatic S7-1200 PLC. Other Siemens device models have yet to be tested. There is the possibility that PLCs from other vendors are similarly affected.

Currently, these vulnerabilities could enable an attacker to control an affected S7-1200 PLC. Naturally, the execution of the exploits to obtain this level of control requires that the SCADA system be connected to a network to which the attacker has access. SCADA systems implemented according to accepted best practices, including a full air gap separation from internet-connected networks, would be subject to a lower risk than those that are not.

NSS Labs Findings

- At the time of this writing, official patches and remediation advice from the affected vendor(s) are not available. Affected organizations need to rely on network security measures to counter the threat.
- SCADA networks are often needlessly connected to broader corporate networks where air gap separation would be more appropriate.
- Loss of control of industrial control systems such as those at the center of this research can have devastating effects, both financial and, in rare cases, environmental.

NSS Labs Recommendations

- Implement true air gap separation for SCADA networks where possible.
- Execute a full exposure assessment to determine the extent of external connectivity that can be gained to critical ICS.
- During the period where NSS is unable to divulge further information publicly due to disclosure responsibilities, NSS clients with concerns in this area should schedule inquiries with research analysts to discuss remediation efforts on a case-by-case basis.
- Study the confidential alert posted on the ICS-CERT password-protected portal.

Analysis

Supervisory Control Automation and Data Acquisition (SCADA) systems are cornerstones of modern industrial society. SCADA systems enable humans to control, monitor and automate activities of connected physical systems, such as oil and gas pipeline valves, temperature monitoring and cooling systems, energy grids, and traffic lights. Programmable Logic Controllers (PLCs) are the purpose-built devices that communicate with and control the physical devices. For example, they enable human operators to define rules that automatically turn on water cooling pumps to a nuclear reactor when the temperature reaches a predefined threshold. They are in use in every country and in every industrial control system and impact our lives daily in ways we might not realize.

Exploitation of vulnerabilities in computer systems can always have negative effects, such as loss of availability, productivity, data, or other compromise, and even result in identity theft and financial loss. However, unlike classic computer crime and exploitation, where data is remotely stolen or manipulated, attacks on industrial control systems (ICS) can in rare circumstances have potentially devastating physical world implications such as loss of life and environmental impact.

ICS vulnerabilities are an emerging and increasingly important threat to national cybersecurity, and research into this area is in the early stages. While there are relatively few known vulnerabilities in the ICS space, there are tens of thousands of traditional computing and networking vulnerabilities.

In the course of this research, significant vulnerabilities in industrial control systems have been identified, responsibly disclosed, and validated by the affected parties. Due to the serious impact these issues could have on industrial systems worldwide, further details will be withheld until effective remediation measures have been released by the affected vendor(s) and validated by NSS researchers.
Vulnerabilities Discovered by NSS Labs

Given the serious implications of the vulnerabilities, NSS is refraining from broad public disclosure of the technical details at the time of this writing. This document does not, therefore, discuss how attacks are carried out, instead focusing on what is possible and what organizations can do to mitigate the risks.

These vulnerabilities could enable an attacker to control an affected S7-1200 PLC. For example:

- Start and stop the CPU
- Arbitrarily control devices connected to the PLC
- Arbitrarily reprogram the PLC and read and write memory contents
- Cause arbitrary (false) data to be returned to logging and management stations
- Hijack control of the PLC from an administrator
- Bypass security controls

The most effective remediation will be based upon accepted best practices and specific knowledge of the operating environment. Given the implications of the problem, a true air-gap separation between ICS and internet-connected corporate networks should be enforced wherever possible. In many cases, the operator may not be fully aware of the connectivity an attacker may be able to gain. An exposure assessment is recommended in such cases.
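The recommendations above (air gap separation, plus an exposure assessment to find connectivity the operator is not aware of) can be turned into a repeatable check against firewall or flow logs. The script below is an added example written for this page, not NSS Labs code and not a tool the brief describes. It assumes a constructed ICS subnet (10.50.0.0/24), a constructed "key=value" flow-record format, a constructed exception list, and one real protocol fact: TCP port 102 (ISO-TSAP) carries S7 communication to Siemens PLCs. Any allowed flow that crosses the ICS boundary is reported, with flows reaching the S7 port from outside the segment ranked highest.

```python
"""Flag flows that contradict an air-gapped ICS segment.

Added example, not NSS Labs code. Subnets, hosts, the log format and the
sample records are constructed; TCP/102 (ISO-TSAP, used by S7 communication)
is the only real protocol fact assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")          # constructed PLC subnet
# Hosts outside the segment documented as permitted (constructed placeholder
# for, e.g., a jump host recorded during an exposure assessment).
DOCUMENTED_EXCEPTIONS = {ipaddress.ip_address("10.10.1.5")}
S7_PORT = 102  # ISO-TSAP: S7 programming/control traffic


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    action: str


@dataclass
class Finding:
    severity: str   # "critical", "high", "medium" or "info"
    reason: str
    flow: Flow


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'ts key=value ...' firewall flow record."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Flow(ts=ts,
                src=ipaddress.ip_address(kv["src"]),
                dst=ipaddress.ip_address(kv["dst"]),
                proto=kv["proto"].lower(),
                dport=int(kv["dport"]),
                action=kv["action"].lower())


def assess(flow: Flow) -> Optional[Finding]:
    """Return a Finding if the flow crosses the ICS boundary, else None."""
    src_in = flow.src in ICS_SEGMENT
    dst_in = flow.dst in ICS_SEGMENT
    if src_in == dst_in:
        return None  # wholly inside or wholly outside the segment
    if not dst_in:
        # ICS host reaching outward: a path that could carry false data out
        # or commands back in. Only allowed flows count as exposure.
        if flow.action == "allow":
            return Finding("medium", "ICS host initiated egress to a non-ICS network", flow)
        return None
    # External source reaching the ICS segment.
    if flow.src in DOCUMENTED_EXCEPTIONS:
        return Finding("info", "documented exception reached ICS segment", flow)
    if flow.action != "allow":
        return Finding("info", "blocked ingress attempt to ICS segment", flow)
    if flow.proto == "tcp" and flow.dport == S7_PORT:
        return Finding("critical", "external host reached PLC programming/control port", flow)
    return Finding("high", "external host reached ICS segment", flow)


def assess_flows(lines) -> list:
    """Run assess() over an iterable of log lines, skipping blanks/comments."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        finding = assess(parse_flow(line))
        if finding:
            findings.append(finding)
    return findings


def summarize(lines) -> dict:
    """Count findings by severity (the figure a segmentation report leads with)."""
    counts = {}
    for f in assess_flows(lines):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample records: an engineering workstation inside the segment,
# a corporate host reaching a PLC on TCP/102, a blocked attempt from an
# external address, a PLC sending syslog outward, the documented exception,
# and unrelated corporate traffic.
SAMPLE_LOG = """
2011-05-12T08:14:03Z src=10.50.0.10 dst=10.50.0.21 proto=tcp dport=102 action=allow
2011-05-12T08:14:09Z src=10.20.4.15 dst=10.50.0.21 proto=tcp dport=102 action=allow
2011-05-12T08:15:40Z src=10.20.4.15 dst=10.50.0.22 proto=tcp dport=80 action=allow
2011-05-12T08:16:02Z src=192.0.2.77 dst=10.50.0.21 proto=tcp dport=102 action=deny
2011-05-12T08:17:11Z src=10.50.0.21 dst=10.20.9.3 proto=udp dport=514 action=allow
2011-05-12T08:18:30Z src=10.10.1.5 dst=10.50.0.21 proto=tcp dport=102 action=allow
2011-05-12T08:19:00Z src=10.20.4.15 dst=10.20.4.16 proto=tcp dport=445 action=allow
"""

if __name__ == "__main__":
    for f in assess_flows(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:8} {f.flow.ts} {f.flow.src} -> {f.flow.dst}:{f.flow.dport}  {f.reason}")
    print(summarize(SAMPLE_LOG.splitlines()))
```

On the constructed sample the check produces one critical finding (corporate host to PLC on TCP/102), one high (corporate host to another ICS address on port 80), one medium (PLC egress) and two informational entries. A "true air gap" should yield an empty report; anything else is the connectivity the exposure assessment is meant to surface, and the exception list is where documented, reviewed paths are recorded so they stop appearing as surprises.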

Frequently Asked Questions

Which products are vulnerable?
The vulnerabilities have been validated on the Siemens Simatic S7-1200 PLC. Other Siemens device models have yet to be tested. There is a possibility that PLCs from other vendors are similarly affected.

What responsible disclosure was followed?
NSS researchers have worked closely with the affected vendor, Siemens, and the computer emergency response team for industrial control systems (ICS-CERT), which reports into the Department of Homeland Security (DHS). Full details have been shared, and the vulnerabilities have been confirmed. NSS remains in close contact with ICS-CERT. At the time of this writing, the vendor (Siemens) has provided NSS with no further patching or remediation details, nor has it provided any indication of when they will be available.

How is this different from Stuxnet?
These vulnerabilities differ from Stuxnet in many ways. While both affect SCADA PLC systems, Stuxnet was a targeted worm, whereas these vulnerabilities are not. These vulnerabilities affect the newest Siemens PLCs and can shut down/turn on PLCs in addition to reading information from and writing information to them.

Was any malware created around these exploits?
No. Responsible disclosure practices have been followed throughout by NSS, and no proof of concept code has been released into the wild.

Contact Information

NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs' independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.

© 2011 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.