ANALYST BRIEF

Siemens PLC Vulnerabilities

Author: Bob Walder

Overview

Supervisory Control and Data Acquisition (SCADA) systems are cornerstones of modern industrial society. Via the use of Programmable Logic Controllers (PLCs), SCADA systems enable humans to control, monitor, and automate activities of connected physical systems, such as oil and gas pipeline valves, temperature monitoring and cooling systems, energy grids, and traffic lights. Unlike classic computer crime and exploitation, where data is remotely stolen or manipulated, attacks on industrial control systems (ICS) can have significant physical-world implications.

A number of vulnerabilities have been discovered by NSS Labs researchers and validated on the Siemens Simatic S7-1200 PLC. Other Siemens device models have yet to be tested. There is the possibility that PLCs from other vendors are similarly affected.

Currently, these vulnerabilities could enable an attacker to control an affected S7-1200 PLC. Naturally, the execution of the exploits to obtain this level of control requires that the SCADA system be connected to a network to which the attacker has access. SCADA systems implemented according to accepted best practices, including a full air-gap separation from internet-connected networks, would be subject to a lower risk than those that are not.

NSS Labs Findings

- At the time of this writing, official patches and remediation advice from the affected vendor(s) are not available. Affected organizations need to rely on network security measures to counter the threat.
- SCADA networks are often needlessly connected to broader corporate networks where air-gap separation would be more appropriate.
- Loss of control of industrial control systems such as those at the center of this research can have devastating effects, both financial and, in rare cases, environmental.
NSS Labs Recommendations

- Implement true air-gap separation for SCADA networks where possible.
- Execute a full exposure assessment to determine the extent of external connectivity that can be gained to critical ICS.
- During the period where NSS is unable to divulge further information publicly due to disclosure responsibilities, NSS clients with concerns in this area should schedule inquiries with research analysts to discuss remediation efforts on a case-by-case basis.
- Study the confidential alert posted on the ICS-CERT password-protected portal.
Analysis

Supervisory Control and Data Acquisition (SCADA) systems are cornerstones of modern industrial society. SCADA systems enable humans to control, monitor, and automate activities of connected physical systems, such as oil and gas pipeline valves, temperature monitoring and cooling systems, energy grids, and traffic lights. Programmable Logic Controllers (PLCs) are the purpose-built devices that communicate with and control the physical devices. For example, they enable human operators to define rules that automatically turn on water cooling pumps to a nuclear reactor when the temperature reaches a predefined threshold. They are in use in every country and in every industrial control system and impact our lives daily in ways we might not realize.

Exploitation of vulnerabilities in computer systems can always have negative effects, such as loss of availability, productivity, or data, or other compromise, and can even result in identity theft and financial loss. However, unlike classic computer crime and exploitation, where data is remotely stolen or manipulated, attacks on industrial control systems (ICS) can in rare circumstances have potentially devastating physical-world implications such as loss of life and environmental impact.

ICS vulnerabilities are an emerging and increasingly important threat to national cybersecurity, and research into this area is in its early stages. While there are relatively few known vulnerabilities in the ICS space, there are tens of thousands of traditional computing and networking vulnerabilities.

In the course of this research, significant vulnerabilities in industrial control systems have been identified, responsibly disclosed, and validated by the affected parties. Due to the serious impact these issues could have on industrial systems worldwide, further details will be withheld until effective remediation measures have been released by the affected vendor(s) and validated by NSS researchers.
Vulnerabilities Discovered by NSS Labs

Given the serious implications of the vulnerabilities, NSS is refraining from broad public disclosure of the technical details at the time of this writing. This document does not, therefore, discuss how attacks are carried out, instead focusing on what is possible and what organizations can do to mitigate the risks.

These vulnerabilities could enable an attacker to control an affected S7-1200 PLC. For example:

- Start and stop the CPU
- Arbitrarily control devices connected to the PLC
- Arbitrarily reprogram the PLC and read and write memory contents
- Cause arbitrary (false) data to be returned to logging and management stations
- Hijack control of the PLC from an administrator
- Bypass security controls

The most effective remediation will be based upon accepted best practices and specific knowledge of the operating environment. Given the implications of the problem, a true air-gap separation between ICS and internet-connected corporate networks should be enforced wherever possible. In many cases, the operator may not be fully aware of the connectivity an attacker may be able to gain. An exposure assessment is recommended in such cases.
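The exposure assessment recommended above can be started from the rule set of the firewall that sits between the corporate and ICS networks: any rule that lets an outside host initiate a connection into the ICS address space is a path that a true air gap would not have. The following script is an added example, not tooling from the NSS Labs brief and not code from Siemens or ICS-CERT. The address plan, rule names and engineering-workstation allow list are constructed; the only standard values are TCP port 102 (ISO-TSAP, the transport used to program Siemens S7 PLCs) and TCP port 502 (Modbus/TCP). An empty result means the rule set admits no untrusted source into the ICS network; every finding is a rule to justify or remove.

```python
"""Exposure assessment over a corporate/ICS boundary rule set.

Added example; not tooling from the NSS Labs brief. Everything below is
constructed: the address plan, the rule names and the engineering allow list.
The check answers one question from the brief's recommendations: which rules
would let a host outside the ICS network reach a PLC at all? A true air gap
yields an empty list; every hit is a path an exposure assessment should
justify or remove.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address plan (hypothetical).
ICS_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]
# Hosts outside the ICS network that are deliberately allowed in, e.g. a
# hardened engineering workstation used to program the PLCs (constructed).
TRUSTED_SOURCES = [ipaddress.ip_network("10.20.5.10/32")]
# Control protocols: Siemens S7 PLCs are programmed over ISO-TSAP (TCP 102);
# Modbus/TCP (TCP 502) is common on other PLCs. Exposure on these ports, or on
# all ports, is rated high severity.
CONTROL_PORTS = {102: "ISO-TSAP/S7", 502: "Modbus/TCP"}


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None means any destination port


@dataclass
class Finding:
    rule: str
    severity: str          # "high" or "medium"
    reason: str


def parse_rules(text: str) -> List[Rule]:
    """Parse 'name,action,src,dst,dport' lines; dport 'any' becomes None."""
    rules = []
    for row in csv.reader(io.StringIO(text.strip())):
        if not row or row[0].startswith("#"):
            continue
        name, action, src, dst, dport = (f.strip() for f in row)
        rules.append(Rule(name, action, src, dst,
                          None if dport == "any" else int(dport)))
    return rules


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _within(net, nets) -> bool:
    """True when net lies entirely inside one of nets."""
    return any(net.subnet_of(n) for n in nets)


def _touches(net, nets) -> bool:
    """True when net shares at least one address with one of nets."""
    return any(net.overlaps(n) for n in nets)


def assess_ics_exposure(rules, ics_networks=ICS_NETWORKS,
                        trusted_sources=TRUSTED_SOURCES) -> List[Finding]:
    """Flag every allow rule that admits an untrusted outside source into ICS.

    Deliberately conservative: rule ordering (a deny that shadows a later
    allow) is ignored, so every permissive rule is surfaced for review.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = _net(r.src), _net(r.dst)
        if not _touches(dst, ics_networks):
            continue                          # does not reach ICS at all
        if _within(src, ics_networks) or _within(src, trusted_sources):
            continue                          # internal or allow-listed source
        if r.dport is None:
            findings.append(Finding(r.name, "high", "all ports from outside ICS"))
        elif r.dport in CONTROL_PORTS:
            findings.append(Finding(r.name, "high",
                                    f"control protocol {CONTROL_PORTS[r.dport]} exposed"))
        else:
            findings.append(Finding(r.name, "medium", f"tcp/{r.dport} from outside ICS"))
    return findings


# Constructed rule set for demonstration (not from any real deployment).
SAMPLE_RULES = """
# name,action,src,dst,dport
corp-to-historian,allow,10.0.0.0/8,10.50.1.5/32,1433
eng-ws-to-plc,allow,10.20.5.10/32,10.50.0.0/16,102
any-to-plc-s7,allow,any,10.50.0.0/16,102
vpn-to-ics,allow,192.168.100.0/24,10.50.0.0/16,any
ics-internal,allow,10.50.0.0/16,10.50.0.0/16,any
deny-all,deny,any,any,any
"""

if __name__ == "__main__":
    for f in assess_ics_exposure(parse_rules(SAMPLE_RULES)):
        print(f"{f.severity.upper():6} {f.rule}: {f.reason}")
```

Run against the constructed rule set, the script reports three findings: the historian rule (medium, a single database port reachable from the whole corporate range), the `any`-source rule on port 102 (high), and the VPN rule that permits every port (high). The engineering-workstation rule is accepted because its source is on the allow list, and the ICS-internal rule is ignored because it never crosses the boundary. Rule shadowing is ignored on purpose: a permissive rule that is currently shadowed by an earlier deny becomes live the moment the deny is edited, so it still belongs in the assessment.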
Frequently Asked Questions

Which products are vulnerable?

The vulnerabilities have been validated on the Siemens Simatic S7-1200 PLC. Other Siemens device models have yet to be tested. There is a possibility that PLCs from other vendors are similarly affected.

What responsible disclosure was followed?

NSS researchers have worked closely with the affected vendor, Siemens, and the computer emergency response team for industrial control systems (ICS-CERT), which reports into the Department of Homeland Security (DHS). Full details have been shared, and the vulnerabilities have been confirmed. NSS remains in close contact with ICS-CERT. At the time of this writing, the vendor (Siemens) has provided NSS with no further patching or remediation details, nor has it provided any indication of when they will be available.

How is this different from Stuxnet?

These vulnerabilities differ from Stuxnet in many ways. While both affect SCADA PLC systems, Stuxnet was a targeted worm, whereas these vulnerabilities are not. These vulnerabilities affect the newest Siemens PLCs and can shut down/turn on PLCs in addition to reading information from and writing information to them.

Was any malware created around these exploits?

No. Responsible disclosure practices have been followed throughout by NSS, and no proof-of-concept code has been released into the wild.
Contact Information

NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief.

© 2011 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.