Protecting Siemens S7-1200 PLCs against Security Vulnerabilities, Part 3/3

Over the past week, I have been digging into the Siemens S7 PLC vulnerabilities that were discovered by Dillon Beresford at NSS Labs in May. In the first blog article, I analyzed the contradictory information being circulated in an attempt to scrape out a few facts and guesses on what PLC products are actually affected and what the nature of the vulnerabilities are. Friday's post covered the lessons the industry as a whole can take away from this mess.

In this blog, I will discuss what this means for the ICS / SCADA professional trying to protect his or her control system in a critical industrial facility.

Siemens' PLC Security Advisories are Confusing

I will start by saying that, while I am happy to see Siemens moving quickly on these vulnerabilities, I am also pretty confused by the update notices and security advisories released on Friday, June 10th. The Siemens S7-1200 V2.03 Firmware Update Notice simply states:

"S7-1200 CPU firmware update V2.0.3 improves the security and robustness of the S7-1200 product family."

Wow - thanks for all that detail...

Head to the Siemens S7-1200 security notice on the web and a slightly better message appears:

"The latest firmware update for the S7-1200 will offer corrective action for enhancing protection against replay attacks as well as increased stability when facing the above-mentioned denial-of-service scenario. The firmware update will be available in June."

All this seems pretty positive until we read the Security Advisory dated June 13, 2011. It acknowledges that there are two vulnerabilities in the S7-1200 product, namely the Replay attack and the Denial of Service attack we suspected earlier. But then the advisory goes on to say:

"The improvements for this system behavior will be addressed with the next firmware update"


"A password protected S7-1200 will, in the future (with the firmware update), no longer respond to recorded frames transmitted to the controller at a later time"

Does this mean the patches released on Friday do not address the problem? Or are the Siemens security and developement teams not talking to each other?

Stay tuned as we try to sort this out.

S7-1200 PLCs are usually Standalone Applications

In the mean time, we know that S7-1200 PLCs are at risk of easy-to-execute DoS and replay attacks now. The DoS attacks are against the embedded web server on the PLC, and Siemens suggests that shutting that service down removes the vulnerability. The replay attack and the DoS attack might be solved by Friday's patch (or it might not be).

The good news is that these micro PLCs are often implemented in standalone applications consisting of just the PLC and a simple local operator (touch) panel display.  In these cases, it might just be safe to say that they are 'air-gapped', and network-based attacks are not possible.

What to do if your S7-1200 PLCs are not Standalone

Now if this is not the case – the PLCs are on a more complex network – then defense in depth security is needed. First get that patch loaded ASAP. Hopefully it fixes both problems. But even if it does, remember that the protocols are still clear text.

In this case you need to have your S7-1200 PLCs behind a firewall that restricts traffic to the core HMI servers (i.e. the computers that must communicate to the PLCs), and blocks dangerous protocols like HTTP (i.e. web traffic), or you are taking a risk.

Rate limiting traffic to the PLCs is also a good idea. Previous research by CERN suggests that some Siemens PLCs may also be susceptible to traditional packet storm attacks. I don’t know if this applies to the S7-1200, but I would play it safe.

Note that I am NOT talking about a firewall between the business and corporate networks.  In many companies, that leaves too many computers free to send whatever messages they want to the PLCs. Get one of those computers infected by USB key, CD or VPN and your PLCs could be sitting ducks.

Instead, firewalls separating ALL the PCs from the PLCs are recommended to sanitize the traffic coming to the PLCs. The ideal choice would be a deep packet inspection system that would detect malformed Siemens traffic, but that technology is not on the market yet. I hope that it shows up soon.

Clear Text Protocols/Weak Authentication are Endemic Problems

What about S7-300 and S7-400 PLCs? Siemens is very vague on this front. Probably these controllers are no more exposed than they have been for the past decade. Not that that is good - the HMI protocols are sent in clear text and the password authentication schemes may be flawed, especially against replay attacks.

These are serious exposures, but they are not new exposures. In fact, the issues of clear text protocols and weak authentication are endemic to the entire ICS/SCADA industry.

The bad news is that unauthenticated, clear text ICS and SCADA protocols is not an issue that can be fixed by patches. These protocols been around since PLCs and RTUs were invented and will take years, if not decades, to replace. Nor will trying to hide the control system behind a so-called air gap help. Only better management of ALL the traffic on the primary control network will provide security in the next decade.

The zone and conduit models proposed by the ANSI/ISA99 standards show the direction the ICS/SCADA industry needs to progress. The industry now needs to make these easy to understand and deploy in all control systems.

Related Links


RSS Feed Subscribe to the "Practical SCADA Security" news feed

Add new comment