Siemens PLCs Still Vulnerable to Stuxnet-like Cyberattacks

Published: 23/11/2024   Category: security

Security updates are tedious and difficult, so users continue to use a weak version of a core protocol and remain exposed to major attacks on critical infrastructure.



Programmable logic controllers (PLCs) that were vulnerable to the Stuxnet attack are still in use globally and rarely have security controls deployed, meaning they're still at risk.
More than 10 years after Stuxnet, new research shows users rarely switch on security controls such as passwords, and feel updates are too cumbersome to apply.
Colin Finck, tech lead of reverse engineering and connectivity at Enlyze, says that the Siemens proprietary protocol used to read and write data, as well as to program the S7 PLC, is protected only by obfuscation, which the researchers were able to bypass.
Finck and his colleague Tom Dohrmann, software engineer, reverse engineering and connectivity, will present their findings at Black Hat Europe in London next week, in a talk titled "A Decade After Stuxnet: How Siemens S7 Is Still an Attacker's Heaven".
In the 2010 attack, the Stuxnet attackers exploited several zero-day vulnerabilities in Microsoft Windows to ultimately gain access to Siemens software and the PLCs. This was done to gain access to and effectively damage high-speed centrifuges at the Iranian Bushehr nuclear power plant.
The impact of Stuxnet was huge, as it remotely damaged around a thousand centrifuges, and the worm's controllers were also able to analyze communication protocols between the PLCs to exploit further technological weaknesses. It also paved the way for things to come: after Stuxnet, a number of industrial control-related attacks were detected over the years, including BlackEnergy and Colonial Pipeline.
Finck tells Dark Reading that after the Stuxnet attacks took place, Siemens developed a revised protocol for the PLCs that added lots of obfuscation and cryptography layers. However, the researchers in recent probing were able to bypass that obfuscation to give them the ability to read and write instructions for the PLCs, and ultimately stop the controller working in a proof of concept.
A statement from Siemens sent to Dark Reading acknowledged that the levels of obfuscation do not offer enough security, and a Security Bulletin from October 2022 stated that two of the PLCs use a built-in global private key which "cannot be considered anymore as sufficiently protected".
The statement added: "Siemens has deprecated this previous version of the communication protocol and encourages everyone to migrate to V17 or later to enable the new TLS [Transport Layer Security]-based communication protocol."
That most recent Siemens firmware, released in 2022, does include TLS, but Finck claims there is no long-term service for cybersecurity issues and calls for Siemens to provide better means to update firmware because, right now, "it's wide open to anybody who could just access it over the Internet."
In its statement, Siemens said it is aware of the talk scheduled for Black Hat Europe and stated that the talk "will describe the details of the legacy PG/PC and HMI communication protocol as used between TIA Portal/HMIs and SIMATIC S7-1500 SW Controller in versions before V17."
The company stated that no previously unknown security vulnerabilities will be disclosed in this talk and that Siemens is in close coordination with the researchers. Siemens recommended that users apply mitigations, including:
- Applying client authentication using strong and individual access level passwords.
- Migrating to V17 or later to enable the new TLS-based communication protocol for all SIMATIC S7-1200/1500 PLCs, including SW Controller (see Siemens Security Bulletin SSB-898115 [2]).
- Implementing the defense-in-depth approach for plant operations and configuring the environment according to Siemens operational guidelines for industrial security.
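The three mitigations above are fleet-wide checks, and the article's own complaint is that there is no established process for rolling anything out to a fleet of machines. The following is an added example, not code from the article, Enlyze or Siemens: a small inventory audit that flags each PLC still on a pre-V17 (obfuscation-only) protocol version, without an access-level password, with a password shared across controllers, or directly reachable from outside the plant network. The inventory records, the field names and the password fingerprint values are all constructed assumptions; a real audit would populate them from the engineering tool or asset inventory.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Siemens' recommendation quoted in the article: V17 or later enables the
# TLS-based protocol and retires the obfuscation-only legacy protocol.
MIN_TLS_VERSION = (17, 0)


@dataclass(frozen=True)
class Plc:
    """One controller in the plant inventory (field names are assumptions)."""
    name: str
    model: str
    version: str        # TIA Portal / SW Controller version string, e.g. "V16.1"
    password_set: bool  # is any access-level password configured?
    password_fp: str    # fingerprint of that password (constructed; never the secret)
    direct_reach: bool  # reachable without passing a plant firewall or jump host


def parse_version(text: str) -> tuple[int, int]:
    """Turn 'V17', 'V16.1' or '17.0' into a comparable (major, minor) tuple."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def audit(inventory: list[Plc]) -> dict[str, list[str]]:
    """Map each PLC name to the list of mitigation gaps found for it."""
    # Siemens asks for *individual* passwords, so count how many controllers
    # share each fingerprint; a count above one means a shared credential.
    shared = Counter(p.password_fp for p in inventory if p.password_set)
    findings: dict[str, list[str]] = {}
    for p in inventory:
        gaps: list[str] = []
        if parse_version(p.version) < MIN_TLS_VERSION:
            gaps.append("legacy pre-V17 protocol (obfuscation only): migrate to V17+ for TLS")
        if not p.password_set:
            gaps.append("no access-level password configured")
        elif shared[p.password_fp] > 1:
            gaps.append(f"access-level password shared with {shared[p.password_fp] - 1} other PLC(s)")
        if p.direct_reach:
            gaps.append("directly reachable: place behind the plant firewall / jump host")
        findings[p.name] = gaps
    return findings


def noncompliant(inventory: list[Plc]) -> list[str]:
    """Sorted names of controllers with at least one gap, for the work list."""
    return sorted(name for name, gaps in audit(inventory).items() if gaps)


# Constructed sample inventory (not real plant data).
INVENTORY = [
    Plc("press-01", "S7-1500", "V16.1", True, "fp-a1", False),   # old protocol, shared password
    Plc("press-02", "S7-1200", "V17.0", False, "", True),       # no password, exposed
    Plc("mixer-01", "S7-1500", "V18.0", True, "fp-a1", False),   # shares press-01's password
    Plc("packer-01", "S7-1500", "V17.0", True, "fp-c3", False),  # compliant
]

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY).items():
        status = "OK" if not gaps else f"{len(gaps)} gap(s)"
        print(f"{name}: {status}")
        for gap in gaps:
            print(f"  - {gap}")
```

Version strings are compared as (major, minor) tuples rather than as text so that, for example, "V9.0" is not mistaken for being newer than "V17.0"; the fingerprint comparison lets the audit spot shared credentials without ever handling the passwords themselves.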
Though the researchers praised the response by Siemens, they noted that PLC firmware is rarely updated by users, and "there's not an established update process to quickly roll out [updates] to a fleet of machines."
Finck says doing updates is "probably a tedious manual process to walk to every machine, plug something in and update the firmware," and thus Siemens needs to offer better update processes so customers have an incentive to deploy those updates.
In the meantime, he says, "you better not have a direct connection to all PLCs right now," due to the aforementioned security problems.