Drives and Controls Magazine
Siemens PLC vulnerability is cyber-attackers’ ‘holy grail’
Published:  01 June, 2021

Cyber-researchers have found a vulnerability in Siemens’ Simatic S7-1200 and S7-1500 PLCs that could give attackers read and write access anywhere on the PLC, allowing them to execute malicious code remotely. The researchers at Claroty describe such unrestricted and undetected code execution as the “holy grail” for cyber-attackers, allowing them to hide code deep inside the PLC undetected by the operating system, or any diagnostic software.

To eliminate the vulnerability, Siemens has updated the firmware for both PLCs, and has issued an advisory notice (SSA-434534) informing its customers about the details. Claroty says it is not aware of any public exploitation of the vulnerability.

According to the researchers, achieving native code execution on an industrial control system such as a PLC is a goal that few attackers have reached. These systems have numerous in-memory protections that an attacker would have to overcome not only to run code, but also to remain undetected.

Previously, they would have needed physical access and connections to the PLC, or techniques that target engineering workstations and other links to the PLC to achieve this level of code execution. The new vulnerability discovered by the cyber-researchers bypasses the sandbox where engineering code would normally run in the PLC to run native code in protected areas of memory. An attacker could use this vulnerability to obtain read-write memory access remotely that would be difficult to detect and remove.

The vulnerability bypasses existing protections in the PLC. Claroty was able to use the vulnerability to escape the sandbox to gain direct access to memory, then write and inject shellcode to attack the PLC.

To achieve this, an attacker would need network access to the PLC, as well as PLC download rights. Since V12 of Siemens’ TIA Portal engineering platform, mitigating controls, in particular password-based access protection, have limited network and read/write access to its PLCs. V17 introduced TLS communication using individual certificates between PLCs, HMIs and TIA Portal, significantly reducing the potential attack surface.
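Because network reachability of the PLC is a precondition for the attack, one practical check a plant network team can run is to look for S7 protocol sessions to PLCs that do not originate from an approved engineering workstation. The following script is an added example and is not code from the article, Claroty or Siemens. It assumes S7 traffic uses its standard ISO-TSAP port TCP/102 with no port remapping, and the PLC addresses, the engineering-workstation allowlist and the flow records are all constructed for illustration.

```python
# Added example: flag S7 protocol (TCP/102) sessions to PLCs from hosts that are
# not approved engineering workstations. All addresses and flow records below
# are constructed for illustration, not taken from the article.
import ipaddress
from collections import namedtuple

S7_PORT = 102  # ISO-TSAP; S7comm/S7comm-plus run over this port (assumes no port remapping)

# Assumed PLC addresses and approved TIA Portal hosts (allowlist may contain CIDR ranges).
PLC_HOSTS = {ipaddress.ip_address("10.10.1.20"), ipaddress.ip_address("10.10.1.21")}
ENGINEERING_NETS = [ipaddress.ip_network("10.10.0.5/32")]

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed flow records: "<timestamp> <src> <dst> <dport> <proto>"
SAMPLE_FLOWS = """\
2021-06-01T08:00:01Z 10.10.0.5 10.10.1.20 102 tcp
2021-06-01T08:00:07Z 10.10.0.5 10.10.1.21 102 tcp
2021-06-01T08:02:13Z 10.10.0.44 10.10.1.20 102 tcp
2021-06-01T08:02:15Z 10.10.0.44 10.10.1.20 443 tcp
this line is malformed and must be skipped
2021-06-01T08:03:00Z 192.168.5.9 10.10.1.21 102 tcp
"""


def parse_flow(line):
    """Parse one flow record; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                    int(dport), proto.lower())
    except ValueError:
        return None


def is_approved_workstation(addr):
    """True if the source address falls inside any allowlisted engineering network."""
    return any(addr in net for net in ENGINEERING_NETS)


def suspicious_s7_flows(text):
    """Return flows that reach a PLC on the S7 port from a non-allowlisted host."""
    hits = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        if (flow.proto == "tcp" and flow.dport == S7_PORT
                and flow.dst in PLC_HOSTS and not is_approved_workstation(flow.src)):
            hits.append(flow)
    return hits


def suspicious_sources(text):
    """Distinct offending source addresses, as strings, for a quick triage list."""
    return sorted({str(f.src) for f in suspicious_s7_flows(text)})


if __name__ == "__main__":
    for flow in suspicious_s7_flows(SAMPLE_FLOWS):
        print(f"{flow.ts} S7 session to PLC {flow.dst} from unapproved host {flow.src}")
```

On the constructed records, the two sessions from 10.10.0.5 are accepted, the HTTPS connection on port 443 is ignored, the malformed line is skipped, and the TCP/102 sessions from 10.10.0.44 and 192.168.5.9 are reported. The same logic applies to NetFlow, firewall or Zeek `conn.log` exports once the field mapping is adjusted; a PLC that should only ever be programmed from a known workstation has no legitimate reason to see S7 sessions from anywhere else.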

Siemens has issued firmware updates to tackle the vulnerability discovered in its Simatic S7-1500 and S7-1200 PLCs

Claroty, which formed a partnership with Siemens in 2018, has exchanged technical details, attack techniques, and mitigation advice with the PLC-maker that helped to shape the new patches designed to tackle the vulnerability. The partners say that “given the critical nature of this vulnerability”, users should apply the updates to the PLCs and to other affected products. Siemens is preparing further updates for products for which patches are not yet available.

In a blog post, Claroty researcher Tal Keren explains the background to the vulnerability and how it could be exploited.
