Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/6/2012
03:46 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Siemens Enhances Security In Post-Stuxnet SCADA World

Firewall, VPN features now embedded in some products as Siemens gradually beefs up its security strategy

Stuxnet was not only bad news for Iran, but also for Siemens, whose process control systems were targeted in the attack that disrupted a nuclear facility in Iran. Since then, Siemens has quietly made several security moves in the wake of Stuxnet's discovery two years ago -- most recently, new industrial control products that come with built-in security features.

Raj Batra, president of industry automation division for Siemens Industry Inc., says the new Simatic CP and Scalance communications processor products with firewall and virtual private network (VPN) features help ratchet up security. But he also warns that there's no "silver bullet" to today's threats. "The introduction of our new Simatic CP and Scalance products only help to bolster Siemens' industrial security portfolio, but as we stress to our customers, there is no silver bullet to cybersecurity threats," Batra says. "Maintaining security is an ongoing process for plants and enterprises requiring collaboration at all levels."

Since Stuxnet, Siemens has been hammered by various security researchers who have poked numerous holes in the manufacturer's products, forcing Siemens to find security religion in a staid industry where air gaps traditionally were assumed enough to protect critical infrastructure. Stuxnet effectively burst that bubble of air gap protection for good, and Siemens has spent the past two years scrambling to shore up security in its products.

"During the past two years, Siemens has made several strategic decisions that have been well-received by both internal and external audiences, including developing new industrial security products and solutions, providing software updates incorporating security enhancements, increasing our communication and collaboration with key partners, including ICS-CERT and other government agencies, as well as the research community," Siemens' Batra says. "We have also developed consultative services to support our customers throughout the life cycle of their products or projects."

[ A look back at one of the industry's most complex attacks -- and the lessons it teaches. See Stuxnet: How It Happened And How Your Enterprise Can Avoid Similar Attacks. ]

One of Siemens' first public moves post-Stuxnet was to send a representative to Black Hat USA last summer to respond at a session exposing embarrassingly simple holes in its programmable logic controllers (PLCs). Researcher Dillon Beresford demonstrated how a backdoor in Siemens S7-300, S7-400, and S7-1200 devices allowed him to get inside and capture passwords and reprogram PLC logic in such a way that he could shut down the systems altogether or cause them to eventually crash. He staged a live demonstration of how he could control the Siemens devices, which are used in power and manufacturing plants worldwide.

Siemens' Thomas Brandstetter, then-acting head of Siemens Product CERT, took the stage at the Black Hat session briefly with Beresford to confirm that Siemens was working on fixing the flaws in its devices. He later said that Siemens had created its CERT eight months before (which was just after Stuxnet) to handle vulnerabilities in its products and to work more closely with the security community.

Since then, Siemens has joined the Software Assurance Forum for Excellence in Code (SAFECode), with the head of its software initiatives Frances Paulisch now a member of SAFECode's board. SAFECode is an industry-led group that promotes best practices in software development and services. Siemens also has been accredited to test its products for Wurldtech's Achilles Communication Certification, a benchmark for security of critical infrastructure products.

But it was Siemens' press release late last month announcing new versions of its Simatic NET CP 343-1 Advanced and Simatic NET CP 443-1 processors -- which now contain a firewall and VPN feature and better secure connections to the Simatic S7-300 and S7-400 controller series -- that caught the attention of SCADA security experts. Still unclear, however, is exactly how the new security features are applicable to the Siemens products that Stuxnet targeted, the Simatic WinCC and PCS 7 systems.

The new security features address secure remote access to process controllers, as well. "The Simatic NET CP 343-1 Advanced and Simatic NET CP 443-1 Advanced communications processors with extended functional scope enable connection to the S7-300 or S7-400 controllers via VPN. It is also possible to define more detailed security settings and access rights via the integrated firewall. Through this function, the communications processors secure access across the entire plant network. The integrated switch also supports secure connection of the lower-level controllers and HMI and I/O devices," according to the Siemens product announcement.

SCADA experts say the new products are a start, but whether it would stop a Stuxnet-type attack is debatable.

"Siemens officially announced a firewall and VPN solution that should prevent the Stuxnet attack on the S7 PLC ... The obvious question is why didn't Siemens offer a similar capability as a firmware upgrade to the currently deployed systems?" wrote Dale Peterson, founder and CEO of Digital Bond, a SCADA consultancy, in a blog post.

Peterson says the new communications processor for the S7 300 and S7 400 PLCs with firewall and VPN "should prevent an attacker with logical access to the PLC network from uploading rogue ladder logic a la Stuxnet," and the new Simatic NET CP 1628 module for HMI with the firewall and VPN also appears to be able to communicate with S7 PLCs.

Another industry expert who asked not to be named says Siemens' announcements are "baby steps," and that these new features would not have stopped Stuxnet. The other challenge is the long life cycle of SCADA systems, he says. "The next-generation secure controller is going to take a long time before customers move and migrate to a more secure platform," he says.

Neil McDonnell, CEO of WurldTech, says Stuxnet was a wake-up call for all process control vendors -- not just Siemens. "All manufacturers are vulnerable. The approach Siemens has taken and will continue to take is a journey, which is great, starting to build more and better protection into all of their systems and their process control products," McDonnell says. "[Security] is becoming more front and center for them. But that's not to say they didn't do anything before. They've taken the next step in moving it along."

Siemens did not elaborate further on its new products beyond the press release, which also announced a new secure router. "The router is ideal for secure communication to and from distributed automation cells via VPN, such as the supply stations of a water utility company or mobile plants that have to be centrally monitored or controlled remotely from a control center," according to Siemens' announcement.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4147
PUBLISHED: 2019-09-16
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
CVE-2019-5481
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVE-2019-5482
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVE-2019-15741
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
CVE-2019-16370
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.