
6/6/2012
03:46 PM

Siemens Enhances Security In Post-Stuxnet SCADA World

Firewall, VPN features now embedded in some products as Siemens gradually beefs up its security strategy

Stuxnet was not only bad news for Iran, but also for Siemens, whose process control systems were targeted in the attack that disrupted a nuclear facility in Iran. Since then, Siemens has quietly made several security moves in the wake of Stuxnet's discovery two years ago -- most recently, new industrial control products that come with built-in security features.

Raj Batra, president of the industry automation division for Siemens Industry Inc., says the new Simatic CP and Scalance communications processor products with firewall and virtual private network (VPN) features help ratchet up security. But he also warns that there's no "silver bullet" to today's threats. "The introduction of our new Simatic CP and Scalance products only help to bolster Siemens' industrial security portfolio, but as we stress to our customers, there is no silver bullet to cybersecurity threats," Batra says. "Maintaining security is an ongoing process for plants and enterprises requiring collaboration at all levels."

Since Stuxnet, Siemens has been hammered by various security researchers who have poked numerous holes in the manufacturer's products, forcing Siemens to find security religion in a staid industry where air gaps traditionally were assumed enough to protect critical infrastructure. Stuxnet effectively burst that bubble of air gap protection for good, and Siemens has spent the past two years scrambling to shore up security in its products.

"During the past two years, Siemens has made several strategic decisions that have been well-received by both internal and external audiences, including developing new industrial security products and solutions, providing software updates incorporating security enhancements, increasing our communication and collaboration with key partners, including ICS-CERT and other government agencies, as well as the research community," Siemens' Batra says. "We have also developed consultative services to support our customers throughout the life cycle of their products or projects."


One of Siemens' first public moves post-Stuxnet was to send a representative to Black Hat USA last summer to respond at a session exposing embarrassingly simple holes in its programmable logic controllers (PLCs). Researcher Dillon Beresford demonstrated how a backdoor in Siemens S7-300, S7-400, and S7-1200 devices allowed him to get inside and capture passwords and reprogram PLC logic in such a way that he could shut down the systems altogether or cause them to eventually crash. He staged a live demonstration of how he could control the Siemens devices, which are used in power and manufacturing plants worldwide.

Siemens' Thomas Brandstetter, then-acting head of Siemens Product CERT, took the stage at the Black Hat session briefly with Beresford to confirm that Siemens was working on fixing the flaws in its devices. He later said that Siemens had created its CERT eight months before (which was just after Stuxnet) to handle vulnerabilities in its products and to work more closely with the security community.

Since then, Siemens has joined the Software Assurance Forum for Excellence in Code (SAFECode), with the head of its software initiatives, Frances Paulisch, now a member of SAFECode's board. SAFECode is an industry-led group that promotes best practices in software development and services. Siemens also has been accredited to test its products for Wurldtech's Achilles Communication Certification, a benchmark for security of critical infrastructure products.

But it was Siemens' press release late last month announcing new versions of its Simatic NET CP 343-1 Advanced and Simatic NET CP 443-1 processors -- which now contain a firewall and VPN feature and better secure connections to the Simatic S7-300 and S7-400 controller series -- that caught the attention of SCADA security experts. Still unclear, however, is exactly how the new security features are applicable to the Siemens products that Stuxnet targeted, the Simatic WinCC and PCS 7 systems.

The new security features address secure remote access to process controllers, as well. "The Simatic NET CP 343-1 Advanced and Simatic NET CP 443-1 Advanced communications processors with extended functional scope enable connection to the S7-300 or S7-400 controllers via VPN. It is also possible to define more detailed security settings and access rights via the integrated firewall. Through this function, the communications processors secure access across the entire plant network. The integrated switch also supports secure connection of the lower-level controllers and HMI and I/O devices," according to the Siemens product announcement.

SCADA experts say the new products are a start, but whether they would stop a Stuxnet-type attack is debatable.

"Siemens officially announced a firewall and VPN solution that should prevent the Stuxnet attack on the S7 PLC ... The obvious question is why didn't Siemens offer a similar capability as a firmware upgrade to the currently deployed systems?" wrote Dale Peterson, founder and CEO of Digital Bond, a SCADA consultancy, in a blog post.

Peterson says the new communications processor for the S7 300 and S7 400 PLCs with firewall and VPN "should prevent an attacker with logical access to the PLC network from uploading rogue ladder logic a la Stuxnet," and the new Simatic NET CP 1628 module for HMI with the firewall and VPN also appears to be able to communicate with S7 PLCs.

Another industry expert who asked not to be named says Siemens' announcements are "baby steps," and that these new features would not have stopped Stuxnet. The other challenge is the long life cycle of SCADA systems, he says. "The next-generation secure controller is going to take a long time before customers move and migrate to a more secure platform," he says.

Neil McDonnell, CEO of Wurldtech, says Stuxnet was a wake-up call for all process control vendors -- not just Siemens. "All manufacturers are vulnerable. The approach Siemens has taken and will continue to take is a journey, which is great, starting to build more and better protection into all of their systems and their process control products," McDonnell says. "[Security] is becoming more front and center for them. But that's not to say they didn't do anything before. They've taken the next step in moving it along."

Siemens did not elaborate further on its new products beyond the press release, which also announced a new secure router. "The router is ideal for secure communication to and from distributed automation cells via VPN, such as the supply stations of a water utility company or mobile plants that have to be centrally monitored or controlled remotely from a control center," according to Siemens' announcement.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
