6/6/2012
03:46 PM
Siemens Enhances Security In Post-Stuxnet SCADA World

Firewall, VPN features now embedded in some products as Siemens gradually beefs up its security strategy

Stuxnet was not only bad news for Iran, but also for Siemens, whose process control systems were targeted in the attack that disrupted a nuclear facility in Iran. Since then, Siemens has quietly made several security moves in the wake of Stuxnet's discovery two years ago -- most recently, new industrial control products that come with built-in security features.

Raj Batra, president of industry automation division for Siemens Industry Inc., says the new Simatic CP and Scalance communications processor products with firewall and virtual private network (VPN) features help ratchet up security. But he also warns that there's no "silver bullet" to today's threats. "The introduction of our new Simatic CP and Scalance products only help to bolster Siemens' industrial security portfolio, but as we stress to our customers, there is no silver bullet to cybersecurity threats," Batra says. "Maintaining security is an ongoing process for plants and enterprises requiring collaboration at all levels."

Since Stuxnet, Siemens has been hammered by various security researchers who have poked numerous holes in the manufacturer's products, forcing Siemens to find security religion in a staid industry where air gaps traditionally were assumed enough to protect critical infrastructure. Stuxnet effectively burst that bubble of air gap protection for good, and Siemens has spent the past two years scrambling to shore up security in its products.

"During the past two years, Siemens has made several strategic decisions that have been well-received by both internal and external audiences, including developing new industrial security products and solutions, providing software updates incorporating security enhancements, increasing our communication and collaboration with key partners, including ICS-CERT and other government agencies, as well as the research community," Siemens' Batra says. "We have also developed consultative services to support our customers throughout the life cycle of their products or projects."

One of Siemens' first public moves post-Stuxnet was to send a representative to Black Hat USA last summer to respond at a session exposing embarrassingly simple holes in its programmable logic controllers (PLCs). Researcher Dillon Beresford demonstrated how a backdoor in Siemens S7-300, S7-400, and S7-1200 devices allowed him to get inside and capture passwords and reprogram PLC logic in such a way that he could shut down the systems altogether or cause them to eventually crash. He staged a live demonstration of how he could control the Siemens devices, which are used in power and manufacturing plants worldwide.

Siemens' Thomas Brandstetter, then-acting head of Siemens Product CERT, took the stage at the Black Hat session briefly with Beresford to confirm that Siemens was working on fixing the flaws in its devices. He later said that Siemens had created its CERT eight months before (which was just after Stuxnet) to handle vulnerabilities in its products and to work more closely with the security community.

Since then, Siemens has joined the Software Assurance Forum for Excellence in Code (SAFECode), with the head of its software initiatives Frances Paulisch now a member of SAFECode's board. SAFECode is an industry-led group that promotes best practices in software development and services. Siemens also has been accredited to test its products for Wurldtech's Achilles Communication Certification, a benchmark for security of critical infrastructure products.

But it was Siemens' press release late last month announcing new versions of its Simatic NET CP 343-1 Advanced and Simatic NET CP 443-1 processors -- which now contain a firewall and VPN feature and better secure connections to the Simatic S7-300 and S7-400 controller series -- that caught the attention of SCADA security experts. Still unclear, however, is exactly how the new security features are applicable to the Siemens products that Stuxnet targeted, the Simatic WinCC and PCS 7 systems.

The new security features address secure remote access to process controllers, as well. "The Simatic NET CP 343-1 Advanced and Simatic NET CP 443-1 Advanced communications processors with extended functional scope enable connection to the S7-300 or S7-400 controllers via VPN. It is also possible to define more detailed security settings and access rights via the integrated firewall. Through this function, the communications processors secure access across the entire plant network. The integrated switch also supports secure connection of the lower-level controllers and HMI and I/O devices," according to the Siemens product announcement.

SCADA experts say the new products are a start, but whether they would stop a Stuxnet-type attack is debatable.

"Siemens officially announced a firewall and VPN solution that should prevent the Stuxnet attack on the S7 PLC ... The obvious question is why didn't Siemens offer a similar capability as a firmware upgrade to the currently deployed systems?" wrote Dale Peterson, founder and CEO of Digital Bond, a SCADA consultancy, in a blog post.

Peterson says the new communications processor for the S7 300 and S7 400 PLCs with firewall and VPN "should prevent an attacker with logical access to the PLC network from uploading rogue ladder logic a la Stuxnet," and the new Simatic NET CP 1628 module for HMI with the firewall and VPN also appears to be able to communicate with S7 PLCs.

Another industry expert who asked not to be named says Siemens' announcements are "baby steps," and that these new features would not have stopped Stuxnet. The other challenge is the long life cycle of SCADA systems, he says. "The next-generation secure controller is going to take a long time before customers move and migrate to a more secure platform," he says.

Neil McDonnell, CEO of Wurldtech, says Stuxnet was a wake-up call for all process control vendors -- not just Siemens. "All manufacturers are vulnerable. The approach Siemens has taken and will continue to take is a journey, which is great, starting to build more and better protection into all of their systems and their process control products," McDonnell says. "[Security] is becoming more front and center for them. But that's not to say they didn't do anything before. They've taken the next step in moving it along."

Siemens did not elaborate further on its new products beyond the press release, which also announced a new secure router. "The router is ideal for secure communication to and from distributed automation cells via VPN, such as the supply stations of a water utility company or mobile plants that have to be centrally monitored or controlled remotely from a control center," according to Siemens' announcement.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
