
6/6/2012
03:46 PM

Siemens Enhances Security In Post-Stuxnet SCADA World

Firewall, VPN features now embedded in some products as Siemens gradually beefs up its security strategy

Stuxnet was not only bad news for Iran, but also for Siemens, whose process control systems were targeted in the attack that disrupted a nuclear facility in Iran. Since then, Siemens has quietly made several security moves in the wake of Stuxnet's discovery two years ago -- most recently, new industrial control products that come with built-in security features.

Raj Batra, president of industry automation division for Siemens Industry Inc., says the new Simatic CP and Scalance communications processor products with firewall and virtual private network (VPN) features help ratchet up security. But he also warns that there's no "silver bullet" to today's threats. "The introduction of our new Simatic CP and Scalance products only help to bolster Siemens' industrial security portfolio, but as we stress to our customers, there is no silver bullet to cybersecurity threats," Batra says. "Maintaining security is an ongoing process for plants and enterprises requiring collaboration at all levels."

Since Stuxnet, Siemens has been hammered by various security researchers who have poked numerous holes in the manufacturer's products, forcing Siemens to find security religion in a staid industry where air gaps traditionally were assumed enough to protect critical infrastructure. Stuxnet effectively burst that bubble of air gap protection for good, and Siemens has spent the past two years scrambling to shore up security in its products.

"During the past two years, Siemens has made several strategic decisions that have been well-received by both internal and external audiences, including developing new industrial security products and solutions, providing software updates incorporating security enhancements, increasing our communication and collaboration with key partners, including ICS-CERT and other government agencies, as well as the research community," Siemens' Batra says. "We have also developed consultative services to support our customers throughout the life cycle of their products or projects."


One of Siemens' first public moves post-Stuxnet was to send a representative to Black Hat USA last summer to respond at a session exposing embarrassingly simple holes in its programmable logic controllers (PLCs). Researcher Dillon Beresford demonstrated how a backdoor in Siemens S7-300, S7-400, and S7-1200 devices allowed him to get inside and capture passwords and reprogram PLC logic in such a way that he could shut down the systems altogether or cause them to eventually crash. He staged a live demonstration of how he could control the Siemens devices, which are used in power and manufacturing plants worldwide.

Siemens' Thomas Brandstetter, then-acting head of Siemens Product CERT, took the stage at the Black Hat session briefly with Beresford to confirm that Siemens was working on fixing the flaws in its devices. He later said that Siemens had created its CERT eight months before (which was just after Stuxnet) to handle vulnerabilities in its products and to work more closely with the security community.

Since then, Siemens has joined the Software Assurance Forum for Excellence in Code (SAFECode), and the head of its software initiatives, Frances Paulisch, is now a member of SAFECode's board. SAFECode is an industry-led group that promotes best practices in software development and services. Siemens also has been accredited to test its products for Wurldtech's Achilles Communication Certification, a benchmark for security of critical infrastructure products.

But it was Siemens' press release late last month announcing new versions of its Simatic NET CP 343-1 Advanced and Simatic NET CP 443-1 processors -- which now contain a firewall and VPN feature and better secure connections to the Simatic S7-300 and S7-400 controller series -- that caught the attention of SCADA security experts. Still unclear, however, is exactly how the new security features are applicable to the Siemens products that Stuxnet targeted, the Simatic WinCC and PCS 7 systems.

The new security features address secure remote access to process controllers, as well. "The Simatic NET CP 343-1 Advanced and Simatic NET CP 443-1 Advanced communications processors with extended functional scope enable connection to the S7-300 or S7-400 controllers via VPN. It is also possible to define more detailed security settings and access rights via the integrated firewall. Through this function, the communications processors secure access across the entire plant network. The integrated switch also supports secure connection of the lower-level controllers and HMI and I/O devices," according to the Siemens product announcement.

SCADA experts say the new products are a start, but whether they would stop a Stuxnet-type attack is debatable.

"Siemens officially announced a firewall and VPN solution that should prevent the Stuxnet attack on the S7 PLC ... The obvious question is why didn't Siemens offer a similar capability as a firmware upgrade to the currently deployed systems?" wrote Dale Peterson, founder and CEO of Digital Bond, a SCADA consultancy, in a blog post.

Peterson says the new communications processor for the S7 300 and S7 400 PLCs with firewall and VPN "should prevent an attacker with logical access to the PLC network from uploading rogue ladder logic a la Stuxnet," and the new Simatic NET CP 1628 module for HMI with the firewall and VPN also appears to be able to communicate with S7 PLCs.

Another industry expert who asked not to be named says Siemens' announcements are "baby steps," and that these new features would not have stopped Stuxnet. The other challenge is the long life cycle of SCADA systems, he says. "The next-generation secure controller is going to take a long time before customers move and migrate to a more secure platform," he says.

Neil McDonnell, CEO of Wurldtech, says Stuxnet was a wake-up call for all process control vendors -- not just Siemens. "All manufacturers are vulnerable. The approach Siemens has taken and will continue to take is a journey, which is great, starting to build more and better protection into all of their systems and their process control products," McDonnell says. "[Security] is becoming more front and center for them. But that's not to say they didn't do anything before. They've taken the next step in moving it along."

Siemens did not elaborate further on its new products beyond the press release, which also announced a new secure router. "The router is ideal for secure communication to and from distributed automation cells via VPN, such as the supply stations of a water utility company or mobile plants that have to be centrally monitored or controlled remotely from a control center," according to Siemens' announcement.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

 
