
03:46 PM
Siemens Enhances Security In Post-Stuxnet SCADA World

Firewall, VPN features now embedded in some products as Siemens gradually beefs up its security strategy

Stuxnet was not only bad news for Iran, but also for Siemens, whose process control systems were targeted in the attack that disrupted a nuclear facility in Iran. Since then, Siemens has quietly made several security moves in the wake of Stuxnet's discovery two years ago -- most recently, new industrial control products that come with built-in security features.

Raj Batra, president of industry automation division for Siemens Industry Inc., says the new Simatic CP and Scalance communications processor products with firewall and virtual private network (VPN) features help ratchet up security. But he also warns that there's no "silver bullet" to today's threats. "The introduction of our new Simatic CP and Scalance products only help to bolster Siemens' industrial security portfolio, but as we stress to our customers, there is no silver bullet to cybersecurity threats," Batra says. "Maintaining security is an ongoing process for plants and enterprises requiring collaboration at all levels."

Since Stuxnet, Siemens has been hammered by various security researchers who have poked numerous holes in the manufacturer's products, forcing Siemens to find security religion in a staid industry where air gaps traditionally were assumed enough to protect critical infrastructure. Stuxnet effectively burst that bubble of air gap protection for good, and Siemens has spent the past two years scrambling to shore up security in its products.

"During the past two years, Siemens has made several strategic decisions that have been well-received by both internal and external audiences, including developing new industrial security products and solutions, providing software updates incorporating security enhancements, increasing our communication and collaboration with key partners, including ICS-CERT and other government agencies, as well as the research community," Siemens' Batra says. "We have also developed consultative services to support our customers throughout the life cycle of their products or projects."

One of Siemens' first public moves post-Stuxnet was to send a representative to Black Hat USA last summer to respond at a session exposing embarrassingly simple holes in its programmable logic controllers (PLCs). Researcher Dillon Beresford demonstrated how a backdoor in Siemens S7-300, S7-400, and S7-1200 devices allowed him to get inside and capture passwords and reprogram PLC logic in such a way that he could shut down the systems altogether or cause them to eventually crash. He staged a live demonstration of how he could control the Siemens devices, which are used in power and manufacturing plants worldwide.

Siemens' Thomas Brandstetter, then-acting head of Siemens Product CERT, took the stage at the Black Hat session briefly with Beresford to confirm that Siemens was working on fixing the flaws in its devices. He later said that Siemens had created its CERT eight months before (which was just after Stuxnet) to handle vulnerabilities in its products and to work more closely with the security community.

Since then, Siemens has joined the Software Assurance Forum for Excellence in Code (SAFECode), with the head of its software initiatives, Frances Paulisch, now a member of SAFECode's board. SAFECode is an industry-led group that promotes best practices in software development and services. Siemens also has been accredited to test its products for Wurldtech's Achilles Communication Certification, a benchmark for security of critical infrastructure products.

But it was Siemens' press release late last month announcing new versions of its Simatic NET CP 343-1 Advanced and Simatic NET CP 443-1 processors -- which now contain a firewall and VPN feature and better secure connections to the Simatic S7-300 and S7-400 controller series -- that caught the attention of SCADA security experts. Still unclear, however, is exactly how the new security features are applicable to the Siemens products that Stuxnet targeted, the Simatic WinCC and PCS 7 systems.

The new security features address secure remote access to process controllers, as well. "The Simatic NET CP 343-1 Advanced and Simatic NET CP 443-1 Advanced communications processors with extended functional scope enable connection to the S7-300 or S7-400 controllers via VPN. It is also possible to define more detailed security settings and access rights via the integrated firewall. Through this function, the communications processors secure access across the entire plant network. The integrated switch also supports secure connection of the lower-level controllers and HMI and I/O devices," according to the Siemens product announcement.

SCADA experts say the new products are a start, but whether they would stop a Stuxnet-type attack is debatable.

"Siemens officially announced a firewall and VPN solution that should prevent the Stuxnet attack on the S7 PLC ... The obvious question is why didn't Siemens offer a similar capability as a firmware upgrade to the currently deployed systems?" wrote Dale Peterson, founder and CEO of Digital Bond, a SCADA consultancy, in a blog post.

Peterson says the new communications processor for the S7 300 and S7 400 PLCs with firewall and VPN "should prevent an attacker with logical access to the PLC network from uploading rogue ladder logic a la Stuxnet," and the new Simatic NET CP 1628 module for HMI with the firewall and VPN also appears to be able to communicate with S7 PLCs.

Another industry expert who asked not to be named says Siemens' announcements are "baby steps," and that these new features would not have stopped Stuxnet. The other challenge is the long life cycle of SCADA systems, he says. "The next-generation secure controller is going to take a long time before customers move and migrate to a more secure platform," he says.

Neil McDonnell, CEO of Wurldtech, says Stuxnet was a wake-up call for all process control vendors -- not just Siemens. "All manufacturers are vulnerable. The approach Siemens has taken and will continue to take is a journey, which is great, starting to build more and better protection into all of their systems and their process control products," McDonnell says. "[Security] is becoming more front and center for them. But that's not to say they didn't do anything before. They've taken the next step in moving it along."

Siemens did not elaborate further on its new products beyond the press release, which also announced a new secure router. "The router is ideal for secure communication to and from distributed automation cells via VPN, such as the supply stations of a water utility company or mobile plants that have to be centrally monitored or controlled remotely from a control center," according to Siemens' announcement.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
