Every industrial cybersecurity question demands a tailor-made answer and solution. Our focused team of professionals who understand your business are here to assist your company in securing your mission critical facilities to the highest level.
October 2022 – Siemens industrial devices in datacenters vulnerable to hackers
Recently, a research team at the cybersecurity company Claroty discovered a method to extract private encryption keys from Siemens industrial devices and thereby compromise entire Siemens product lines.
According to the researchers, Siemens introduced the practice of storing global hard-coded cryptographic keys a decade ago to guarantee software and hardware integrity. The Munich, Germany-based manufacturer opted to hardcode the credentials to save users and integrators from the complexities of key management systems, which did not exist at the time for industrial systems. However, technological advances and the ever-growing threat landscape made the practice unsafe, posing an unacceptable risk.
The critical insufficiently protected credentials vulnerability CVE-2022-38465 (CVSS 9.3) could allow attackers to recover the global private key through an offline attack. Subsequently, they could perform multiple advanced attacks against Siemens SIMATIC S7-1200 and S7-1500 PLCs (Programmable Logic Controllers) and related products, allowing a complete takeover. “The key, if extracted by an attacker, would give them full control over every PLC per affected Siemens product line.” Claroty warned that such attacks could cause irreparable compromise of the impacted industrial devices: “A malicious actor could use this secret information to compromise the entire SIMATIC S7 1200/1500 product line in an irreparable way.”
Claroty had previously discovered a similar authentication bypass vulnerability, CVE-2021-22681, in Rockwell Automation PLCs, allowing a remote attacker to upload code, download data from industrial devices, and potentially install new firmware. This latest discovery of vulnerabilities in Siemens PLCs clearly shows that the security of PLCs should be of interest to all users, especially where these PLCs are deployed in critical infrastructures such as datacenters. A threat actor could leverage these vulnerabilities to bypass all protection levels and perform sophisticated attacks on industrial devices, which could be invaluable for nation-state attackers interested in cyber warfare against adversaries’ critical infrastructure.
As a standard operating procedure, Claroty shared its findings with Siemens, which released new versions of the PLCs to address the vulnerability. Additionally, Siemens introduced a new dynamic public-key infrastructure (PKI) that eliminates the practice of hardcoding encryption keys. Subsequently, Siemens also advised organizations to migrate from legacy systems to the new versions. In its security bulletin, Siemens states that updating the firmware on the device alone is not sufficient: the hardware configuration in the TIA Portal project (V17 or later) must also be updated to the corresponding CPU version and downloaded to the PLC. Therefore, it is recommended to take notice of this Siemens security bulletin, which can be found at https://cert-portal.siemens.com/productcert/html/ssb-898115.html.