Siemens PLCs Still Vulnerable to Stuxnet-Like Cyberattacks

Programmable logic controllers that were vulnerable to the Stuxnet attack are still in use globally and rarely have security controls deployed, meaning they're still at risk. More than 10 years after Stuxnet, new research shows users rarely switch on security controls such as passwords, and feel updates are too cumbersome to apply.

Colin Finck, tech lead of reverse engineering and connectivity at Enlyze, says the Siemens proprietary protocol is used to read and write data as well as to program the S7 PLC. However, it is protected only by obfuscation, which the researchers were able to bypass.

Finck and his colleague Tom Dohrmann, software engineer, reverse engineering and connectivity, will present their findings at Black Hat Europe in London next week, in a talk titled "A Decade After Stuxnet: How Siemens S7 Is Still an Attacker's Heaven."

Still Feeling the Stuxnet Effects

In the 2010 attack, the Stuxnet attackers exploited several zero-day vulnerabilities in Microsoft Windows to ultimately gain access to Siemens software and the PLCs. This was done to gain access to and effectively damage high-speed centrifuges at the Iranian Bushehr nuclear power plant.

The impact of Stuxnet was huge, as it remotely damaged around a thousand centrifuges, and the worm's controllers were also able to analyze communication protocols between the PLCs to exploit further technological weaknesses. It also paved the way for things to come: After Stuxnet, a number of industrial control-related attacks were detected over the years, including BlackEnergy and Colonial Pipeline.

Finck tells Dark Reading that after the Stuxnet attacks took place, Siemens developed a revised protocol for the PLCs that added "lots of obfuscation and cryptography layers." However, in recent probing the researchers were able to bypass that obfuscation, giving them the ability to read and write instructions for the PLCs and ultimately stop the controller from working in a proof of concept.
A statement from Siemens sent to Dark Reading acknowledged that the levels of obfuscation do not offer enough security, and a Security Bulletin from October 2022 stated that two of the PLCs "use a built-in global private key which cannot be considered anymore as sufficiently protected." The statement added: "Siemens has deprecated this previous version of the communication protocol and encourages everyone to migrate to V17 or later to enable the new TLS-based communication protocol."

Improved Firmware

The most recent Siemens firmware, released in 2022, does include TLS, but Finck claims there is no "long-term service for cybersecurity issues" and calls for Siemens to provide better means to update firmware "because right now, it's wide open to anybody who could just access it over the Internet."

In its statement, Siemens said it is aware of the talk scheduled for Black Hat Europe and stated that the talk "will describe the details of the legacy PG/PC and HMI communication protocol as used between TIA Portal/HMIs and SIMATIC S7-1500 SW Controller in versions before V17." The company stated that no previously unknown security vulnerabilities will be disclosed in this talk and that Siemens is in close coordination with the researchers.

- Applying client authentication using strong and individual access level passwords.
- Migrating to V17 or later to enable the new TLS-based communication protocol for all SIMATIC S7-1200/1500 PLCs including SW Controller.
- Implementing the defense-in-depth approach for plant operations and configuring the environment according to Siemens operational guidelines for industrial security.

Though the researchers praised the response by Siemens, they noted that PLC firmware is rarely updated by users, "and there's not an established update process to quickly roll out [updates] to a fleet of machines."
Finck says doing updates is "probably a tedious manual process to walk to every machine, plug something in and update the firmware," and thus Siemens needs to offer better update processes so customers have an incentive to deploy those updates. In the meantime, he says, "You better not have a direct connection to all PLCs right now, due to the aforementioned security problems."

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:01 +0000

