Independent ICS security researcher Gao Jian recently discovered new vulnerabilities which can allow hackers to remotely crash Siemens PLCs.
The vulnerabilities have been reported to the vendor and Siemens has issued nine advisories which among other vulnerabilities describe three high severity flaws which could potentially be exploited remotely by unauthenticated attackers to perform denial-of-service (DoS) attacks against some programmable logic controllers (PLCs).
Affected Models
Siemens says the flaws impact SIMATIC S7-1200 and S7-1500 PLCs, SIMATIC Drive Controller, ET 200SP Open Controller, S7-1500 Software Controller, SIMATIC S7-PLCSIM Advanced, the TIM 1531 IRC communication module, as well as SIPLUS extreme products.
Attack Method and Vector
The “S7+:Crash” vulnerabilities can be exploited by a threat actor who has access to the targeted device on TCP port 102. Exploitation directly from the internet may also be possible if the PLC is exposed due to a misconfiguration.
According to Gao Jian, even if the SIMATIC products are enabled with access protection and secure communication (TLS encryption) these vulnerabilities cannot be mitigated, and there is no firewall capable of parsing the S7CommPlus_TLS protocol, making it very difficult to prevent such attacks.
Gao Jian has published a video showing an exploitation demo.
![[CVE-2021-37185] S7-1500 denial-of-service Demo](https://i.ytimg.com/vi/XNDo0iAaT14/hqdefault.jpg)
OT Assets Not Given the Appropriate Attention Like IT Assets
Operational Technology (OT) is challenging to manage, especially when it comes to software patching.
According to a recent study from SANS Institute, while more than 91% of organizations include on-premises information technology (IT) infrastructure assets in their existing or planned vulnerability program, just 23% do the same for their OT assets.
OT Vulnerability Management is Challenging
When comparing vulnerability management in IT vs. OT environments the biggest risks lie in different areas. In OT for example:
- Downtime tolerance is slim to none
- Active scanning is frequently problematic
- Vendors hold a lot of control
- There are exceedingly long patch cycles
- Legacy systems are entrenched
- Unique, fit-for-purpose hardware and software prevails
- Patch installation and tracking is highly manual
Danger to Human Life
In industrial environments, crashing a PLC or other OT devices can have catastrophic effects. Apart from disruption of operations, human lifes could potentially be in danger in cases of failure or malfunction of PLCs.
The Rise of Killware if real. Organizations should catalogue their SCADA, DCS, PLCs and other operational technology devices in order to have complete visibility of their environments, perform accurate risk assessments and select and apply the appropriate security controls.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
