back to article Ever wonder how hackers could possibly pwn power plants? Here are 54 Siemens bugs that could explain things

Siemens industrial control systems designed specifically for energy plant gear are riddled with dozens of security vulnerabilities that are, luckily enough, tricky to exploit from the outside. The teams at Positive Technologies, Kaspersky Lab, and Biznet Bilisim took credit for finding and reporting 54 CVE-listed flaws in the …

  1. Pascal Monett Silver badge

    So reassuring

    "Both highways should not be exposed if the environment has been set up according to the recommended system configuration in the Siemens SPPA-T3000 security manual."

    Given how often certified electricians can apparently get it wrong when wiring potentially deadly electrical outlets, I'm not sure that Siemens' recommendations are followed as much as we would all like them to be.

    I would be grateful for a rebuttal on that.

    1. This post has been deleted by a moderator

      1. Carpet Deal 'em Bronze badge

        Re: So reassuring

        Fukushima was caused by ignoring multiple analyses over multiple years that the seawall needed to be higher. If people can't take predictable, physical threats seriously, I wouldn't give an industry blanket credit for cybersecurity.

        1. Anonymous Coward
          Anonymous Coward

          Re: So reassuring

          Would've helped if they hadn't built atop an underground spring. And put the backup generators in the subterranean basement. And hey, given that conspiracy nuts drew attention to Stuxnet you'd think Siemen's would be, should be pretty secure by now...

    2. thames

      Re: So reassuring

      SPPA-T3000 is basically a big Java program that runs on a set of MS Windows servers, with operator access being via Windows client workstations. The "highways" are the networks connecting them together and to the plant equipment. It shows equipment status, records performance for analysis, and allows operators to change equipment settings as needed.

      Given that software systems based on similar technologies in more routine business environments seem to have security vulnerabilities being reported all the time, it shouldn't be too surprising that we are seeing some here, even if Siemens goes to great lengths to obfuscate just what their system is.

      Basically though, the security challenges here are in essence the same as in any piece of big enterprise software and there's no reason to expect it to be immune from the same vulnerabilities.

    3. AdamWill

      Re: So reassuring

      In my department we call 'should' the 's-word', and you get raspberries for using it like this...

  2. Rich 11 Silver badge

    Asking the obvious question...

    Siemens recommends administrators lock down the server from any sort of external network access.

    It doesn't take much searching to discover that Siemens offers remote support as an integral part of its tech support package. Ho hum.

    1. Peter Gathercole Silver badge

      Re: Asking the obvious question...

      But do they have high security VPN connections or cryptography secured dedicated lines, so the Internet per se is not involved in support?

      I would hope that these systems should have more than a one-tier firewall to protect their internal networks.

      1. BebopWeBop Silver badge

        Re: Asking the obvious question...

        Hope might be the only option given the 'security' measures employed by many of these sites.

      2. This post has been deleted by a moderator

      3. A random security guy Bronze badge

        Re: Asking the obvious question...

        If you look at VPN related CVE’s you would realize that there is nothing like high security VPN especially if the software is not patched.

      4. John Brown (no body) Silver badge
        Coat

        Re: Asking the obvious question...

        I would hope that these systems should have more than a one-tier firewall to protect their internal networks.

        ...amd is Cisco ir Huawei?

        1. John Brown (no body) Silver badge

          Re: Asking the obvious question...

          "...amd is Cisco ir Huawei?"

          Oh dear! I really should not post comments in the early hours of the morning after being disappointed that the Geminids are again happening behind the cloud cover!

          That comment should, of course, read "and is it Cisco or Huawei?"

          1. TimMaher Bronze badge
            Thumb Up

            Re: Asking the obvious question...

            Also Geminids always hide behind cloud cover. It is part of their allure.

            Was there a bottle of port involved for the cold Winter night?

    2. Anonymous Coward
      Anonymous Coward

      Re: Asking the obvious question...

      This is Siemens standard response to any vulnerability or weakness in any of their products. Rather than actually address things like the communications protocol on one of their main PLC families having been reverse engineered over a decade ago with libraries freely available online, they just say "well the devices should be on an isolated network with controlled access" and then also sell products to allow you to control the devices remotely (albeit with a warning that you're increasing your threat landscape)

    3. This post has been deleted by a moderator

  3. steviebuk Silver badge

    Difficult..

    "So far, Siemens says it has only been able to patch three of the bugs. Siemens recommends administrators lock down the server from any sort of external network access."

    ....with certain software vendors pushing more and more of their stuff to the cloud.

    1. GnuTzu Silver badge

      Re: Difficult..

      "...with certain software vendors pushing more and more of their stuff to the cloud."

      Yup, and...

      ...while serious air-gap environments still have security checkpoints with metal detectors and x-ray and will put your cell phone and USB drives through crushers and dump the fragments in the burn bin if you don't leave those things in the car.

      Why? Because this is exactly what stuxnet is about.

      1. This post has been deleted by a moderator

        1. Anonymous Coward
          Anonymous Coward

          Re: Stuxnet was about ...

          "StuxNet was about allowing "external" things to be connected to your Control Systems, and the consequence of ignoring alarms."

          Care to expand on that?

          Meanwhile, here's Ralph Langner's own analysis, which tallies nicely with what I know about PLC and DCS-based automation and the associated industrial networking, and the nuclear industry, etc. Well worth a look, if folk are not familiar with the story so far:

          https://www.langner.com/stuxnet/

          There's also a llink to a ten minute TED talk (from 2011) by Langner (a good place to start), and other variations on the same theme.

          Other resources can be found via

          https://en.wikipedia.org/wiki/Stuxnet

          1. This post has been deleted by a moderator

      2. TimMaher Bronze badge
        Facepalm

        Re: Difficult..

        Didn’t that FaceBlank HR staffer leave their USB sticks in their car?

        Oh... wait... different thread.

  4. Andy The Hat Silver badge

    Siemens recommends administrators lock down the server from any sort of external network access.

    Errr ... doh! :-) This is a damn infra-structure power plant not an IoT light bulb in Jonny's bedroom, I would hope that's *always* the case.

    1. A random security guy Bronze badge

      In theory, yes. In practice, the said infrastructure can span miles of wiring. The information has to be sent to other systems. Nothing is isolated.

  5. Mike Shepherd
    Meh

    54 security bugs?

    Why do we hear so many reports of "vulnerable to arbitrary code execution", even in safety-critical products? Is it poor-quality staff who don't think beyond "get it working"? Is it poor education about dangers like buffer overflow? Is it because someone is told "Get feature PQR done this week, because feature XYZ should have been ready last month and you need to get on with that"? Probably the same people will write the "fixes": will they be any more reliable than the original?

    1. Alister Silver badge

      Re: 54 security bugs?

      Is it poor-quality staff who don't think beyond "get it working"? Yes

      Is it poor education about dangers like buffer overflow? Yes

      Is it because someone is told "Get feature PQR done this week, because feature XYZ should have been ready last month and you need to get on with that". Yes

      Did I pass?

      1. BebopWeBop Silver badge

        Re: 54 security bugs?

        Yes

      2. Mike Moyle Silver badge

        Re: 54 security bugs?

        You forgot: "Is it because sales has promised bug feature 'X' to the potential customer and the engineers don't find out until after the contract is signed and they have to rush things out without adequate testing to meet the contracted (unrealistic) delivery deadline?"

    2. Crisp

      Re: Is it poor-quality staff who don't think beyond "get it working"?

      In my experience it's usually a manager saying things like "We don't have the time or the budget to do that."

    3. This post has been deleted by a moderator

      1. Anonymous Coward
        Anonymous Coward

        Re: 54 security bugs?

        Given Siemens's association with certain "final solution" products...

    4. Kevin McMurtrie Silver badge

      Re: 54 security bugs?

      It was probably never designed with hardening beyond preventing employees from accidentally performing dangerous unauthorized tasks. Some control systems have so many complex interconnecting components that network isolation is a thousand times easier than hardening the software. Just managing the keystores for everything would drive you mad.

      OK, buffer overflows are always bad because they can happen by accident. I'm just never surprised when there's an ACL bypass or content injection vulnerability in software that was not meant for the WAN side of the Ethernet cables.

  6. Anonymous Coward
    Anonymous Coward

    Production control systems were built before the internet

    When I was implementing systems in a COMAH chemical plant around the millennium it was acknowledged that the control systems had to be air gapped from the rest of the plant network as there was no way the kit could be secured. In effect there we had 3 disparate cabling systems

    The hard wired connections between sensors, machinery and the control room. The cat 3 wired network (yes really) which provided voice and data services to the plant and all offices and the hard wired 50+ year old 'red phone' network which was to be used in the case if an emergency. Needless to say these 3 networks shared ducts along the 1/4 mile long production processing plant the air gap approach did mean that it was necessary to lay serial cab;es hundreds of meters between the control room and tanks to allow the tank levels to be reported. Add in the fact that it was necessary to get feeds on tank levels, flow rates etc into the AS400 Business Planning and control system and we had a bit of a conundrum.

    It was done and I was told it was secure but I had many doubts. Bearing in mind that access to the control room systems could potentially allow the release of large volumes of Chlorine as one of the less nasty ingredients I was glad I lived 20 miles away.

    1. Robert Helpmann?? Silver badge
      Childcatcher

      Re: Production control systems were built before the internet

      ...these 3 networks shared ducts along the 1/4 mile long production processing plant the air gap approach did mean that it was necessary to lay serial cab;es hundreds of meters between the control room and tanks...

      What you describe here is an insecure implementation of an air gapped network. Simply running the cables from different networks beside each other may allow an adversary to pull information across networks.

      1. This post has been deleted by a moderator

        1. TimMaher Bronze badge
          Coat

          Re: Production control systems were built before the internet

          Just like in a James Bond film.

      2. Cynic_999 Silver badge

        Re: Production control systems were built before the internet

        "

        Simply running the cables from different networks beside each other may allow an adversary to pull information across networks.

        "

        I assume you are thinking of crosstalk. That's unlikely to be significant enough to be exploitable on a couple of km of separate twisted-pair cables carrying similar digital signals. Even if it is, any "hacking" would require data to be *pushed* from one cable to another, which is not possible even if the crosstalk is ridiculously high.

        1. Robert Helpmann?? Silver badge
          Childcatcher

          Re: Production control systems were built before the internet

          I assume you are thinking of crosstalk. That's unlikely to be significant enough to be exploitable on a couple of km of separate twisted-pair cables carrying similar digital signals. Even if it is, any "hacking" would require data to be *pushed* from one cable to another, which is not possible even if the crosstalk is ridiculously high.

          Yes, I was referring to crosstalk. Yes, it is exploitable and yes I meant only in the sense of a pull. However, there are other means to push commands to an isolated network and having access to a relatively fast and reliable way to pull info makes that aspect much easier if only by dint of having a means to perform footprinting. If you know what to target on the closed network, it makes it that much easier to put something together that will do the job once you gain access.

          1. This post has been deleted by a moderator

            1. Robert Helpmann?? Silver badge
              Childcatcher

              Re: Production control systems were built before the internet

              ...failing to be able to "shoot the interloper in the head" when detected.

              You say this like this is the best way to stop an intruder. I like the way you think! More seriously, while you bring up a good point concerning allocation of resources, the reality is that there are other ways to avoid cross talk than you describe (the environments I work in use a lot of fiber). Also, the more common ways I am aware of to attack isolated systems are to compromise adjacent systems (which we are talking about here), to get someone who has access to the isolated systems to do so on your behalf (intentionally or otherwise) or to gain physical access themselves. In my experience, the first two are a lot more common. If information can flow in either direction, the isolated systems aren't as isolated as all that. If you are trying to prevent changes from being made, which seems to be the main concern in the example given by the AC above, then cross talk may be less of a concern. If the danger is leaking data to competitors, that's a different story.

              Your point raises another question. If it is worth isolating assets, what is the best way to deal with a previous implementation that you do not feel does the job properly?

              1. This post has been deleted by a moderator

    2. Anonymous Coward
      Anonymous Coward

      Re: Production control systems were built before the internet

      Tank levels? Release of large volumes of unpleasantness? Does Buncefield ring any bells? And Buncefield was an "accident" (or maybe an accident waiting to happen: see e.g. https://www.hse.gov.uk/comah/buncefield/buncefield-report.pdf

      Lack of competence can do a lot of harm. So can complacency.

      On the afternoon after it happened, and before I knew what had happened, I was on the road in south Oxfordshire heading north for the Midlands. Buncefield was 50 miles away, but the smoke cloud still managed to fill half the sky. Never seen anything like it, never want to again. Good job it happened at a weekend.

    3. Alsibbo

      Re: Production control systems were built before the internet

      The magic 2 wire serial cable trick here - only connect GND and TX on the secure system and GND and RX on AS400 side....

  7. imanidiot Silver badge

    What works shall remain

    The problem with industrial hardware is that much of it HAS to work with the 30 year old (or older) predecessor. Especially for things like PLCs this means a lot of them are bodge jobs with a lot of baggage from previous implementations that we NOW know to be insufficiently protected (But were considered good enough in the past). It's VERY hard moving away to completely new systems in any plant that already exists.

    The best that can be done is proper air-gapping and a security conscious implementation of network access protocols. If getting on the network requires physical access you can provide more lines of defense in the form of (as called above) Guards, Guns and Gates. There's a reason you'd get rugby tackled in many chemical plants if you carry around a laptop within the security boundry without the proper credentials. Paranoid doesn't begin to cover it in some instances.

  8. Palpy

    Optimal design is often a unicorn.

    In my experience in the field, real-world design --

    -- may have to run machine-level kit which uses decades-old software;

    -- may compromise security to facilitate process data handling across networks;

    -- may come under pressure from management to permit remote or wireless monitoring-and-control;

    -- may have to implement back compatibility in order to interface with existing control subsystems.

    And so forth.

    I hope that when commentard kmedcalf wrote, "It is highly unlikely that the Systems Engineers or Instrumentation will get it wrong" he or she was being sarcastic. For one example, Boeing system engineers and instrumentation experts certainly managed to "get it wrong" multiple times in designing the control automation for the 737 Max.

    1. This post has been deleted by a moderator

  9. Will Godfrey Silver badge
    Unhappy

    Ah, that old favouite turns up again

    Have a guess which make of PLC controls almost all the traffic lights in the UK.

    And while you're at it guess what the primary factor in the decision was.

    {hint: it's not quality}

  10. John Smith 19 Gold badge
    Joke

    Translation

    Thanks for telling people about the vulns.

    Yeah, we're not bothered. Just make sure its not connected to the Intenet and you're golden

    Merry Christmas. We're off to put our feet up and munch a nice slab of Stollen.

  11. Triumphantape

    My question has always been why are they online and accessible to hackers? Critical infrastructure components should have their own lines dropped, a closed system.

    1. This post has been deleted by a moderator

  12. Anonymous Coward
    Anonymous Coward

    Having seen many PLCs and allegedly industrially hardened IT over the years; examples where they are really hardened seem to be few and far between.

    Siemens are certainly not the only culprit in this arena. Leaving wide attack surfaces seems to be a common feature of almost all current PLC; for inevitably the PLC itself is attached to a Windows box for "user interface". I've seen XP boxes being installed as late as 2015 as UI to a PLC. Not even the embedded edition!

    Some would argue that airgapping is a defence, but one well placed USB stick soon beats that. And don't mention the difficulties of patching an air-gapped, USB-banned network.

    1. This post has been deleted by a moderator

      1. Anonymous Coward
        Anonymous Coward

        There's a reason we used to hot glue gun the serial ports on the airgapped network...

      2. Anonymous Coward
        Anonymous Coward

        There is of course an obvious solution to pluggable media vuln. WORM media of known provenance plus physical security on the recieving device. USB is just the most obvious target because it's rather convenient

        1. This post has been deleted by a moderator

  13. PeterM42
    Trollface

    Apply the patches

    And nothing ca go wrong.......

    go wrong.......

    go wrong.......

    go wrong.......

    go wrong.......

    go wrong.......

    go wrong.......

    go wrong.......

    go wrong.......

    1. This post has been deleted by a moderator

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020