Siemens Offers Workarounds for Newly Found PLC Vulnerability

An undocumented hardware-based special access feature recently found by researchers in Siemens’ S7-1200 can be used by attackers to gain control of the industrial devices.

Siemens recently issued a security advisory with workarounds and mitigations for a vulnerability uncovered by researchers in its S7-1200 programmable logic controllers (PLCs). The flaw could be used to bypass the firmware integrity check, allowing an attacker to load malicious code onto the device or hijack the industrial processes it controls.

Researchers from Ruhr University Bochum in Germany found an undocumented hardware-based special access feature in Siemens’ S7-1200 PLCs while studying its bootloader, which handles software updates and verifies the integrity of the PLC’s firmware when the device starts up.

Ali Abbasi, a research scholar at Ruhr University Bochum, doctoral student Tobias Scharnowski, and professor Thorsten Holz will present their findings this week in London at Black Hat Europe. The researchers alerted Siemens, which says it plans to fix the flaw.

It’s unclear whether the flaw can be fixed in software or whether it requires a hardware swap, according to Abbasi, and the researchers are not sure whether additional models of the PLC are also affected.

In a statement in response to an inquiry on the nature of the fix, Siemens said it’s still working on the issue, pointing to the SSA-686531 advisory it released late last month. “We are in the process of reviewing our product models and will post updates to SSA-686531 if further models are affected,” Siemens said. “With respect to a final solution, Siemens experts continue to work on the issue. Siemens provided workarounds and mitigations within the Siemens Security Advisory (SSA-686531) and Siemens will update the document when a final solution is available.”

Abbasi and his fellow researchers also found that the special access feature in the PLCs could be used for good: as a forensic tool for defenders. They employed the feature to view the contents of the PLC’s memory, so a plant operator could use it in the same way to look for malicious code on the device, for example, by comparing what the PLC actually holds against a known-good image.
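The forensic use the researchers describe comes down to one check: does the memory the device actually holds match what it should hold? The script below is an added example, not code from the article, the researchers, or Siemens, and it assumes nothing about how the dump was obtained. It takes a known-good reference image and a dump of the same region, both constructed byte strings here rather than real PLC contents, and reports the address ranges that differ, merging nearby differences so a patched instruction sequence shows up as one finding rather than several. The base address and the patched bytes are illustrative values.

```python
"""Compare a memory dump against a known-good reference image and report
the regions that differ. Added example for the article above; it is not
the researchers' or Siemens' tooling, and all byte strings are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class Region:
    """One contiguous range of bytes where the dump disagrees with the reference."""
    start: int      # absolute address of first differing byte
    end: int        # absolute address one past the last differing byte
    expected: bytes
    found: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, dump: bytes, base: int = 0, merge_gap: int = 0) -> list[Region]:
    """Return the ranges where dump differs from reference.

    Differing runs separated by merge_gap or fewer equal bytes are joined,
    so a patch that leaves a few original bytes untouched in the middle is
    still reported as one region. A size mismatch is itself a finding, not
    something to silently truncate, so it is raised rather than ignored.
    """
    if len(reference) != len(dump):
        raise ValueError(
            f"size mismatch: reference is {len(reference)} bytes, dump is {len(dump)} bytes"
        )
    raw: list[tuple[int, int]] = []
    i, n = 0, len(reference)
    while i < n:
        if reference[i] == dump[i]:
            i += 1
            continue
        j = i
        while j < n and reference[j] != dump[j]:
            j += 1
        if raw and i - raw[-1][1] <= merge_gap:
            raw[-1] = (raw[-1][0], j)      # extend the previous region over the small gap
        else:
            raw.append((i, j))
        i = j
    return [Region(base + s, base + e, reference[s:e], dump[s:e]) for s, e in raw]


def check_dump(reference: bytes, dump: bytes, base: int = 0) -> list[Region]:
    """Fast path: identical hashes mean no findings. Otherwise locate the differences."""
    if len(reference) == len(dump) and sha256_hex(reference) == sha256_hex(dump):
        return []
    return diff_regions(reference, dump, base=base, merge_gap=4)


def format_report(regions: list[Region]) -> list[str]:
    """Human-readable lines, one per differing region, with hex of both sides."""
    if not regions:
        return ["dump matches reference"]
    return [
        f"0x{r.start:08x}-0x{r.end:08x} ({r.end - r.start} bytes): "
        f"expected {r.expected.hex()} found {r.found.hex()}"
        for r in regions
    ]


# Constructed inputs: a stand-in "golden" region and a copy with two patches.
# These are not real PLC memory contents; the base address is illustrative.
BASE_ADDR = 0x08000000
GOLDEN = bytes(range(64))
_tampered = bytearray(GOLDEN)
_tampered[0x10:0x14] = b"\x00\xbf\x00\xbf"       # four bytes overwritten
_tampered[0x30:0x38] = b"\xde\xad\xbe\xef" * 2   # eight-byte blob inserted
TAMPERED = bytes(_tampered)


if __name__ == "__main__":
    for line in format_report(check_dump(GOLDEN, TAMPERED, base=BASE_ADDR)):
        print(line)
```

In practice the reference image would be the firmware or project the operator knows was loaded, and the dump would come from whatever read path is available; the comparison is the same whichever that is. Treat a size mismatch as suspicious rather than normalising it away, since an image that grew or shrank is as much a finding as one whose bytes changed.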


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …
