adimas - Fotolia
Security researchers disclosed 54 vulnerabilities in Siemens industrial control systems and while many of the flaws are critical, only three patches are currently available.
Of the 54 disclosed vulnerabilities, 19 affected Siemens ICS SPPA-T3000 application server and 35 affected the MS3000 migration server. Siemens said in its security advisory that three of the application server issues were patched in SPPA-T3000 service pack R8.2 SP1; however, those three flaws were not the most serious of the disclosed issues.
The three patched bugs were information disclosure flaws that would require a threat actor have access to the vulnerable Siemens ICS product and each garnered a CVSSv3.1 score of 5.3. More serious are the 17 remote code execution flaws disclosed, none of which have been patched.
"Exploitation of the vulnerabilities described in this advisory requires access to either Application or Automation Highway," Siemens wrote in its advisory. "Both highways should not be exposed if the environment has been set up according to the recommended system configuration in the Siemens SPPA-T3000 security manual."
Siemens credited Gleb Gritsai, Eugenie Potseluevskaya, Sergey Andreev and Radu Motspan from Kaspersky Lab for discovering 32 of the bugs; Vyacheslav Moskvin and "Ivan B" from Positive Technologies for disclosing 17 flaws; and Can Demirel from Turkish security vendor Biznet Bilisim for five more issues.
Reid Wightman, vulnerability researcher at ICS security firm Dragos, Inc., singled out CVE-2019-18315 as potentially the biggest Siemens ICS risk because "it requires no specialized knowledge of the target protocols, and most adversaries will be familiar with web vulnerabilities."
"It's important to note that this is a distributed control system meant for power generation. Power generation systems tend to provide remote access only via a jump box, or a VPN plus a jump box, and end users should be using multifactor authentication for any remote access to power generation," Wightman told SearchSecurity. "Thankfully Siemens has detailed affected port numbers and services in their advisory. End users can take steps to ensure that they are minimizing their exposure of the affected services, both from their jumpbox and from data historians or other servers which will shuffle plant data to corporate networks."
For the unpatched issues, Siemens suggested customers rely on mitigations described in the security manual, restrict access to vulnerable systems via network isolation or firewall, and perform regular updates.
However, Wightman noted that "patching generation systems is rarely done quickly."
"Historically, applying patches to these systems would only be done during a plant shutdown, and would only be done during a major plant retrofit or scheduled outage. It is for this reason that vendors absolutely must provide a better mechanism for updating," Wightman said. "It takes time to patch these systems, and the patches are unlikely to be deployed right away by any end user -- making the end user aware of the problem, and highlighting the need to protect these vulnerable assets, is worthwhile. I think the advisory does a lot to help end users, even if they can't patch right away."
Wightman added that he generally "views recommendations for network layout with a little suspicion."
"Usually plants are deployed following the guidelines, however plant security may degrade with time -- exceptions to firewall rules are added, and networks are bridged for short-term purposes that end up becoming permanent," Wightman said. "It is for this reason that plant operators should periodically re-assess their network security architecture: walk through the actual plant network and see where additional connections have been made, and review firewall rules and compare to the initial installation."