Siemens, the industrial automation vendor, has issued a security advisory for a newly disclosed vulnerability (CVE-2018-4850) in its SIMATIC S7-400 programmable logic controllers (PLCs) that can be exploited to cause a denial of service (DoS).
The affected SIMATIC S7-400 CPUs do not properly validate S7 communication packets, so a specially crafted packet can put a CPU into a DoS condition. "The CPU will remain in DEFECT mode until manual restart," Siemens wrote.
An attacker only needs to be able to deliver the packets to a communication interface of the CPU, for example via Ethernet or PROFIBUS (Process Field Bus). No authentication and no user interaction are needed to exploit the vulnerability. As of the advisory's publication on 15 May 2018, Siemens was not aware of any public exploitation.
The vulnerability carries a CVSS v3.0 base score of 7.5 (network-reachable, low attack complexity, no privileges or user interaction required, with impact limited to availability). It affects SIMATIC S7-400 CPUs with hardware version 4.0 and below, a product line that is being phased out. The S7-400 family is used worldwide for process control in industrial environments: the automotive industry, mechanical equipment manufacturing, warehousing systems, building engineering, the steel industry, power generation and distribution, pharmaceuticals, the food and beverage industry and the chemical industry.
The vulnerability feeds into the ongoing discussion about critical infrastructure security, and Andrew Lloyd, president of Corero Network Security, said that Siemens should be applauded for disclosing it.
"There is a genuine risk of service disruption, malware infestation and/or safety if control equipment such as these PLCs is exposed on the Internet where the full pandemic of cyber-threats (including DDoS) is there to exploit their vulnerabilities," Lloyd said.
Also affected are S7-400 CPUs running firmware below v5.2 and SIMATIC S7-400H CPUs with hardware version 4.5 and below. For customers who have not yet upgraded their hardware and firmware, Siemens points to its standard mitigations: apply the cell protection concept (segment the plant network into cells and restrict traffic crossing cell boundaries), protect communication between cells with a virtual private network (VPN), and follow a defense-in-depth architecture. In practice this means S7 communication should only reach a CPU from the engineering stations and HMIs that belong to its own cell, and never from the Internet or from other cells.
"Best practice advice would have the control networks that these PLCs form be completely isolated from the Internet," said Lloyd. "Older PLC equipment was not designed with Internet exposure in mind. Consequently, many have little or no security to protect them from being compromised."
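One way to verify that the cell protection and Internet-isolation advice above actually holds on a live network is to audit connection logs for S7 sessions that reach a PLC from anywhere other than its own cell's approved hosts. The script below is an added example written for this article, not Siemens' or Corero's code. It assumes Zeek-style conn.log records (the sample records are constructed, not a real capture) and a hypothetical per-PLC policy; the article does not name a port, so it uses TCP/102, the standard ISO-on-TCP port that carries S7 communication over Ethernet. It cannot see PROFIBUS traffic, which never crosses an IP network, so that interface still has to be protected physically.

```python
"""Audit S7comm (ISO-on-TCP, TCP/102) flows against a cell-protection policy.

Added example, not vendor code. Zeek-style conn.log records and the cell
policy below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

S7_TCP_PORT = 102  # ISO-on-TCP (RFC 1006): S7 communication over Ethernet uses this port

# Hypothetical policy: each PLC belongs to one cell subnet, and only the listed
# engineering stations/HMIs inside that cell may open S7 sessions to it.
CELL_POLICY = {
    "192.168.10.20": {"cell": ipaddress.ip_network("192.168.10.0/24"),
                      "allowed": {"192.168.10.5"}},
    "192.168.20.20": {"cell": ipaddress.ip_network("192.168.20.0/24"),
                      "allowed": {"192.168.20.5", "192.168.20.6"}},
}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def parse_conn_line(line):
    """Parse a minimal Zeek conn.log record (ts uid orig_h orig_p resp_h resp_p proto ...).

    Returns None for comment/header lines or malformed records.
    """
    if line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    try:
        return {"src": fields[2], "sport": int(fields[3]),
                "dst": fields[4], "dport": int(fields[5]), "proto": fields[6]}
    except ValueError:
        return None


def audit_flow(flow):
    """Return a Finding if this flow violates the S7 cell policy, else None."""
    if flow["proto"] != "tcp" or flow["dport"] != S7_TCP_PORT:
        return None  # not S7 over Ethernet; out of scope for this check
    policy = CELL_POLICY.get(flow["dst"])
    if policy is None:
        return None  # destination is not a PLC we police
    src = flow["src"]
    if ipaddress.ip_address(src) not in policy["cell"]:
        # Cross-cell or Internet-sourced S7 traffic: the cell boundary is not enforced
        return Finding(src, flow["dst"], "S7 session from outside the PLC's cell")
    if src not in policy["allowed"]:
        return Finding(src, flow["dst"], "S7 session from unapproved host inside the cell")
    return None


def audit_log(lines):
    """Run audit_flow over every parseable record and collect the findings."""
    findings = []
    for line in lines:
        flow = parse_conn_line(line)
        if flow is not None:
            finding = audit_flow(flow)
            if finding is not None:
                findings.append(finding)
    return findings


def conn_line(src, sport, dst, dport, proto="tcp"):
    """Build a constructed Zeek conn.log-style record for the sample data."""
    return "\t".join(["1526400000.000000", "CUIDxyz", src, str(sport),
                      dst, str(dport), proto])


# Constructed sample log: one approved session, three policy violations, one non-S7 flow.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    conn_line("192.168.10.5", 49152, "192.168.10.20", 102),  # engineering station: allowed
    conn_line("192.168.10.7", 49153, "192.168.10.20", 102),  # host in cell, not approved
    conn_line("192.168.20.5", 49154, "192.168.10.20", 102),  # cross-cell S7 session
    conn_line("203.0.113.7", 55555, "192.168.20.20", 102),   # from outside any cell
    conn_line("192.168.20.5", 49155, "192.168.20.20", 443),  # not S7: ignored
]

if __name__ == "__main__":
    for f in audit_log(SAMPLE_CONN_LOG):
        print(f"ALERT {f.src} -> {f.dst}: {f.reason}")
```

Every alert this produces is a path by which an unauthenticated packet could reach the CPU and trigger the DEFECT condition; the first two reasons map directly to the cell protection concept, and a source outside every cell is the Internet-exposure case Lloyd warns about. Run it over the real conn.log from the span port or Zeek sensor on the cell's boundary switch, and treat any finding as a segmentation defect to fix, not just an event to log.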