Siemens Energy Automation Device Vulnerable to Authentication Bypass

An authentication bypass vulnerability has been discovered in a Siemens energy automation device—meaning that an attacker can gain control of the device without having to enter login details.

The Siemens SICAM MIC is a universal system suitable for electricity distribution stations, hydro-electric power stations, pipelines, gas distribution stations, railway power supplies and tunnels, and for building protection and alarm sensors.

With the growing pressure on costs in virtually all processes in the energy grid, there is an increasing need to also automate smaller stations in order to make better and yet more reliable use of existing equipment. Modern, high-performance automation systems allow the integration of smaller stations to provide universal and reliable management of complex processes. The Siemens SICAM MIC is a small telecontrol system for doing just that, and it performs a number of functions, including bridging the station's local network (LAN) and the wide-area network (WAN).

But it’s also connected to the internet for remote administration.

“Attackers with network access to the device’s web interface (Port 80/TCP) could possibly circumvent authentication and perform administrative operations,” ICS-CERT explained in its advisory. “A legitimate user must be logged into the web interface for the attack to be successful.”

The vulnerability could be exploited remotely by an attacker with medium skill, the organization said.

Siemens has provided a firmware update (V2404), which fixes the vulnerability and contains further security improvements. In addition to applying the patch, ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this and other similar vulnerabilities. Specifically, users should:

- configure firewall rules to appropriately restrict traffic to affected devices on Port 80/TCP;
- monitor traffic to affected devices on Port 80/TCP with an intrusion detection system (IDS);
- minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet; and
- locate control system networks and remote devices behind firewalls, and isolate them from the business network.

When remote access is required, organizations should use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. 
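The monitoring recommendation above (watch traffic to the device's web interface on Port 80/TCP) combined with the advisory's precondition (a legitimate user must be logged in) suggests two simple checks an operator can run over firewall logs: flag any Port 80/TCP connection to the device from a host outside the approved engineering network, and flag a second source address reaching the web interface while another source's session is still recent. The script below is an added example, not code from Siemens, ICS-CERT or the article; the log line format, the device address 192.0.2.10, the engineering subnet 192.0.2.0/28 and the ten-minute session window are all constructed assumptions.

```python
"""Flag suspicious access to a telecontrol device's web interface (TCP/80)
from firewall connection logs. Added example; all values are assumptions."""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed (constructed) log line format, loosely syslog-like:
#   <ISO timestamp> <ALLOW|DENY> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) TCP (\S+):(\d+) -> (\S+):(\d+)$")

DEVICE_IP = "192.0.2.10"            # assumed address of the device (documentation range)
DEVICE_PORT = 80                    # web interface port named in the advisory
ALLOWED_MGMT = [ipaddress.ip_network("192.0.2.0/28")]  # assumed engineering subnet
SESSION_WINDOW = timedelta(minutes=10)                 # assumed "session still active" window


def parse(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, _sport, dst, dport = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "action": action,
        "src": src,
        "dst": dst,
        "dport": int(dport),
    }


def is_allowed_source(ip):
    """True if the source address lies inside an approved management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_MGMT)


def analyse(lines):
    """Scan log lines and return a list of alert tuples.

    Alerts:
      ("unauthorised_source", ts, src)          - TCP/80 to the device from outside ALLOWED_MGMT
      ("overlapping_session", ts, src, other)   - a different source reached TCP/80 on the
                                                  device within SESSION_WINDOW of 'other'
    """
    alerts = []
    recent = {}  # src -> timestamp of its last allowed connection to the device web UI
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dst"] != DEVICE_IP or rec["dport"] != DEVICE_PORT:
            continue  # only traffic to the device's web interface is of interest
        if not is_allowed_source(rec["src"]):
            alerts.append(("unauthorised_source", rec["ts"], rec["src"]))
        if rec["action"] != "ALLOW":
            continue  # a denied connection cannot form a session
        for other, last in recent.items():
            if other != rec["src"] and rec["ts"] - last <= SESSION_WINDOW:
                alerts.append(("overlapping_session", rec["ts"], rec["src"], other))
        recent[rec["src"]] = rec["ts"]
    return alerts


# Constructed sample log: an engineer works from the approved subnet, an outside
# host reaches the web interface during that session, then is denied later.
SAMPLE_LOG = [
    "2015-06-01T08:00:00 ALLOW TCP 192.0.2.5:51000 -> 192.0.2.10:80",
    "2015-06-01T08:03:00 ALLOW TCP 198.51.100.7:40000 -> 192.0.2.10:80",
    "2015-06-01T08:30:00 ALLOW TCP 192.0.2.5:51010 -> 192.0.2.10:80",
    "2015-06-01T08:31:00 ALLOW TCP 192.0.2.5:51011 -> 192.0.2.99:80",
    "2015-06-01T09:00:00 DENY TCP 198.51.100.7:40001 -> 192.0.2.10:80",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

The overlapping-session check is deliberately crude (it keys on source address and a fixed window rather than on the device's own session state), but it is the kind of rule an IDS or SIEM can run on the perimeter logs the advisory tells operators to collect, without any visibility into the device itself.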
