The software is of the industrial control variety, and is used to control an assortment of drives, especially in mechanical engineering and plant construction. It also interacts with motion controllers that are used to coordinate synchronous operations or complex technology functions.
“Impact to individual organizations depends on many factors that are unique to each organization,” ICS-CERT noted in an advisory on the subject. “NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture and product implementation.
The vulnerability, CVE-2013-6920b, opens SINAMICS S/G open ports and services (FTP 21/TCP and Telnet 23/TCP) to attackers without authentication.
No known public exploits specifically target this vulnerability, and Siemens has issued a firmware update, SINAMICS S/G V4.6.11 and 4.7, to resolve the issue.
Organizations can take additional defensive measures to protect against this and other cybersecurity risks by simply minimizing network exposure for all control system devices. Critical devices should never directly face the internet. At the very least, control system networks and remote devices should be placed behind firewalls, and isolate them from the business network.
“When remote access is required, use secure methods, such as VPNs, recognizing that VPN is only as secure as the connected devices,” ICS-CERT said.
“As a general security measure Siemens strongly recommends to protect network access to the interface of SINAMICS S/G with appropriate mechanisms. It is advised to follow recommended security practices and to configure the environment according to operational guidelines in order to run the devices in a protected IT environment,” the Siemens advisory added.
ICS flaws continue to worry researchers. Further, “It is imperative for this sector to get a handle on system hardening and configuration management practices to improve security and reliability,” said Dwayne Melancon, CTO for Tripwire. "But in this regard though, the industrial sector is less effective than other industries in deploying risk management controls and communicating effectively about security."