On January 10, 2023, researchers at the embedded device security firm Red Balloon Security released their findings after studying the Siemens S7-1500 Programmable Logic Controller (PLC) for a year.
They were able to evaluate the Siemens PLC firmware by taking advantage of a cryptographic error in the firmware protection, which is burned into the PLC’s dedicated ATECC CryptoAuthentication chip, and Siemens is not offering a fix other than replacing the hardware with a newer version.
Having a vulnerable asset in an Industrial Control System (ICS) is common. An ICS is normally made up of assets from multiple generations. The average piece of equipment is expected to last for a decade or more, and it is unreasonable to believe that technology built ten years ago was constructed in a way that would allow it to be constantly updated to current technology without replacement.
Understanding the Siemens PLC Firmware Vulnerability
What makes this a bit more complicated is the prevalence of the Siemens S7 PLCs in production. The S7-1500 is one of the most popular PLCs and is a critical asset in everything from manufacturing to energy production to oil and gas pipelines. The researchers say that in order to take advantage of this flaw, you must physically access these Siemens PLCs. However, we have seen in the past other flaws that required physical access exploited in the wild (Stuxnet), and in an ever-connected world, the lanes of communication are more open than ever.
This just reinforces that every customer should have in place a system to identify every asset, understand the risks and vulnerabilities of each asset, and monitor every network connection made to and from each asset.
Asset visibility is at the core of any security solution. You can’t protect what you do not know about. And in this case, it is critical to understand every asset that accesses a vulnerable S7-1500 PLC from Siemens: what that asset is, who is using it, what applications are being used to communicate, what protocols are in place, and, most importantly, whether the S7-1500 is doing things beyond what it normally does.
Imagine, if you will, that all of a sudden the PLC starts trying to communicate with all the other PLCs, something it has never done before. Is this normal? How would you know? When you have vulnerable ICS assets, it is imperative that you know what each asset is and that you monitor its behavior for deviations, as this can be an indicator of compromise.
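The scenario above, a PLC suddenly reaching out to peers it has never talked to, is exactly what a per-asset behavioral baseline catches. The following is an added example, not code from the original post or from Armis: it learns which (direction, peer, port, protocol) combinations each asset used during a learning window, then flags any flow outside that baseline and raises an alert when the PLC fans out to several previously unseen peers. The flow records, addresses and field names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flows: (timestamp, src, dst, dst_port, proto). Addresses and
# field names are assumptions for this example. TCP/102 is the port the S7-1500's
# S7 protocol uses, so an HMI polling the PLC on it is expected behaviour.
BASELINE_FLOWS = [
    ("2023-01-02T08:00:00", "10.0.1.20", "10.0.1.10", 102, "tcp"),  # HMI -> PLC
    ("2023-01-02T08:01:00", "10.0.1.30", "10.0.1.10", 102, "tcp"),  # eng. workstation -> PLC
    ("2023-01-02T08:02:00", "10.0.1.10", "10.0.1.5", 123, "udp"),   # PLC -> NTP server
]
NEW_FLOWS = [
    ("2023-01-10T09:00:00", "10.0.1.20", "10.0.1.10", 102, "tcp"),  # expected
    ("2023-01-10T09:00:10", "10.0.1.10", "10.0.1.11", 102, "tcp"),  # PLC -> another PLC
    ("2023-01-10T09:00:11", "10.0.1.10", "10.0.1.12", 102, "tcp"),  # PLC -> another PLC
    ("2023-01-10T09:00:12", "10.0.1.10", "10.0.1.13", 102, "tcp"),  # PLC -> another PLC
    ("2023-01-10T09:01:00", "10.0.1.10", "10.0.1.5", 123, "udp"),   # expected
]

def learn_baseline(flows):
    """Record, per asset, every (direction, peer, port, proto) seen in the learning
    window. Direction matters: a PLC that starts *initiating* connections is a
    different signal from a PLC that is merely being polled."""
    baseline = defaultdict(set)
    for _, src, dst, port, proto in flows:
        baseline[src].add(("out", dst, port, proto))
        baseline[dst].add(("in", src, port, proto))
    return baseline

def detect_deviations(asset, flows, baseline, fanout_threshold=2):
    """Return (new_flows, alert). new_flows are connections the asset never made or
    received during the baseline; alert is True when the asset reaches out to more
    than fanout_threshold previously unseen peers (the PLC-to-PLC scenario above)."""
    known = baseline.get(asset, set())
    new_flows, new_peers = [], set()
    for ts, src, dst, port, proto in flows:
        if src == asset and ("out", dst, port, proto) not in known:
            new_flows.append((ts, "out", dst, port, proto))
            new_peers.add(dst)
        elif dst == asset and ("in", src, port, proto) not in known:
            new_flows.append((ts, "in", src, port, proto))
    return new_flows, len(new_peers) > fanout_threshold

if __name__ == "__main__":
    plc = "10.0.1.10"
    deviations, alert = detect_deviations(plc, NEW_FLOWS, learn_baseline(BASELINE_FLOWS))
    for d in deviations:
        print("new flow involving", plc, d)
    print("fan-out alert:", alert)  # True: three new PLC peers
```

In practice the learning window should be long enough to cover maintenance and engineering activity, or those legitimate but infrequent connections will show up as deviations.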
How to Secure Siemens PLCs
As I said, having a vulnerable asset in an ICS is common, and if you have visibility into all your assets, risks, vulnerabilities, and communications, then you will know whether they are performing their assigned tasks as expected.
Industrial operators using the Siemens S7-1500 Series must take precautions to safeguard against critical PLC vulnerabilities.
Armis is a secure, cloud-based security platform that discovers and identifies all connected devices on your network and in your airspace. You will not only identify each device, but also know whether any device has vulnerabilities that you should know about, like these critical PLC vulnerabilities in the Siemens SIMATIC S7-1500 Series controllers. You will have:
- A real-time inventory of all devices
- Risk assessments across twelve different attributes
- A view of unauthorized network connections (policy violations)
- Visibility into both critical and non-critical cyber assets, including BES Cyber Assets, Electronic Access Control or Monitoring Systems (EACMS), and Physical Access Control Systems (PACS)
See all assets in your IT environment. Get an ICS risk assessment now.
Safeguard Against PLC Vulnerability with Armis
The Armis platform is cloud-based, which makes it easy and quick to deploy. There are no agents, no hardware sensors to install. Armis requires no changes to your existing infrastructure. The Armis threat detection engine includes built-in expert knowledge, so your staff doesn’t need to become experts in IoT security.
Although the Armis platform is cloud-based, it has been designed to meet the highest security standards, including NIST SP 800-53, ISO 27001, SOC 2 Type II, and Privacy Shield. The Armis platform has passed the security tests of many Fortune 100 enterprises as well as government agencies.
For more information, visit: