Information regarding the Behaviour of SIMATIC S7-1200 in Industrial Networks
With the growing use of Ethernet connections at the field level, the associated security concerns are becoming more prevalent. Open communication and increased networking of production systems bring not only opportunities but also risks.
In mid-May 2011, ICS-CERT issued an alert to a limited audience of vetted control system owners and operators via the US-CERT secure portal. The alert identified certain weaknesses in the Ethernet network interface of the SIMATIC S7-1200 controller. Several press reports followed. Siemens takes these issues very seriously and our experts are working on possible improvements.
Siemens reproduced the test scenarios, and this confirmed weaknesses in the S7-1200 controller. Under certain conditions these network attacks stopped the control program and placed the S7-1200 in a STOP or defect state. In automation applications this is a state that causes a defined shut-down of the automation application (e.g. a machine), comparable to a power failure.
Systems engineers always have to consider which security mechanisms for open communication apply at which level of the network hierarchy. Because of real-time requirements, many security mechanisms can only be applied at the machine, cell or production line level, usually by means of secure network switches or gateways with firewall functions. Siemens offers all users and plant operators extensive support for these tasks.
Position of Industrial Controllers in Plant Security
In automated manufacturing plants and infrastructure projects, industrial security can be categorized in three levels:
1. Plant Security: Access control for people to plants/areas of plants
2. Plant IT Security: Protection of IT systems on networks
3. Access Control: Access control for plant and configuration data
Plant security starts with protection from unauthorized entrance of plant sites and operational areas. It continues with firewall protection for enterprise networks, in addition to other measures that guard the IT and production infrastructure. Operating an industrial controller on an unprotected network can be compared to operating a PC without a firewall on the internet.
SIMATIC industrial controllers offer mechanical engineers and plant operators functions at level three (Access Control). These include, for example, password protection that prevents unauthorized users from making unplanned changes to control programs.
To reproduce the ICS-CERT scenarios described above, a person must be able to bypass the first two levels of protection that are already in place. In other words, a person must already be on site in the plant or have unrestricted access to the production network.
Identified System Behaviour of the Scenarios
First, it is possible to record the communication between the engineering software and the S7-1200 controller with special network tools and later replay this recording to the network interface of the controller. The actions of the engineering software operator can thereby be repeated (e.g. setting the controller to STOP mode), but only on the same controller. It is impossible to replay the actions on any other controller in the same plant or anywhere else; an authentication mechanism prevents this.
Second, a network scanner can cause overload conditions on the communication interface of the S7-1200, which leads to a CPU stop. This behavior can be avoided by switching off the integrated web server of the S7-1200.
The improvements for this system behavior will be addressed with the next firmware update.
Siemens Industrial Controllers
Siemens industrial controllers provide a high level of security and robustness. In many industrial applications, network security is a matter of the system design of the production area of the plant, as stated above.
Siemens experts cooperated closely with the CERT and various user communities to constantly improve the industrial controller products. We are grateful for all hints that help us to fix possible weaknesses in our products and promise to react in the shortest possible time with appropriate software updates for our customers.
A firmware update for the S7-1200 is now available on our customer support page. This update improves the security and robustness of the S7-1200 product family.
FAQ: Behavior of SIMATIC S7-1200 in industrial networks
What are we talking about here?
Mid-May 2011 there was a report from ICS-CERT on certain vulnerabilities in the Ethernet network interface of the Simatic S7-1200 controller. Siemens has simulated the reported scenarios, revealing weak points in the S7-1200 controller when responding to targeted attacks on the network. Siemens takes this kind of information very seriously and our control experts are constantly working on ways to make improvements.
What is a replay attack on a controller?
In a replay attack, communication between the engineering software and the controller is recorded by special network protocol analyzers and transmitted back to the controller later. This would, in theory, make it possible to carry out again the same actions (e.g. set controller to STOP) that were performed beforehand by the engineering software.
This kind of replay attack can only be successful if access to the controller is not protected. The access protection system of the controller prevents such operations in exactly the same way as would happen if unauthorized access was attempted via the engineering software. This is why we always recommend activating the controllers' access protection system.
Owing to an error in the current CPU firmware of the S7-1200, a replay attack is possible for a limited period.
The corrections contained in the next firmware update will ensure that it will no longer be possible to copy recordings to the same controller.
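The replay scenario described in the two passages above (the recorded engineering-station command that works again on the same controller but not on any other one) can be made concrete with a small model. The following is an added example written for this page; it is not code from Siemens and not the S7 protocol. The message layout, the per-controller keys, the STOP command and the challenge/response fix are all assumptions chosen to show two things: why a message whose authentication covers only the command content stays valid for a second delivery, and why binding each command to a one-time nonce issued by the controller (freshness) rejects the recording the second time.

```python
"""Generic model of a replayable controller command and a freshness fix.

Added example, not code from the Siemens page and not the S7 protocol: the
message format, keys and the challenge/response mechanism are assumptions
used to illustrate the replay scenario discussed on the page.
"""
import hashlib
import hmac
import secrets

# Constructed per-controller keys (assumption: every controller holds its own
# secret, which is what makes a recording useless on a different controller).
KEY_A = b"controller-A-secret-key-constructed"
KEY_B = b"controller-B-secret-key-constructed"


def mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 tag over data under the controller's key."""
    return hmac.new(key, data, hashlib.sha256).digest()


class ReplayableController:
    """Accepts a command if its tag verifies. The tag covers only the command,
    so a captured (command, tag) pair stays valid forever on this controller."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self.key = key
        self.mode = "RUN"

    def handle(self, msg: tuple) -> str:
        cmd, tag = msg
        if not hmac.compare_digest(tag, mac(self.key, cmd)):
            return "REJECTED"
        self.mode = cmd.decode()
        return "OK"


class FreshController(ReplayableController):
    """Same key material, but every command must quote a nonce this controller
    issued, and the tag covers nonce || command. A nonce is consumed once
    accepted, so the recorded message is rejected when delivered again."""

    def __init__(self, name: str, key: bytes) -> None:
        super().__init__(name, key)
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def handle(self, msg: tuple) -> str:
        nonce, cmd, tag = msg
        if nonce not in self.outstanding:
            return "REJECTED"  # unknown or already-used nonce: a replay
        if not hmac.compare_digest(tag, mac(self.key, nonce + cmd)):
            return "REJECTED"
        self.outstanding.discard(nonce)  # consume: same message never accepted twice
        self.mode = cmd.decode()
        return "OK"


def station_stop_replayable(key: bytes) -> tuple:
    """Engineering station sends STOP to a ReplayableController."""
    return (b"STOP", mac(key, b"STOP"))


def station_stop_fresh(ctrl: FreshController, key: bytes) -> tuple:
    """Engineering station asks for a challenge, then sends STOP bound to it."""
    nonce = ctrl.challenge()
    return (nonce, b"STOP", mac(key, nonce + b"STOP"))


def run_scenarios() -> dict:
    results = {}

    # Scenario 1: no freshness. The attacker records the STOP message on the
    # wire and sends the identical bytes again after the operator restarted the CPU.
    a = ReplayableController("A", KEY_A)
    recorded = station_stop_replayable(KEY_A)
    results["weak_first"] = a.handle(recorded)
    a.mode = "RUN"  # operator restarts the CPU
    results["weak_replay"] = a.handle(recorded)  # accepted again: replay works
    results["weak_replay_mode"] = a.mode

    # The same recording sent to another controller fails: its key differs.
    b = ReplayableController("B", KEY_B)
    results["weak_other_controller"] = b.handle(recorded)
    results["weak_other_mode"] = b.mode

    # Scenario 2: commands bound to a one-time nonce from the controller.
    c = FreshController("C", KEY_A)
    recorded = station_stop_fresh(c, KEY_A)
    results["fresh_first"] = c.handle(recorded)
    c.mode = "RUN"
    results["fresh_replay"] = c.handle(recorded)  # nonce consumed: rejected
    results["fresh_replay_mode"] = c.mode
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The model deliberately leaves the weak controller's authentication intact: the recording is rejected by controller B because the tag was computed under A's key, which is the behaviour the page describes, while A accepts it a second time because nothing in the message ties it to a particular session. Whatever the real protocol does, the check a practitioner wants after the firmware update is the second scenario: capture a STOP exchange once, deliver it again, and confirm the controller stays in RUN.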
Do these two S7-1200 vulnerabilities constitute security gaps?
The replay scenario does not represent any gap in security as such, because a replay attack depends on the same access rights to the network as when working on the engineering software itself.
Secure operation of a controller in an industrial application depends on having an access-protected network in place.
Certain traffic from a network scanner can cause the controller to go into the STOP or defect state. In this event the process being controlled is disrupted, but the controller enters a safe operating state in these circumstances as well, ensuring continued plant safety.
One immediate way of countering the denial-of-service effect is to turn off the CPU web server or, alternatively, to block web server communication by means of an external firewall solution.
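For the second countermeasure named above, an external firewall in front of the controller, the following is an added illustration and not a Siemens-provided configuration. It is an nftables ruleset for a Linux-based firewall forwarding traffic between the production network and the S7-1200. The addresses, the interface roles and the assumption that the CPU web server listens on TCP 80 and 443 (HTTP/HTTPS) are placeholders for this example; a real deployment takes the ports from the controller's documentation and adds explicit rules for the application traffic the plant needs, since the default policy here drops everything not listed.

```nftables
# Added example (not from the Siemens page): external firewall between the
# production network and a SIMATIC S7-1200, blocking web server access from
# everything except the engineering station.
#
# Assumptions (placeholders, adjust to the plant):
#   192.0.2.50  - the S7-1200 controller
#   192.0.2.10  - the engineering station that may use the web server
#   tcp 80/443  - the CPU web server (HTTP/HTTPS)
table inet plc_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already allowed.
        ct state established,related accept
        ct state invalid drop

        # Only the engineering station may talk to the controller's web server.
        ip saddr 192.0.2.10 ip daddr 192.0.2.50 tcp dport { 80, 443 } accept

        # Anybody else touching the web server (e.g. a network scanner) is
        # logged and dropped before the packet reaches the CPU interface.
        ip daddr 192.0.2.50 tcp dport { 80, 443 } log prefix "plc-web-blocked " drop

        # Add explicit accept rules for the plant's own application traffic to
        # the controller here; everything not listed is dropped by the policy.
    }
}
```

Load it with `nft -f <file>` and verify from a host other than the engineering station that a TCP connection to the controller's port 80 or 443 is dropped, then repeat from the engineering station to confirm it still succeeds. Disabling the web server on the CPU itself, the first countermeasure on the page, removes the listener entirely and does not depend on the firewall being in the path.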
For more information on industrial network security, please go to www.siemens.com/industrialsecurity
When is Siemens planning to take corrective action, and what do I have to do as an S7-1200 user?
The latest firmware update for the S7-1200 will offer corrective action for enhancing protection against replay attacks as well as increased stability when facing the above-mentioned denial-of-service scenario. The firmware update will be available in June.
S7-1200 users will find the firmware update and downloading instructions in the update section of the Simatic Online Support on the internet.
Do these problems also affect other families of controllers like S7-300 and S7-400?
The S7-300 and S7-400 controllers are not affected by the denial-of-service scenario, so there is no need for any firmware update with these controllers in this regard.
For further information regarding the behavior of SIMATIC S7 CPUs in industrial networks, please also refer to (51401544).
The external protection measures recommended as general protection against unauthorized access (protection levels) apply in the same way to the S7-300 / S7-400 controllers.