Security information about internal diagnostic functions in S7-300 PLCs
Recent external research has disclosed the existence of an access method to internal diagnostic functions in the S7-300 PLCs. As a result of the continuous testing and improvement of S7 PLCs (including security-related functions), Siemens had previously identified this method of access to the functions. The undocumented functions were accessible over the integrated PLC network interface. The researcher's disclosure has resulted in a recent alert from ICS-CERT, "Siemens S7-300/S7-400 Hardcoded Credentials" (July 23, 2011).
Analysis results and recommendations concerning the ICS-CERT alert
- The reported access method for these functions only exists in older versions of S7-300 PLCs.
- Not affected:
  - S7-400 PLCs
  - S7-300 PLCs without integrated Profinet interface
  - S7-300 PLCs with integrated Profinet interface shipped after October 2009 (or IM after 08/2010)
- The (internal) diagnostic interface has been removed in:
  - CPU314C-2PN/DP since V3.3 01/2010 (first release)
  - CPU315(incl. F)-2PN/DP since V3.1 10/2009
  - CPU317(incl. F)-2PN/DP since V3.1 10/2009
  - CPU319(incl. F)-3PN/DP since V2.8 06/2009
  - IM151-8(incl. F)-PN/DP since V3.2 08/2010
  - IM154-8 PN/DP since V3.2 08/2010
- Details of affected S7-300 PLCs:
Older S7-300 PLCs with an integrated Profinet interface allowed access to internal diagnostic functions. This affects S7-300 Profinet PLCs shipped before October 2009 and IM15x Profinet PLCs shipped before September 2010. We recommend that PLC customers reconfirm that the basic security and defense-in-depth measures are implemented to prevent unauthorized network access. For details see www.siemens.com/industrialsecurity.
- Siemens S7-300 and S7-400 PLCs are used in a wide variety of industrial applications worldwide.
- The potential threat scenarios would require network access to plant controllers.
- When properly applied, Siemens automation products provide a high degree of resilience and security while delivering the flexibility and functionality required. This is realized by implementing a defense-in-depth strategy, including secure production islands. Consult the Operational Guidelines for Industrial Security for further details and for the security services available from Siemens.