Programmable logic controllers (PLCs) aren’t the first device class that leaps to mind when considering popular attack vectors. According to SecurityWeek, however, two new flaws have been discovered in the popular Siemens S7-1500 CPU line of PLCs — one of which earns a high-severity CVSS v3 risk score of 7.5.
Siemens has already taken steps to remedy the issues, but with the Internet of Things (IoT) quickly becoming a high-value target, it’s worth taking a hard look at these new logical gaps.
High-Severity Issues
As noted by the SecurityWeek piece, French security firms Lexfo and Amossys reported the two Siemens flaws — CVE-2016-2200 and CVE-2016-2201 — to the country’s National Agency for Computer Security (ANSSI). They did so after discovering the issues affected all firmware prior to 1.8.3, which fixes the problems. Both exploits required attackers to gain network access; Siemens itself recommended operating the S7-1500 line on trusted networks in any case.
Of the two, CVE-2016-2201 poses the less serious threat: The flaw makes it possible for attackers to reduce the efficiency of a feature designed to guard against relay attacks. Combined with sophisticated relay attacks, this flaw could be devastating, but it is clearly the exception rather than the rule — good to know but hardly an immediate threat.
CVE-2016-2200, meanwhile, is a different animal. By sending specific data packets to port 102/TCP, it’s possible to cause a full device STOP that can only be corrected with a manual RUN command. The result? Potentially devastating denial of service (DoS).
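Two defender-side checks follow directly from the advisory details above: whether a PLC's firmware predates the 1.8.3 fix, and whether anything outside the trusted network is reaching port 102/TCP on a controller. The Python below is an added example written for this article, not code from Siemens, SecurityWeek or the original post; the inventory, the trusted subnet, the log line format (`src=… dst=… dport=… proto=tcp`) and the log lines themselves are constructed sample data, and the log format is an assumption rather than any vendor's real syntax.

```python
"""Added example (not from the article): two checks derived from the advisory
details in the text. Firmware below 1.8.3 is affected, and CVE-2016-2200 is
reached over port 102/TCP, which Siemens advised exposing only on trusted
networks. Inventory, trusted subnet and log lines are constructed sample data;
the log line format is an assumption for the example.
"""
import ipaddress
import re

FIXED_VERSION = (1, 8, 3)   # first firmware version the article says fixes both CVEs
S7_PORT = 102               # port named in the text for the CVE-2016-2200 DoS


def parse_version(text):
    """Turn '1.8.3' into (1, 8, 3) so comparison is numeric, not lexical.
    A plain string compare would rank '1.10.1' below '1.8.3'."""
    return tuple(int(part) for part in text.strip().split("."))


def unpatched(inventory):
    """Return names of PLCs whose firmware is older than the fixed version."""
    return [name for name, version in inventory.items()
            if parse_version(version) < FIXED_VERSION]


# Assumed log layout for the example: key=value fields on one line.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp")


def untrusted_s7_connections(log_lines, trusted_networks):
    """Flag TCP connections to port 102 whose source lies outside the trusted
    networks. Returns (src, dst) pairs so each hit can be tied to a controller."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match or int(match["dport"]) != S7_PORT:
            continue
        src = ipaddress.ip_address(match["src"])
        if not any(src in net for net in nets):
            hits.append((match["src"], match["dst"]))
    return hits


# Constructed sample data (not real devices, addresses or logs).
INVENTORY = {
    "plc-line1": "1.7.0",    # affected
    "plc-line2": "1.8.3",    # fixed
    "plc-line3": "1.10.1",   # fixed; trips up lexical comparison
    "plc-line4": "1.8.2",    # affected
}
TRUSTED = ["10.10.0.0/24"]   # constructed engineering/OT subnet
LOGS = [
    "2016-02-24T10:00:01Z src=10.10.0.5 dst=10.10.0.50 dport=102 proto=tcp action=allow",
    "2016-02-24T10:00:07Z src=192.0.2.44 dst=10.10.0.50 dport=102 proto=tcp action=allow",
    "2016-02-24T10:00:09Z src=192.0.2.44 dst=10.10.0.50 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    print("firmware below 1.8.3:", unpatched(INVENTORY))
    print("port 102/TCP from outside trusted nets:",
          untrusted_s7_connections(LOGS, TRUSTED))
```

The version check is the part most often done wrong in inventory scripts: comparing `"1.10.1" < "1.8.3"` as strings returns True, so a tuple comparison is used instead. The connection check only tells you that port 102/TCP was reached from outside the trusted subnet; it says nothing about what the packets contained, which is exactly why the article's advice to keep the S7-1500 line on trusted networks is the primary control and the firmware update the fix.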
These aren’t the first security flaws for Siemens devices this year. In January, the company released firmware updates for its line of building automation products to combat a cross-site scripting (XSS) vulnerability.
Fundamental Flaw?
So what’s the logical conclusion here? Does Siemens simply make a product that can’t hack it in the industrial IoT market? Hardly. As noted by The Enterprisers Project, the issue is endemic to IoT itself, a fundamental flaw built into the notion of an always-connected network.
Here’s the issue: Many devices now connected to both corporate networks and the Internet at large were never designed to fulfil this function. Instead, they were purpose-built to complete a specific task that didn’t require any type of Internet-facing safeguards.
As a result, industrial control systems (ICS), supervisory control and data acquisition (SCADA) devices and PLCs typically have minimal defences — if any — against determined attackers. That problem is rapidly widening in scope as more Internet-facing devices are deployed and residential users begin adopting similar technology, creating a massive attack surface for cybercriminals.
In fact, residential devices may form the foundation of new attacks on large-scale energy grids. As reported by Wired, a team of researchers discovered it’s possible to hack remote shutoff devices on residential and commercial air conditioners — used to conserve energy during peak periods — and instead turn them on full blast, creating demand that’s impossible for energy producers to meet. That could overload grids and send an entire city into darkness.
Bottom line? There’s a logic to the new attacks on IoT devices: They’re simply not ready to handle advanced threats. Companies like Siemens are doing their best to patch in effective countermeasures after the fact, but changing this paradigm requires more than new firmware. Native IoT security must replace ad hoc defence for companies to completely plug high-severity gaps and bring connected devices up to par with evolving security standards.
Source: https://securityintelligence.com/news/logical-consequences-siemens-plugs-high-severity-plc-gaps/