Industries and utilities using some of Siemens’ programmable logic controllers (PLCs) are being urged to update to the latest firmware after the discovery of a serious vulnerability exposing the units’ hard-coded global private cryptographic key designed to protect devices from being hacked.
The call to take action on the SIMATIC S7-1200, S7-1500 CPUs and the related TIA Portal products comes after researchers at Claroty found they could extract the heavily guarded and hardcoded key, allowing them to bypassing all four of the processors’ access level protections. The key is used for the legacy protection of confidential configuration data and the legacy PG/PC and HMI communications,
“A malicious actor could use this secret information to compromise the entire SIMATIC S7-1200/1500 product line in an irreparable way,” the researchers concluded.
In its advisory Siemens admitted the protection of the keys “cannot be considered sufficient any longer.”
Siemens recommends updating both the affected products as well as the corresponding TIA Portal project to the latest versions. TIA Portal V17 and related CPU firmware versions introduced protection of confidential configuration data based on individual passwords per device and TLS-protected PG/PC and HMI communication, the company said.
Claroty said the introduction of the new TLS management system in TIA Portal v17, ensures that configuration data and communications between Siemens PLCs and engineering workstations is encrypted and confidential.
The vulnerability has been given the number CVE-2022-38465, with a Common Vulnerability Scoring System (CVSS) score of 9.3.
The vulnerability of hard-coded keys has been known for some time. However, in its report Claroty notes that 10 years ago, when the TIA Portal v12 and SIMATIC S7-1200/1500 PLC CPU firmware families were introduced, hardcoded keys had to be used for security. Dynamic key management and distribution did not exist then for industrial control systems, largely because of the operational burden that key management systems would put on integrators and users. Siemens decided at the time instead to rely on fixed cryptographic keys to secure programming and communications between its PLCs and the TIA portal. However, with advances in technology, fixed keys aren’t safe any more.
Claroty researchers used a vulnerability uncovered in previous research (CVE-2020-15782) to bypass native memory protections on the PLC and gain read and write privileges in order to remotely execute code. As a result they were able to extract the internal, heavily guarded private key used across the Siemens product lines. An attacker with knowledge of the PLC’s private key and encryption algorithm could to retrieve the configured password on the PLC. With that they could encrypt and decrypt protected communications and configurations.
Siemens describes the S7-1200 as a modular controller for simple but highly precise automation tasks. For example, a company in the Czech Republic uses an S7-1200 system to control the water, temperature and lighting in hydroponic farms it builds in shipping containers.
It describes the S7-1500 controller family as a system for all aspects of production automation and applications for medium-sized and high-end machines. One customer is a Danish firm that built a solar-powered robot that can sow and weed crops. The centralizing controller is a S7-1500, which collects, checks and stores data from the robot. It communicates with an S7-1200 in the robot through a VPN tunnel based on Ethernet.