Researchers Disclose Vulnerability in Siemens' ICS SoftwarePatch Issued in Light of Concerns Over Stuxnet-Like Attack Against Industrial Systems
Security researchers have uncovered a new vulnerability in a Siemens software platform that helps maintain industrial control systems for large critical infrastructure facilities, such as nuclear power plants. If exploited, an attacker could gain access to these systems for espionage or cause widespread physical damage, researchers at the security firm Tenable warned in a blog published Tuesday.
The vulnerability is in the same Siemens software platform used by the originators of Stuxnet to help spread that malware against Iran's nuclear facilities nearly a decade ago.
Earlier this month, Siemens issued a patch for the vulnerability, dubbed CVE-2019-10915. Joe Bingham, a senior research engineer with Tenable, tells Information Security Media Group that the vulnerability apparently has not been exploited in the wild.
Tenable and Siemens are urging organizations that use this software for industrial control systems to apply the patch as soon as possible.
"We have released an update to TIA Administrator, which fixes a vulnerability reported by the security company Tenable," a Siemens spokesperson says. "We have released a Siemens Security Advisory with remediation information. Siemens recommends to follow and implement the defense-in-depth approach for plant operations and to configure the environment according to Siemens’ operational guidelines for Industrial Security."
The vulnerability affects the Siemens' STEP 7 TIA Portal, widely used design and automation software for industrial control systems, according to Tuesday's blog.
While it would take a good deal of technical skill and know-how to actual exploit this vulnerability, Bingham says that once inside an industrial network, an attacker could jump from system to system and cause extensive damage.
"This vulnerability could be used for cyber espionage, mapping the network, disruption and exfiltrating data," Bingham says. "The flaw not only offers another foothold, but the TIA Portal provides control and automation in production environments, so an attacker would also be able to easily modify [operation technology] system code and logic."
Industrial Control System Woes
Over the last several years, security researchers have begun to focus more on vulnerabilities in operational technologies, such as industrial control systems and supervisory control and data acquisition systems, which assist in maintaining, controlling and securing large-scale facilities, including those used in the transportation, industrial, medical, manufacturing and energy sectors.
Researchers have noticed an uptick by nation-state threat actors attempting to exploit vulnerable systems as part of espionage or disruption campaigns. These types of operations are technically sophisticated and time-consuming, they note.
In 2017, an undisclosed oil and gas firm in Saudi Arabia was hit by malware referred to as either Trisis or Triton, according to security researchers. The malicious code targeted the facility's Triconex Safety Instrumented System controllers, developed by Schneider Electric, which are designed as a safety control for the critical machinery within industrial facilities. Interference with these controllers could cause massive damage to a plant or trigger a complete shutdown, researchers say.
A recent report by security firm Drago tied the malware used against this oil and gas company to a previously unknown group called Xenotime (see: Xenotime Group Sets Sights on Electrical Power Plants).
A Stepping Stone?
If exploited by an attacker, the Siemens portal vulnerability could be used as a stepping stone in a tailored attack against the entire critical infrastructure of a facility, according to Tenable's research.
By exploiting CVE-2019-10915, a remote attacker could bypass HTTP authentication and access all administrator functionality by directly sending WebSocket commands to a server, Tenable says. Once inside the network, the attacker could perform administrative actions within a vulnerable systems, including adding malicious code to adjacent industrial control systems within the facility, Tenable determined.
An attacker could also exploit the vulnerability to harvest data in order to plan other targeted attacks, the Tenable researchers note.
Conventional ways of protecting industrial control systems, such as air-gapped segmented networks or firewalls, might not stop someone from exploiting the vulnerability, Bingham says.
What makes this vulnerability somewhat unusual, Bingham notes, is that it was found in a modern software platform that is patched regularly by Siemens. Many vulnerabilities exploited by attackers are in older, outdated systems that are no longer maintained or haven't been patched in years, he points out.
"The vulnerability isn't specifically found in legacy code; the software is marketed for modern operations and is regularly patched and maintained," Bingham says. "That said, ICS is often riddled with vulnerabilities, which makes it even more critical for ICS vendors to be prompt and proactive when it comes to patching flaws."
Specter of Stuxnet
One of the first, large-scale attacks against industrial systems happened nearly 10 years ago, when the Struxnet malware hit Iran's nuclear facilities, crippling many systems there, including centrifuges.
Security researchers believe that Stuxnet, along with another malicious tool called Duqu, required massive effort and expense to develop. And although it has never been definitively proven, Israel, with possible help from the U.S., is suspected of creating these two cyber weapons to stop Iran's aspirations to become a nuclear arms power (see: Experts Shed New Light on Stuxnet Kin).
In the case of the Stuxnet attack, the malware targeted vulnerable Windows devices first, before jumping to the Siemens' STEP 7 TIA Portal software, where it could then interfere with the centrifuges.
"This [newly discovered] vulnerability is related to Stuxnet because it impacts the same family of Siemens devices," Bingham says.