In 2009, the computer worm Stuxnet crippled hundreds of centrifuges inside Iran’s Natanz uranium enrichment plant by targeting the software running on the facility’s industrial computers, known as programmable logic controllers. The exploited PLCs were made by the automation giant Siemens and were all models from the company’s ubiquitous, long-running SIMATIC S7 product series. Now, more than a decade later, Siemens disclosed today that a vulnerability in its S7-1500 series could be exploited by an attacker to silently install malicious firmware on the devices and take full control of them.
The vulnerability was discovered by researchers at the embedded device security firm Red Balloon Security after they spent more than a year developing a methodology to evaluate the S7-1500’s firmware, which Siemens has encrypted for added protection since 2013. Firmware is the low-level code that coordinates hardware and software on a computer. The vulnerability stems from a basic error in how the cryptography is implemented, but Siemens can’t fix it through a software patch because the scheme is physically burned onto a dedicated ATECC CryptoAuthentication chip. As a result, Siemens says it has no fix planned for any of the 122 S7-1500 PLC models that the company lists as being vulnerable.
Siemens says that because the vulnerability requires physical access to exploit on its own, customers should mitigate the threat by assessing “the risk of physical access to the device in the target deployment” and implementing “measures to make sure that only trusted personnel have access to the physical hardware.” The researchers point out, though, that the vulnerability could potentially be chained with other remote access vulnerabilities on the same network as the vulnerable S7-1500 PLCs to deliver the malicious firmware without in-person contact. The Stuxnet attackers famously used tainted USB thumb drives as a creative vector to introduce their malware into “air-gapped” networks and ultimately infect then-current S7-300 and 400 series PLCs.
“Seimans PLCs are used in very important industrial capacities around the world, many of which are potentially very attractive targets of attacks, as with Stuxnet and the nuclear centrifuges,” says Grant Skipper, a Red Balloon Security research scientist.
The ubiquity and criticality of S7-1500 PLCs are the two traits that motivated the researchers to do a deep dive into the security of the devices. To a motivated and well-resourced attacker, any flaws could be worth exploiting.