Industrial Threat

Landscape Report
April 2018
Protecting your Productivity

www.siemens.com/industrial-security-services
Contents
Meltdown and Spectre .............................................. 4
TRITON/TRISIS ........................................................... 7
News from Industrial Security Services .................... 10
German IT Security Law Comes Into Effect ............. 13
Siemens Security Advisories.................................... 15
Research News ....................................................... 18
Critical Vulnerabilities ............................................. 21

Page 2
Dear Reader,
we are proud to release the second volume of our Industrial Threat Landscape report from
Siemens. In the last six months we have seen many activities in industrial security and have
recognized a growing awareness and commitment to action from Siemens as well as
others.
Our Siemens CEO Joe Kaeser announced in November 2017 that Siemens and the Munich
Security Conference (MSC) will join governmental and business partners, to start a Charter
of Trust. The signatories now include Siemens, MSC, the IT giant IBM, the automaker
Daimler, the insurance company Allianz, the aircraft manufacturer Airbus, the world's
leading inspection, verification, testing and certification company SGS, the telecommuni-
cations company Deutsche Telekom, the semiconductor producer NXP, the energy
companies Enel and AES Corporation and the IT giant Atos.
The Charter contains ten principles that should make the digital world more secure and
also sets three important goals: Protect the data of individuals and companies; prevent
damage to people, companies, and infrastructures; and create a reliable foundation for
instilling trust in a networked, digital world.
The second principle addresses the responsibility throughout the digital supply chain.
It states that companies must offer updates, upgrades and patches throughout
a reasonable lifecycle for their products, systems and services via a secure update
Dr. Henning Rudolf
mechanism. Head of Industrial Security Services
Discrete and Process Industries
Talking to our customers we realized that offering these updates is crucial, yet by far not
enough. Owners and operators of automation equipment today are overwhelmed by all
the information they are exposed to on different vendors’ websites about vulnerabilities.
Customers ask:
 How can I stay on top of all these announcements?
 How do I know which of these are relevant to me?
 How can I track and organize the closing of vulnerabilities
in my products and infrastructure?
We as Siemens have been exposed to these challenges ourselves for years and developed
in our leading CERT teams a database monitoring more than 30.000 components and even
more vulnerabilities. This database includes Siemens products as well as products used
in Siemens infrastructure. The concept includes the ability to add specific components,
given that their vendors report on detected vulnerabilities.
Based on the idea that “we use what we sell”, Siemens is proud to offer you what has been
working for us for years. This service is brought to you via a MindApp based on MindSphere
the cloud-based, open IoT operating system from Siemens.
In this edition we share with you latest updates on vulnerabilities and news from leading
cybersecurity conferences. We thank you for the feedback that helps us to continuously
improve and adapt our content to your needs.
With best regards,
Dr. Henning Rudolf
Head of Industrial Security Services
Discrete and Process Industries

Page 3
Meltdown and Spectre
Security vulnerabilities at the heart of CPU hardware
Background Siemens Assessment
In the beginning of January 2018 researchers and Response
published their research [1] on security
Vendors of affected processors, operating
vulnerabilities at the core of modern CPUs.
systems and other software, e.g. Internet
The vulnerabilities (CVE-2017-5715 [2], CVE-
Browsers, are either working on updates
2017-5753 [3], and CVE-2017-5754 [4])
which help mitigate Meltdown and Spectre
were dubbed Meltdown and Spectre and
or have already released such updates.
affect a number of microprocessors from
vendors such as Intel [5], AMD [6] and ARM To support Siemens customers in maintain-
[7]. By exploiting either Meltdown or ing their risk exposure, Siemens has
Spectre, programs can read data from published a Security Bulletin [8] that reflects
memory areas they are typically not the current state of analysis and provides
permitted to read data from. The leaked data recommendations for operators of Siemens
might include passwords, emails, business- products. Furthermore, Siemens has
critical documents, or data from kernel published Security Advisory SSA-168644 [9]
memory areas. A prerequisite for exploiting which lists affected Industrial Products and
Meltdown or Spectre is that an attacker must provides specific mitigations.
be able to run code on the affected system.
As a general guidance, Siemens recommends
In cloud environments exploitation could be
that customers evaluate the following:
across guest VMs, guest to hypervisor and
vice versa.  Determine if vendors of the processors,
operating systems and other software
Meltdown used on the computer systems have
released mitigations for these
Meltdown is a security vulnerability in the
vulnerabilities.
out-of-order execution of many modern
 As a pre-requisite for an attack, an
processors and could affect Desktop and
attacker must be able to run untrusted
Cloud computers as well as embedded
code on affected systems. Therefore,
devices. Until now only Intel processors,
Siemens recommends determining if it is
some ARM processors and IBM Power
possible that untrusted code can be run
processors are known to be affected by
on these systems, or if existing measures
Meltdown. Out-of-order execution allows
implemented by the operator reduce the
processors to execute instructions in advance
likelihood of untrusted code being run.
of their order. This could allow a privileged
 Applying a Defense-in-Depth concept [10]
command to be executed with the results
can help to reduce the probability that
stored inside the L1 cache before the
untrusted code is run on the system.
permissions to execute the command are
Siemens recommends to apply the
checked. When the exception is raised for the
Defense-in-Depth concept. Contact
insufficient permissions, the privileged
Siemens Industrial Security Services for
command execution is rolled back, but via a
more information on how Defense in
side-channel attack, data from the uncleared
Depth applies to your systems:
L1 cache can be stolen.
[email protected].
 Consult Siemens’ product support
Spectre documentation, or contact Siemens’
Spectre describes security vulnerabilities customer service to determine if
in the branch prediction of many modern information on the compatibility of the
processors and could affect Smartphones, updates provided by the vendors is
Desktop and Cloud computers as well as available before applying the updates.
embedded devices. From a high level
Siemens Corporate Technology (Siemens
perspective, the speculative execution
CERT & Siemens ProductCERT) is continuously
resulting from branch prediction executes
monitoring the threat landscape via
code from the likely taken branch but
a number of different threat intelligence
continues to work with the results of the
sources to be immediately alerted about any
execution only after the branch condition
cyberattacks that leverage the Meltdown
was met. The results are discarded if the
or Spectre vulnerabilities. At the current state
wrong branch was predicted, but results may
of knowledge, malware samples have been
still reside in processor cache and could be
stolen via a side-channel attack.

Page 5
identified that are in the testing phase but no
exploitation in the wild is known.
Outlook
Spectre and Meltdown are security
vulnerabilities that are at the very core of any
modern computer and affect a huge number
of users. Fixing required a lot of effort among
many parties: chipset vendors, OEMs,
operating system vendors, etc. and can
decrease microprocessor performance up to
30 percent. Siemens industrial products’
performance could also be impacted by up to
20 percent, depending on the processor
generation, the complexity of the user
program, the number of HMI images, and the
operating system. This exemplifies the
tremendous impact hardware vulnerabilities
might have and what one has to expect if
another vulnerability of this category is
identified.
In the past months, a number of reports have
been published on security issues which
affect chipsets, such as CVE-2017-15361
[11], CVE-2017-5689 [12] or default
passwords [13]. Extrapolating the
development to the future, one may expect
that researchers will continue to look into
chipsets as well as their remote management
functionality and find additional security
vulnerabilities. Even though finding security
vulnerabilities and receiving a fix for those
is a good thing, operators may consider
reserving resources for mitigating such
vulnerabilities in their planning.
References
[1] https://spectreattack.com/,
https://meltdownattack.com/
[2] http://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2017-5715
[3] http://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2017-5753
[4] http://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2017-5754
[5]https://security-
center.intel.com/advisory.aspx?intelid=INTEL-
SA-00088&languageid=en-fr
[6]
https://developer.arm.com/support/security-
update
[7]
https://www.amd.com/en/corporate/speculati
ve-execution
[8] https://cert-
portal.siemens.com/productcert/pdf/ssb-
068644.pdf
[9] https://cert-
portal.siemens.com/productcert/pdf/ssa-
168644.pdf
[10]
https://www.siemens.com/cert/operational-
guidelines-industrial-security
[11] https://acmccs.github.io/papers/p1631-
nemecA.pdf
[12] https://security-
center.intel.com/advisory.aspx?intelid=INTEL-
SA-00075&languageid=en-fr
[13] https://press.f-
secure.com/2018/01/12/intel-amt-security-
issue-lets-attackers-bypass-login-credentials-
in-corporate-laptops/
Page 6
TRITON/TRISIS
Background a dangerous evolution within ICS computer
network attacks [1]. Potential impacts
In mid-November 2017, a highly targeted
include equipment damage, system
malware surfaced, reported as TRISIS or
downtime, and potentially loss of life. This
TRITON by various security firms and news
incident also shows that preventive security
outlets [1, 2, 3]. It targeted Schneider
controls such as traditional demilitarized
Electric’s Triconex safety instrumented
zones, heavy network segregation and
system (SIS) deployed at a critical
multiple firewalls are not always sufficient
infrastructure facility in the Middle East.
to protect essentially defenseless machines
TRITON could prevent safety mechanisms
that make up ICS networks [5]. Hence, the
from executing their intended function,
industry has to take a step back and reassess
resulting in a physical consequence. There
the efforts put into detecting and correcting
has been no concrete evidence to attribute
security controls.
TRITON to a threat actor or to what was the
attacker intent. Schneider released a security TRITON/TRISIS –
bulletin [4], with their research, detection
and mitigation. In Search of its Twin [2]
If we consider the normal architecture of an
Incident Summary [3] Industrial Control System (ICS), a Distributed
Control System (DCS) offers far more attack
The attacker gained remote access to a SIS
options to accomplish a controlled shutdown
engineering workstation and deployed the
of a process. This would hint towards the
TRITON attack framework to reprogram the
idea that the "power over the safety
SIS controllers. During the incident, some SIS
controller" was likely to be used to deny
controllers entered a “fail-safe” state, which
a safe shutdown. Due to that, researchers
automatically shut down the industrial
from SANS [2] raise the question: Where is
process and prompted the asset owner to
Triton/TRISIS' DCS-focused twin? With this
initiate an investigation. The investigation
question their article speculates whether the
found that the SIS controllers initiated a safe
Triton/TRISIS malware has a not yet identified
shutdown when application code between
counterpart designed to attack the DCS.
redundant processing units failed a validation
Furthermore, according to SANS it could be
check.
possible that the targeted facility was merely
a test and development environment for
Deeper-look into TRITON/TRISIS Triton/TRISIS.
TRITON/TRISIS is a compiled Python script
The ICS community should be on watch for a
using the publicly-available ‘py2exe’
sister capability that takes control of a DCS to
compiler. This allows TRISIS to execute in an
drive a process into unsafe conditions. The
environment without Python installed
combination of Triton/TRISIS and Capability-X
natively [1]. Once the malware was on the
would allow an attacker to drive a process
controller, it injected the RAT (Remote Access
into a hazardous state and achieve effects
Trojan) into memory by exploiting a zero-day
that range from equipment damage to
vulnerability in the firmware, and escalating
release of materials/chemicals used in the
its privileges [4]. TRITON implements the
process.
TriStation protocol, which is the protocol
used by the legitimate TriStation application, Security experts believe that the opportunity
to configure controllers. This strengthens the (found access to a Schneider Electric
idea that the attacker had extensive Triconex) was motivation enough to invest
resources, time and money, as TriStation the resources and time necessary to develop
is a propriety algorithm and would require a one-off capability for process disruption.
reverse engineering efforts to understand Access to the Triconex at the facility would
and implement it. indicate that the attacker could develop
greater access to the DCS and other systems.
Implications
TRISIS represents, in several ways, “game-
changing” impact for the defense of ICS
networks. While previously identified in
theoretical attack scenarios, targeting SIS
equipment specifically represents

Page 8
Conclusion
TRISIS/TRICON deployment requires that an
attacker has acquired access to the ICS
network. But we need to look at how the
infection reached a network where there
should be no external access. It’s time to
rethink our policies regarding how to manage
devices used in ICS environments.
Additionally, the capability, methodology,
and tradecraft used in this very specific event
may now be replicated by other adversaries
and thus represents an addition to industrial
asset owner and operators’ threat models.
TRISIS is highly targeted and likely does not
pose an immediate threat but this could very
well be weaponized by the attackers.
Finally, there has been a lot of speculation
regarding the real attacker intent. This leads
to questions such as could there be a DCS
counterpart that is the target of a future
attack? Could TRITON be used to switch off
the safety system hence preventing safe
shutdown in case of such an attack? This
would have unimaginable destructive
consequences. Hence, looking at enhancing
security for safety systems, such as isolating
communication interfaces into separate
zones, should be the way forward for the ICS
community.
References
[1] Dragos report (Meat of the report)
https://dragos.com/blog/trisis/TRISIS-01.pdf
[2] SANS extra angle
https://ics.sans.org/blog/2018/01/29/tritontris
is-in-search-of-its-twin
[3] FireEye
https://www.fireeye.com/blog/threat-
research/2017/12/attackers-deploy-new-ics-
attack-framework-triton.html
[4] https://www.schneider-
electric.com/en/download/document/SEVD-
2017-347-01/
[5] https://www.darktrace.com/blog/the-
implications-of-triton-for-the-future-of-ics-
security/
[6]
http://securityaffairs.co/wordpress/66733/mal
ware/triton-malware.html
[7]
https://www.darkreading.com/vulnerabilities-
--threats/schneider-electric-triton-trisis-
attack-used-0-day-flaw-in-its-safety-
controller-system-and-a-rat/d/d-id/1330845
[8]https://www.reuters.com/article/us-cyber-
infrastructure-attack/hackers-halt-plant-
operations-in-watershed-cyber-attack-
idUSKBN1E8271
Page 9
News from
Industrial Security Services
Industrial Security Services –
Protecting Productivity
www.siemens.com/industrial-security-
services
Your productivity and safety depend on the
availability of your automation equipment.
Do not allow a security event to affect your
operations. Production processes are
sensitive and vulnerable to shut down
from intentional or accidental changes
in configuration. This means they require
a very high level of protection. Industrial
Security Services detect threats and security
gaps in real time, analyze weaknesses, and
immediately initiate countermeasures. The
offerings include comprehensive consulting
(Assess Security), technical implementation
(Implement Security), and monitoring of the
security status as well as continuous updates
to the measures implemented in accordance
with the constantly changing threats
(Manage Security). Below are highlights
of recent expansions to our portfolio
of services.
Industrial Security Assessment
Siemens has a complete portfolio of risk
assessments available to analyze the security
status of your production environment.
The Assess portfolio items address a range
of needs from a quick check-up, to a
thorough analysis, or a deep risk and
vulnerability assessment - including data
collection from the shop floor.
The Industrial Security Assessment is
designed to address customers that want
a quick first overview about the current
security status of their sites without a deep
time investment. The process consists of
a one-day on-site analysis coordinated by
a security consultant to identify and classify
your security gaps, providing you a compact
report containing recommendations for risk
mitigation measures.
An approach built on Siemens expert
knowledge in automation systems and
aligned to the best known international
security standards - IEC 62443, ISO 27001.
This assessment was developed using the
experience gained through implementing
security programs at many types of industrial
facilities around the world. It is available for
both Siemens and third-party systems.
Page 11

Automation Firewall – NG
With Automation Firewall – NG the next level
of protection is available for your production
networks. Approved for use with Siemens
PCS7 systems and based on the leading edge
Palo Alto Networks Next-Generation Firewall
Appliances – Gartner Magic Quadrant
Firewall leader for 6 years in a row!
Automation Firewall – NG brings deep packet
inspection and machine learning into your
industrial networks providing protection
against both known and unknown threats.
The High-Availability (HA) deployment is also
supported to prevent a single point of failure
on your network. Setting up two firewalls in
an HA pair provides redundancy and allows
you to ensure secure production availability.
Security Vulnerability
Information
Every day, new security vulnerabilities are
reported. Currently manufacturers and
operators of automation technology employ
a multitude of different software
components and struggle to identify if their
manufactured or used automation products
are affected.
To stay on top of the ever-changing threat
landscape, a system must be in place to keep
informed about vulnerability announcements
affecting your products and the associated
patches to correct them. To handle this
challenging task, Siemens brings you the
Security Vulnerability Information (SVI)
application. The SVI app is a cloud service
[email protected]
providing automatic generation of digital
Security Bulletins related to vulnerabilities
affecting your customized list of ICS
components.
The Security Bulletin contains information
such as the real-time status of the patches on
the users system, CVSS score and a link to the
vendor web-site. The security advisories
cover the vulnerabilities affecting 3 rd party
components, Open Source Software (OSS),
Commercial Off the Shelf Software (COTS),
hardware devices as well as Siemens
proprietary products. More than 30,000
components are currently in the database
and it is constantly growing.
Industrial Anomaly Detection
With the “Industrial Anomaly Detection”
offering, a new state of the art security tool
for shop floor environments is available from
Siemens. The process begins with an auto-
mated Asset Identification and Inventory
phase, followed by establishment of
the expected pattern (or baseline)
of communication within your industrial
networks. The tool then displays
a transparent overview of your monitored
systems and automatically identifies
abnormal events. This provides fast
identification of changes to your system that
may pose a security risk or impact availability.
The Industrial Anomaly Detection is based
on Siemens Microboxes (IPC 427E) with
corresponding preinstalled software. After an
initial commissioning the component can be
locally configured and administered
by WebGUI. It is a machine learning system,
so the detection rate will be enhanced
over time.
Contact Us!
To speak directly with the experts
of Siemens Industrial Security Services
email us at:
Page 12
German IT Security Law
Comes Into Effect
How it affects you
German IT Security Law
Comes Into Effect
In conjunction with the European Union’s
efforts to establish a common ground for
cyber security in Europe, the German
legislative bodies passed the BSI law in 2009.
In July 2015 the IT-Security bill
(IT-Sicherheitsgesetz) [1] introduced changes
to the BSI law (BSIG) that describe the duties
of both the BSI and operators of critical
infrastructures. Who the latter are and how
they are identified is not detailed in the bill,
but is detailed in subsequent ordinances.

The Ordinance Drives the

Timeline
The effective date of the duties to be
performed by operators of critical
infrastructures depends on the ordinance in
which the specific sector was included.
The 7 regulated sectors out of the 9 KRITIS
sectors have been split in two batches. The
first ordinance came into effect on May 3,
2016 and covered energy, water, food and
information technology. The update came
into effect on June 29, 2017 adding financial
services, healthcare and transport to the list
of sectors. The general rule of 500,000
affected citizens for an installation
to become a critical service is converted into
concrete metrics applicable to the different
sectors in said ordinance.
Duties of Critical Infrastructure
Operators
Entities operating an installation deemed
a critical infrastructure have to fulfil specific
requirements as mandated by the German
Cybersecurity Law:
 Establish a contact point available
at all times (6 months after ordinance)
 Receive notifications from the BSI
 Notify the BSI about
cyber security incidents
 Implement and audit sector specific
state-of-the-art cyber security level
(2 years after ordinance,
every 2 years thereafter)
Timeline for Implementation
Since December 29, 2017 the second batch
of sectors now must establish the contact
point within their organization. All operators
of critical infrastructures in Germany are now
on-boarded with the BSI’s notification
system.
The next upcoming deadline is May 3, 2018
when operators from the first batch need
to have implemented their state-of-the-art
security level. The first published sector-
specific security standard is for water and
wastewater industries. It has been cleared
by the BSI until June 2019 and details can
be found at [2] and [3]. More standards have
been submitted by syndicates and are
currently under review. The list is available
on the BSI web page [4].
References
[1]
https://www.bsi.bund.de/DE/Themen/Industri
e_KRITIS/IT-SiG/it_sig_node.html
[2]
https://www.dvgw.de/english-
pages/topics/safety-and-security/cyber-
security/
[3] https://en.dwa.de/en/
[4]
https://www.bsi.bund.de/DE/Themen/Industri
e_KRITIS/KRITIS/IT-
SiG/Was_tun/Stand_der_Technik/B3S_BAKs/B3
S_BAKs_node.html

Page 14
Siemens Security Advisories
Siemens ProductCERT
Siemens ProductCERT is the central team
for responding to potential security issues
related to Siemens products, solutions and
services and is therefore responsible for
publishing Siemens Security Advisories and
thus also the point of contact for all inquiries
regarding security issues within Siemens
products.
New Advisories
Within the last quarter, Siemens ProductCERT
has released fifteen Security Advisories
addressing vulnerabilities within Siemens
products. Below the security advisories for
Siemens Industrial product customers are
described.
A Siemens Security Advisory (SSA-168644)
as well as Siemens Security Bulletin (SSB-
068444) was released with information on
Meltdown and Spectre and recommendations
to customers.
SSA-592007 discusses a security vulnerability
that could allow an attacker to cause a
Denial-of-Service condition via PROFINET DCP
network packets.
The latest update for TIM 1531 IRC fixes
a security vulnerability that could allow
unauthorized remote attackers to perform
administrative operations on the device (SSA-
110922).
Several SIMATIC IPCs include a version
of Infineon’s Trusted Platform Module (TPM)
firmware that mishandles RSA key
generation. This makes it easier for attackers
to conduct cryptographic attacks against the
key material (SSA-470231).
SSA-348629 discusses a Denial-of-Service
vulnerability via RPC messages that has been
identified in SIMATIC PCS 7, SIMATIC WinCC,
SIMATIC WinCC Runtime Professional and
SIMATIC NET PC-Software.
Intel has identified vulnerabilities in Intel
Management Engine (ME), Intel Server
Platform Services (SPS), and Intel Trusted
Execution Engine (TXE). As several Siemens
Industrial PCs use Intel technology, they are
also affected (SSA-892715).
The latest update for TeleControl Server Basic
resolves three vulnerabilities. One of these
vulnerabilities could allow an authenticated
attacker with network access to escalate his
privileges and perform administrative actions
(SSA-651454).
SSA-284673 has been released as a follow-up
to the security advisory SSA-293562
to address the vulnerability that could allow
an attacker to cause a Denial-of-Service
condition via PROFINET DCP network packets
under certain circumstances for additional
industrial devices. PROFIBUS interfaces are
not affected.
The latest update for the Android app and
iOS app SIMATIC WinCC OA UI fix a security
vulnerability which could allow read and
write access from one HMI project cache
folder to other HMI project cache folders
within the app’s sandbox on the same mobile
device (SSA-822928).
Multiple SIMATIC WinCC Add-Ons released in
2015 and earlier include a vulnerable version
of Gemalto Sentinel LDK RTE. Gemalto
Sentinel LDK RTE is affected by a vulnerability
that could allow remote code execution.
Siemens recommends to update the affected
software component Gemalto Sentinel LDK
RTE (SSA-127490).
A list of recently released relevant advisories
and bulletins can be found here:
 SSA-727467: Vulnerabilities in Building
Technologies Products
(Last Update: 2018-03-28)
 SSA-110922: Web Vulnerability in TIM
1531 IRC (Last Update: 2018-03-27)
 SSA-592007: Denial-of-Service
Vulnerability in Industrial Products
(Last Update: 2018-03-27)
 SSA-348629: Denial-of-Service
Vulnerability in SIMATIC PCS 7, SIMATIC
WinCC, SIMATIC WinCC Runtime
Professional and SIMATIC NET PC
Software (Last Update: 2018-03-27)
 SSA-822928: Access Control Vulnerability
in SIMATIC WinCC OA UI Mobile App for
Android and iOS
(Last Update: 2018-03-20)
 SSA-168644: Spectre and Meltdown
Vulnerabilities in Industrial Products
(Last Update: 2018-03-20)
 SSA-824231: Unauthenticated Firmware
Upload Vulnerability in Desigo PX
Controllers (Last Update: 2018-03-20)
 SSA-470231: TPM Vulnerability in
SIMATIC IPCs (Last Update: 2018-03-15)
 SSA-203306: Password Vulnerabilities in
SIPROTEC 4 and SIPROTEC Compact Relay
Families (Last Update: 2018-03-08)
 SSA-845879: Firmware Downgrade
Vulnerability in EN100 Ethernet
Communication Module for SIPROTEC 4,
Page 16
 SIPROTEC Compact and Reyrolle
(Last Update: 2018-03-08)
 SSA-892715: ME, SPS and TXE
Vulnerabilities in SIMATIC IPCs
(Last Update: 2018-02-22)
 SSA-127490: Vulnerabilities in SIMATIC
WinCC Add-Ons
(Last Update: 2018-02-22)
 SSA-651454: Vulnerabilities in
TeleControl Server Basic
(Last Update: 2018-01-25)
 SSA-284673: Vulnerability in Industrial
Products (Last Update: 2018-01-18)
 SSB-068444: General Customer
Information for Spectre and Meltdown
(Last Update: 2018-01-15)
Updated Advisories
Within the last quarter Siemens ProductCERT
updated ten Security Advisories which could
be of relevance for Siemens Industrial
customers.
Two vulnerabilities have been identified
in SIMATIC S7-300 and S7-400 CPU families.
One vulnerability could lead to a Denial-of-
Service, the other vulnerability could result
in credential disclosure (SSA-731239).
Multiple vulnerabilities affecting WPA/WPA2
implementations were identified by a
researcher and publicly disclosed under the
term "Key Reinstallation Attacks" (KRACK).
These vulnerabilities could potentially allow
an attacker within the radio range of the
wireless network to decrypt, replay or inject
forged network packets into the wireless
communication (SSA-901333).
The latest updates for RUGGEDCOM ROS
based devices and some SCALANCE X switch
models fix a security vulnerability that could
allow unauthenticated remote users to
perform administrative operations on the
devices as the RUGGEDCOM RCDP protocol
was not properly configured after
commissioning (SSA-856721).
Several industrial devices are affected by two
vulnerabilities that could allow an attacker
to cause a Denial-of-Service condition via
PROFINET DCP network packets under certain
circumstances. Precondition for this scenario
is a direct Layer 2 access to the affected
products. PROFIBUS interfaces are not
affected (SSA-275839 and SSA-293562).
SSA-346262 discusses a a vulnerability that
could allow remote attackers to conduct
a Denial-of-Service (DoS) attack by sending
specially crafted packets to port 161/udp
(SNMP).
SSA-701708: In non-default configurations
several industrial products are affected by a
vulnerability that could allow local Microsoft
Windows operating system users to escalate
their privileges.
Siemens ProductCERT updated the following
list of advisories.
 SSA-323211: Vulnerabilities in SIPROTEC
4 and SIPROTEC Compact Devices
(Last Update: 2018-03-15)
 SSA-293562: Vulnerabilities in Industrial
Products (Last Update: 2018-03-06)
 SSA-856721: Vulnerability in Ruggedcom
Discovery Protocol (RCDP) of Industrial
Communication Devices
(Last Update: 2018-02-22)
 SSA-346262: Denial-of-Service in
Industrial Products
(Last Update: 2018-02-22)
 SSA-275839: Denial-of-Service
Vulnerability in Industrial Products
(Last Update: 2018-02-22)
 SSA-701903: SMBv1 Vulnerabilities in
Ultrasound Products from Siemens
Healthineers (Last Update: 2018-02-22)
 SSA-901333: KRACK Attacks
Vulnerabilities in Industrial Products
(Last Update: 2018-01-24)
 SSA-731239: Vulnerabilities in SIMATIC
S7-300 and S7-400 CPUs
(Last Update: 2018-01-24)
 SSA-701708: Local Privilege Escalation in
Industrial Products
(Last Update: 2018-01-18)
Stay up to Date
At the following website, Siemens security
advisories and bulletins issued by
ProductCERT are listed and constantly
updated:
http://www.siemens.com/cert/advisories
To receive a customized overview on
the advisories applicable for you and
patching status use the Siemens
Security Vulnerability Information App:
https://support.industry.siemens.com/cs/d
ocument/109755211/sales-and-delivery-
release-of-mindapp-security-vulnerability-
information-v1-0?dti=0&lc=en-WW
If you would like to report a vulnerability or
security issues relating to Siemens products,
solutions or services, please contact:
[email protected]
Page 17
Research News
Conferences and Proceedings
Siemens ProductCERT and CustomerCERT
experts attend conferences relevant for the
security of products, solutions and services
for Siemens and its customers.
In the following sections, we will give a brief
overview of relevant talks and research
results.
34c3 – 34th Chaos
Communication Congress
End of December the 34c3 [1] took place in
Leipzig, Germany and we want to give
a short summary of the talks that Siemens
identified as of importance for its customers
from the industrial automation field.
Mathias Dalheimer from the Fraunhofer
Institute analyzed one instance of charging
infrastructure for electrical cars in Germany
and discussed two problems in his talk.
The first weaknesses are with the payment
infrastructure that is based on encoded card
numbers on the NFC chip of a charging card.
This would be the equivalent to credit cards
without expiry date and security code. The
second weaknesses are with the devices. The
devices seemed to use unencrypted HTTP for
transmitting payment information and would
store configuration files including passwords
on inserted USB sticks.
Independent security researcher Thomas
Roth did a talk “SCADA – Gateway to (s)hell”
and covered a number of topics. Thomas
claims that much security research has been
done on PLCs, and vendors of PLCs
introduced security into their new PLCs.
The new area of research is IP Gateways (i.e.
Serial-to-Ethernet) which connect devices
that should never be on the Network to
Ethernet. He found a number of security
vulnerabilities in devices from various
manufacturers (except Siemens).
Digitalbond’s S4x18 Industrial
Security Conference
Beginning of January Dale Peterson opened
the doors for his annual Industrial Security
Conference S4x18 [2] in Miami, USA.
Fireeye, Schneider Electric, and Dragos did
consecutive presentations on TRITON/TRISIS
and covered general information, technical
details as well as some reverse engineering
results. Digitalbond has released the
recordings of these talks [3-5]. Claroty,
Nozomi, Security Matters and Gravwell took
with their solutions part in an ICS Detection
Challenge. The participants received a PCAP
of more than 3GB comprising data from 15
different sites.
The PCAP was anonymized and represented
an Oil and Gas company. The results were
close, as each competitor was better in some
areas than the others. Nonetheless, Claroty
came out on top, winning by just a few
points.
Page 19
After two other conferences David Atch from References
CyberX did again his talk on exfiltrating
[1]
reconnaissance data from air-gapped ICS
https://events.ccc.de/congress/2017/Fahrplan
networks by injection ladder logic into PLCs.
/
The researcher accomplished the exfiltration
by generating radio emissions via ladder [2] https://s4x18.com/agenda/
logic. This covert channel requires access
[3]TRITON Mandiant Analysis
to the device prior to exfiltration. David used
https://www.youtube.com/watch?v=nAU8X0
a SIMATIC S7-1200 for his proof of concept.
3Eg9c
However, this is not a product vulnerability
and could be achieved with other devices as [4] TRITON Schneider Electric Disclosure
well. https://www.youtube.com/watch?v=f09E75b
Wvkk
William Middleton from Siemens presented
an approach to secure, maintain and [5] TRITON Dragos Reverse Engineering
automate their ICS Testlab which includes https://www.youtube.com/watch?v=m51Jrxd
equipment from various customers at the vEV8
same time.
Ang Cui from Red Balloon Security presented
a semi-automated approach to automatically
detect n-day vulnerabilities in firmware,
automatically generate an exploit for the
specific device and in the end to
automatically fix it. Their research and
solution is currently being tested by DHS.
David Smith from Schneider Electric gave
a quick update on the progress of the Secure
Modbus specification. According to him,
they are making good progress and initial
documents will be published soon.

Observed and Derived Trends

from the Conferences Attended
Last Quarter
 IT-Security (concepts, protocols,
and vulnerabilities) in the context
of “Internet of Things” and inter-
connected devices receives more
attention
 Hardware hacking becomes a significant
step and part of reverse engineering
firmware and devices
 Anomaly Detection for Asset
Discovery/Enumeration and Attack
Detection/Investigation remains a hot
topic that continues to gain momentum
 People are beginning to realize that
efforts should not only be put into attack
prevention but also into attack detection
and correction

Page 20
Critical Vulnerabilities
within common
Third-Party Components
The last Quarter in Review
Siemens is constantly monitoring
vulnerabilities of 30,000+ components that
are used not only within its own products but
also within important parts of customer
plants.
During the first quarter of 2018, Siemens has
notified customers of the Industrial Security
Services about 234 critical vulnerabilities
within components that it, or its customers,
are using. The most important vulnerabilities
are summarized below to help you
understand which components you should
check on your own systems or within your
own products and solutions.
Tip: You can now streamline the vulnerability
handling process. Receive the vulnerability
notifications and link to vendor patches
directly to your personalized online
dashboard – customized for your specific
component list – via the Security
Vulnerability Information (SVI) app from
Siemens.
Gemalto HASP SRM
Multiple vulnerabilities were identified in the
hasplms service that is a part of Gemalto’s
HASP SRM, Sentinel HASP and Sentinel LDK
products: denial of service, NTLM-relay
attack, remotely enabling web admin
interface, arbitrary memory read and remote
code execution. Vulnerable products are
commonly used for licenses control and
management among various business
sectors: industrial control systems, financial
institutions, banking solutions etc.
https://ics-
cert.kaspersky.com/alerts/2017/07/28/multipl
e-vulnerabilities-found-in-popular-license-
manager/
https://ics-
cert.kaspersky.com/alerts/2017/10/03/several
-more-vulnerabilities-found-and-closed-in-
popular-license-manager/
Cisco
A vulnerability in the XML parser of Cisco
Adaptive Security Appliance (ASA) Software
could allow an unauthenticated, remote
attacker to cause a reload of the affected
system or to remotely execute code. An
attacker could exploit this vulnerability by
sending a crafted XML packet to a vulnerable
interface on an affected system. An exploit
could allow the attacker to execute arbitrary
code and obtain full control of the system.
https://tools.cisco.com/security/center/conten
t/CiscoSecurityAdvisory/cisco-sa-20180129-
asa1
BlueBorne
Known under the collective name of
"BlueBorne", a number of vulnerabilities
affecting various Bluetooth stacks can be
combined to leverage Bluetooth connections
to leak information or take over affected
devices. Platforms were affected to different
degrees: on most Linux and Android devices
remote code execution could be achieved,
the Windows implementation of the
Bluetooth stack was vulnerable to man-in-
the-middle attacks, iOS devices where only
affected if running older versions of the
operating system.
https://www.armis.com/blueborne/
Spectre and Meltdown
Although described in detail at the beginning
of this document, both Spectre and
Meltdown deserve their place in this section
of critical vulnerabilities in common
third-party components.
https://meltdownattack.com/
Page 22
KRACK Intel Active Management
By exploiting various flaws in the WPA2 Technology Default Credential
handshake protocol, a rogue access point
The Intel AMT is a solution to allow full
which mimics a legitimate one could
remote maintenance access to a system. It is
intercept and replay a specific frame in order
protected with its own password that should
to cause clients to re-use the same
be changed by the system’s manufacturer
encryption keys over and over again (hence
according to Intel’s recommendations, but
the name, Key Reinstallation AttaCK),
often defaults to “admin”. Thus, an attacker
effectively weakening (and in some instances
with physical access can press CTRL-P during
completely breaking) the WPA2 encryption.
boot, access the Intel Management Engine
If the content transmitted over the Wi-Fi
BIOS Extension (MEBX) menu, log in, change
network is unencrypted (e.g. HTTP traffic)
the password and enable remote
this could leak sensitive information. While
management features, subsequently
the vulnerabilities are not strictly critical,
obtaining remote access to the system. Intel
the fact that they reside in the protocol itself
recommends setting the default password
– and are therefore not bound to a specific
and provisioning Intel AMT on capable
implementation – resulted in a wide number
platforms.
of affected devices.
https://press.f-secure.com/2018/01/12/intel-
https://www.krackattacks.com/
amt-security-issue-lets-attackers-bypass-
login-credentials-in-corporate-laptops/
https://www.intel.com/content/dam/support/
us/en/documents/technologies/Intel_AMT_Se
curity_Best_Practices_QA.pdf

Page 23
Siemens Aktiengesellschaft
Digital Factory
Postfach 48 48
90026 Nürnberg
Deutschland
Subject to change without prior notice

Printed in Germany
© Siemens AG 2018

The information provided in this brochure contains merely general descriptions or

characteristics of performance which in case of actual use do not always apply as described or
which may change as a result of further development of the products. An obligation to provide
the respective characteristics shall only exist if expressly agreed in the terms of contract.
All product designations may be trademarks or product names of Siemens AG or supplier
companies whose use by third parties for their own purposes could violate the rights of the
owners. Siemens provides products and solutions with industrial security functions that
support the secure operation of plants, systems, machines and networks. In order to protect
plants, systems, machines and networks against cyber threats, it is necessary to implement –
and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’
products and solutions only form one element of such a concept.
The customer is responsible to prevent unauthorized access to its plants, systems, machines
and networks. Systems, machines and components should only be connected to the enterprise
network or the internet if and to the extent necessary and with appropriate security measures
(e.g. use of firewalls and network segmentation) in place.
Additionally, Siemens’ guidance on appropriate security measures should be taken into
account. For more information about industrial security, please visit:
http://www.siemens.com/industrialsecurity
Siemens’ products and solutions undergo continuous development to make them more secure.
Siemens strongly recommends to apply product updates as soon as available and to always use
the latest product versions. Use of product versions that are no longer supported, and failure
to apply latest updates may increase customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security
RSS Feed:
http://www.siemens.com/industrialsecurity.