This post was updated on March 3, 2020.
On August 13, 2019, the Siemens CERT Team, in collaboration with Nozomi Networks Labs, issued an Advisory concerning a vulnerability in Siemens SCALANCE switch devices.
The Siemens CERT Advisory (SSA-100232) describes the vulnerability and indicates that successful exploitation could allow a remote attacker to put an affected SCALANCE XF-series switch into fault mode and force a reboot, rendering the device unavailable. A second consequence follows directly from the first: while the switch is down, the network segment it serves loses connectivity, so the impact extends from the device itself to the communication it is responsible for.
Nozomi Networks Labs responsibly disclosed the security issue to Siemens CERT and CISA. This effort is part of ongoing research conducted by Nozomi Networks Labs to test common devices for vulnerabilities. For example, the Labs team recently presented its research on securing intelligent electronic devices (IEDs) using the IEC 62351-7 Standard for Monitoring at Black Hat USA 2019. While doing this analysis, we discovered a previously unknown device vulnerability.
The Siemens CERT Advisory highlights the challenge of safeguarding industrial systems that include long-lived, insecure legacy devices. It is one of three ICS-CERT advisories related to Siemens products reported by our team in the last year.
Read on to learn about this vulnerability and other legacy device risks that are all too common in industrial facilities.
Overview of the Switch Vulnerability Reported by Nozomi Networks Labs
The vulnerability covered by the Siemens CERT Advisory applies to Siemens SCALANCE XF series switches. Specifically, the products affected include:
- All SCALANCE XF-208 switches at revisions <= v5.2.3
Siemens describes the Industrial Ethernet switch portfolio to which these devices belong as follows:
“Equipped for all ambient conditions – in our Industrial Ethernet switches portfolio, you are sure to find the right switch for your application: devices with copper or fiber-optic ports, for the control cabinet or for use in harsh environments, at data rates of up to 10 Gbps.
This gives you flexibility in designing the network topology: from redundant setup and minimization of downtimes, through integrated and reliable segmentation across all levels to barrier-free connection to cloud-based systems.
Siemens offers you all this from a single source: an integrated range of products and systems for automation in all areas – from incoming goods, through the production process to the dispatch of goods, from the machine and aggregation level, through the industrial backbone to connection to the enterprise network.”
According to ICS-CERT, these devices are used worldwide in infrastructure sectors such as:
- Critical manufacturing
- Food and agriculture
- Healthcare and public health
During Nozomi Networks research on the implementation of the IEC 62351-7 Standard for securing smart grid facilities, our Labs team discovered a vulnerability that highlights the challenges of securing legacy ICS devices.
Nozomi Networks Labs’ Vulnerability Analysis
At Black Hat USA 2019 in Las Vegas last week, Nozomi Networks presented a novel monitoring approach (using the Nozomi Networks Smart Polling solution) for securing power grid intelligent electronic devices (IEDs). During our latest research on the implementation of the IEC 62351-7 Standard for securing smart grid facilities, we decided to do more in-depth analysis on the current security posture of some of the devices used in our Black Hat demo scenarios.
SSA-100232: Denial-of-Service Vulnerability in SCALANCE X Switches, August 13, 2019
- ICS-CERT Advisory: ICSA-19-225-03 – Siemens SCALANCE X Switches
- NIST/NVD: CVE-2019-10942
- Reported by Nozomi Networks Labs
The vulnerability permits a remote threat actor to cause uncontrolled resource consumption in the Telnet service that the switch exposes for management and configuration. By sending crafted packets to that service, an attacker can trigger a Denial of Service (DoS): the device enters fault mode and reboots immediately. While the switch is down, every device attached to it loses network connectivity, which in turn interrupts the low-level industrial process that the network carries.
Siemens Plans to Issue Updates that Eradicate Device Vulnerabilities
Siemens has issued a Security Advisory for the SCALANCE XF-series switch vulnerability, including suggested workarounds and mitigations that customers can apply to reduce the risk. Additional patches are expected to be shared by Siemens soon.
Based on our experience with previous disclosures and collaborations with Siemens CERT, the vulnerability was handled in a timely and effective manner by the Siemens security team.
Widespread Use of Devices Has Safety and Business Impacts
The widespread use of SCALANCE switches throughout multiple industries around the world highlights the challenges of securing both IT and OT networks. Additionally, the extended lifespans of these devices in industrial facilities means that organizations may still be utilizing vulnerable assets within these sensitive environments. The security challenge is further complicated because critical control devices can’t be readily taken offline for patching.
To assess your organization’s level of cyber risk to such vulnerabilities, it’s important to have visibility into the susceptible devices in your facilities and use that information in your remediation plan. The ideal security program needs to consider cyber risks, safety and environmental concerns, as well as business impacts.
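The first step of such an assessment is mechanical: compare each SCALANCE XF-208 in the asset inventory against the affected range in SSA-100232 / CVE-2019-10942 (XF-208 at <= V5.2.3, i.e. anything before V5.2.4) and rank the result by exposure. The script below is an added example written for this post, not code from Nozomi Networks or Siemens. It assumes the inventory provides a model string, a firmware string and whether Telnet is enabled; the asset records and addresses are constructed for the example, and only the XF-208 is matched because that is the only product listed above.

```python
"""Added example (not from the Nozomi Networks post or Siemens): flag inventory
entries for SCALANCE XF-208 switches whose firmware is in the affected range of
SSA-100232 / CVE-2019-10942 (<= V5.2.3, i.e. any release before V5.2.4) and
prioritise them by exposure. Inventory records below are constructed."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First release outside the affected range: <= 5.2.3 is affected per the advisory.
FIXED_VERSION = (5, 2, 4)
AFFECTED_MODEL = "SCALANCE XF-208"   # the only product the advisory text above lists
CVE = "CVE-2019-10942"

# Accepts "V5.2.3", "5.2", "v 5.2.4"; anything else is treated as unknown.
_VERSION_RE = re.compile(r"^\s*[Vv]?\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn a firmware string into a comparable (major, minor, patch) tuple.
    Returns None when the string is not a version, so an unknown firmware
    becomes a finding instead of silently passing the check."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(model: str, firmware: str) -> Optional[bool]:
    """True if the device falls inside the advisory's range, False if not,
    None if the firmware version cannot be parsed."""
    if model.strip().upper() != AFFECTED_MODEL:
        return False
    version = parse_version(firmware)
    if version is None:
        return None
    return version < FIXED_VERSION


@dataclass
class Asset:
    name: str
    ip: str
    model: str
    firmware: str
    telnet_enabled: bool   # from the running configuration or a port scan


def assess(assets: List[Asset]) -> List[dict]:
    """One finding per asset needing action, highest priority (P0) first."""
    findings = []
    for a in assets:
        affected = is_affected(a.model, a.firmware)
        if affected is False:
            continue
        # The advisory's attack path is the Telnet service, so an affected switch
        # that still exposes Telnet is the most urgent combination.
        if affected is None:
            priority, reason = 2, "firmware version unknown; verify manually"
        elif a.telnet_enabled:
            priority, reason = 0, f"{CVE}: affected firmware and Telnet service enabled"
        else:
            priority, reason = 1, f"{CVE}: affected firmware (Telnet disabled, reduced exposure)"
        findings.append({"asset": a.name, "ip": a.ip, "firmware": a.firmware,
                         "priority": priority, "reason": reason})
    return sorted(findings, key=lambda f: f["priority"])


# Constructed sample inventory (hypothetical names, addresses and versions).
SAMPLE_INVENTORY = [
    Asset("sw-cell-01", "192.168.10.2", "SCALANCE XF-208", "V5.2.3", telnet_enabled=True),
    Asset("sw-cell-02", "192.168.10.3", "SCALANCE XF-208", "V5.2.4", telnet_enabled=True),
    Asset("sw-cell-03", "192.168.10.4", "SCALANCE XF-208", "V5.1.0", telnet_enabled=False),
    Asset("sw-cell-04", "192.168.10.5", "SCALANCE XF-208", "unknown", telnet_enabled=True),
    Asset("sw-core-01", "192.168.10.1", "Other vendor 24-port switch", "3.1.0", telnet_enabled=True),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"[P{f['priority']}] {f['asset']} ({f['ip']}) fw={f['firmware']}: {f['reason']}")
```

Treating an unparseable firmware string as a finding rather than a pass is deliberate: in legacy OT inventories the version field is often blank or free text, and a vulnerability check that quietly skips those records understates the risk.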
Recommended Solutions and Mitigations
Siemens has provided a set of recommendations, including standard mitigations, to protect impacted end users from the vulnerability. These mitigations are outlined in the Security Advisory and include:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may also have vulnerabilities and should be updated to the most current versions available. Industrial operators need to be aware that VPNs are only as secure as the connected devices.
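Whether those mitigations are actually in place can be checked against observed traffic rather than assumed from network diagrams. The script below is an added example written for this post (not Nozomi Networks or Siemens code): it audits flow records for Telnet (tcp/23, the management service named in the advisory) sessions to SCALANCE management addresses, flags any source outside the subnet allowed to manage switches, escalates when the source is not even an RFC 1918 address (meaning the management plane is reachable from outside the plant network), and separately notes a single source opening many Telnet sessions to one switch. The switch addresses, the allowed engineering subnet and the flow records are all constructed for the example.

```python
"""Added example (not from the Nozomi Networks post): audit flow records against
the exposure mitigations for the SCALANCE Telnet DoS. Addresses, subnets and
flows below are constructed; in practice they would come from NetFlow/IPFIX or
Zeek conn.log exports and from the asset inventory."""

import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

TELNET_PORT = 23   # Telnet's registered TCP port, the management service in SSA-100232

# Assumed addressing for the example plant network.
SWITCH_MGMT = {ipaddress.ip_address(a) for a in ("192.168.10.2", "192.168.10.3")}
ALLOWED_MGMT_SOURCES = [ipaddress.ip_network("192.168.50.0/24")]   # engineering stations
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    """Explicit RFC 1918 test (ipaddress.is_private also covers documentation
    ranges such as 203.0.113.0/24, which would hide the sample external source)."""
    return any(addr in net for net in RFC1918)


def targets_switch_telnet(flow: Dict) -> bool:
    """True for a TCP flow to port 23 on one of the switch management addresses."""
    return (flow["proto"] == "tcp" and flow["dport"] == TELNET_PORT
            and ipaddress.ip_address(flow["dst"]) in SWITCH_MGMT)


def classify_flow(flow: Dict) -> str:
    """Return 'ok', 'unexpected_source' or 'external_source' for one flow record."""
    if not targets_switch_telnet(flow):
        return "ok"
    src = ipaddress.ip_address(flow["src"])
    if any(src in net for net in ALLOWED_MGMT_SOURCES):
        return "ok"
    # Telnet from a non-RFC 1918 address reaching a switch means the first
    # mitigation (no Internet reachability) is not in place.
    if not is_rfc1918(src):
        return "external_source"
    # Inside the plant but not an engineering station: segmentation from the
    # business network is leaking.
    return "unexpected_source"


def audit_flows(flows: Iterable[Dict], burst_threshold: int = 20) -> List[Dict]:
    """Collect policy violations, plus one 'telnet_burst' alert per (src, dst) pair
    that opened at least burst_threshold Telnet sessions to a switch in the window.
    The burst check applies to allowed sources too; repeated connections to the
    vulnerable service are worth a look regardless of who sends them."""
    alerts: List[Dict] = []
    session_count: Counter = Counter()
    for flow in flows:
        if targets_switch_telnet(flow):
            session_count[(flow["src"], flow["dst"])] += 1
        verdict = classify_flow(flow)
        if verdict != "ok":
            alerts.append({"type": verdict, **flow})
    for (src, dst), n in session_count.items():
        if n >= burst_threshold:
            alerts.append({"type": "telnet_burst", "src": src, "dst": dst, "sessions": n})
    return alerts


def _flow(src: str, dst: str, dport: int) -> Dict:
    return {"src": src, "dst": dst, "proto": "tcp", "dport": dport}


# Constructed flow records for the example.
SAMPLE_FLOWS = (
    [_flow("192.168.50.10", "192.168.10.2", 23)]        # engineering station: allowed
    + [_flow("192.168.20.77", "192.168.10.2", 23)]      # office VLAN reaching a switch
    + [_flow("203.0.113.9", "192.168.10.3", 23)]        # non-RFC 1918 source (documentation range)
    + [_flow("192.168.50.10", "192.168.10.2", 443)]     # HTTPS, not Telnet: ignored here
    + [_flow("192.168.20.77", "192.168.10.3", 23)] * 25  # repeated sessions from one host
)

if __name__ == "__main__":
    for alert in audit_flows(SAMPLE_FLOWS):
        print(alert)
```

The allowlist approach is the point: because the advisory's workaround is to restrict who can reach the Telnet service, the useful detection is not "Telnet seen" but "Telnet to a switch from somewhere the firewall policy says should be impossible", which is evidence that the mitigation itself has failed.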
Nozomi Networks Unified Solution Automatically Identifies Affected Systems
Nozomi Networks customers using Threat Intelligence benefit from custom signatures that identify vulnerabilities as soon as they are discovered. Customers automatically receive alerts letting them know which assets are vulnerable, along with suggested steps for remediation.
Take Action Against Cyber Risk from Legacy Devices
While the challenge of securing legacy industrial devices is formidable, effective tools and helpful information are now available.
Given how quickly the threat landscape changes, two capabilities are becoming essential: threat intelligence that identifies which devices carry specific vulnerabilities, and machine learning that automatically detects threats and vulnerabilities in industrial systems.
Armed with this information, you can prioritize the actions needed to improve the cyber security posture of your industrial operations.
Related Content to Download
“The Future of Securing Intelligent Electronic Devices Using the IEC 62351-7 Standard for Monitoring”
Learn about the latest innovations in power grid cybersecurity:
- (In)Secure Smart Grids: State of the Industry
- WG15 and the IEC 62351-7 Standard
- DEMO: Active Monitoring in Action
- Future of the Threat Detection Landscape
- ICS-CERT Advisory: Siemens SCALANCE X Switches (ICSA-19-225-03)
- Data Sheet: Siemens Security Advisory CERT SSA-100232
- Website: Common Vulnerabilities and Exposures: CVE-2019-10942 NIST/NVD Database
- Nozomi Networks Labs Blog: Black Hat: The Future of Securing Power Grid Intelligent Devices
- Video: The Future of Securing Intelligent Electronic Devices Using the IEC 62351-7 Standard for Monitoring
- Nozomi Networks Labs Blog: What You Need to Know About LookBack Malware & How to Detect It
- Website: Nozomi Networks Labs
Security Research Manager, Nozomi Networks
Alessandro Di Pinto is an Offensive Security Certified Professional (OSCP) with an extensive background in malware analysis, ICS/SCADA security, penetration testing and incident response. He holds GIAC Reverse Engineering Malware (GREM) certification, which recognizes technologists with the skills and knowledge to reverse engineer malware and conduct forensic investigations. In his role as Security Researcher with Nozomi Networks, he co-authored the research paper TRITON: The First ICS Cyber Attack on Safety Instrument Systems.
Younes Dragoni is a member of the World Economic Forum’s Global Shaper Community, a worldwide network of young people actively shaping our future through solution building, policy-making and lasting change. His fascination with computer security, and desire to be on the offensive side, began many years ago. Now, as Security Researcher with Nozomi Networks, Younes thrives on hunting down vulnerabilities in automation devices (ICS/SCADA) and examining malicious software to understand the nature of threats to industrial operations.