Password Protection Vulnerability in Siemens
SIMATIC Controllers
(S7-200, S7-300, S7-400, S7-1200)
July 5, 2011
Security researcher Dillon Beresford of NSS Labs reported
multiple vulnerabilities to ICS-CERT that affect the Siemens
SIMATIC S7-1200 micro PLC, as documented in ICS-CERT Alert
11-161-01 and in the corresponding SCADAhacker reference entry.
Commands between the affected PLCs and other devices are
transmitted using the International Organization for
Standardization Transport Service Access Point (ISO-TSAP)
protocol. According to ICS-CERT analysis, ISO-TSAP functions
as specified; however, it performs no authentication, and
payloads are neither encrypted nor obfuscated. Like ISO-TSAP,
many protocols used in industrial control systems were
intentionally designed to be open and without security
features. The replay attack vulnerabilities affecting the
S7-1200 are also verified to affect the SIMATIC S7-200,
S7-300, and S7-400 PLCs. Password protection does not change
this: because the exchange that carries the password is itself
unauthenticated and sent in the clear, a captured session can
simply be resent, so Siemens PLCs configured with password
protection remain susceptible to a replay attack.
An attacker with access to the PLC or the automation network
could intercept the PLC password and make unauthorized
changes to PLC operation. Since the ISO-TSAP layer itself
offers nothing to harden, mitigation has to come from outside
the protocol: restricting which hosts can reach the PLC's
ISO-TSAP service (TCP port 102 under RFC 1006) and monitoring
that traffic for connections from unexpected sources.
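Because ISO-TSAP has no authentication to fail, a replayed session looks exactly like the original on the wire; the only signal left is where it came from. The following is an added example, not code from the original page, ICS-CERT or Siemens: it parses the RFC 1006 TPKT / ISO 8073 COTP framing that carries S7 traffic on TCP/102 and flags connection requests and S7 job PDUs to a PLC from any host that is not an allow-listed engineering station. The IP addresses, host roles and sample frames are constructed; the sample S7 PDU is a setup-communication request of the kind a client sends after the COTP connection.

```python
# Added example (not from the original page): parse the RFC 1006 TPKT /
# ISO 8073 COTP framing that carries Siemens S7 traffic on TCP/102 and flag
# traffic the ISO-TSAP layer itself will never reject: connection requests and
# S7 job PDUs from hosts that are not allow-listed engineering stations.
# IP addresses, host roles and the sample frames below are constructed.
import struct
from typing import Any, Dict, List, Set, Tuple

TPKT_VERSION = 3
COTP_CR, COTP_CC, COTP_DT = 0xE0, 0xD0, 0xF0   # connection request / confirm / data
PARAM_SRC_TSAP, PARAM_DST_TSAP, PARAM_TPDU_SIZE = 0xC1, 0xC2, 0xC0
S7_PROTO_ID = 0x32
S7_ROSCTR_JOB = 0x01   # request PDU: the type that can read or change PLC state


def parse_tpkt_cotp(frame: bytes) -> Dict[str, Any]:
    """Split one TPKT-encapsulated COTP TPDU into header fields and payload."""
    if len(frame) < 6:
        raise ValueError("frame too short for TPKT + COTP")
    version, _reserved, length = struct.unpack("!BBH", frame[:4])
    if version != TPKT_VERSION:
        raise ValueError(f"unexpected TPKT version {version}")
    if length != len(frame):
        raise ValueError("TPKT length field does not match frame length")
    li, pdu_type = frame[4], frame[5]          # LI counts header bytes after itself
    header_end = 5 + li
    if header_end > len(frame):
        raise ValueError("COTP length indicator runs past end of frame")
    info: Dict[str, Any] = {"pdu_type": pdu_type, "params": {}, "payload": frame[header_end:]}
    if pdu_type in (COTP_CR, COTP_CC):
        if li < 6:
            raise ValueError("CR/CC header too short")
        info["dst_ref"], info["src_ref"], info["class_option"] = struct.unpack("!HHB", frame[6:11])
        pos = 11                                # variable part: code, length, value
        while pos + 2 <= header_end:
            code, plen = frame[pos], frame[pos + 1]
            if pos + 2 + plen > header_end:
                raise ValueError("COTP parameter runs past header")
            info["params"][code] = frame[pos + 2:pos + 2 + plen]
            pos += 2 + plen
    elif pdu_type == COTP_DT:
        info["eot"] = bool(frame[6] & 0x80)     # last TPDU of the message
    return info


def audit_iso_tsap(packets: List[Tuple[str, str, int, bytes]],
                   plcs: Set[str], engineering_stations: Set[str]) -> List[str]:
    """Return alert strings for ISO-TSAP/S7 traffic to PLCs from unexpected sources."""
    alerts: List[str] = []
    for src, dst, dport, frame in packets:
        if dport != 102 or dst not in plcs:
            continue
        try:
            info = parse_tpkt_cotp(frame)
        except ValueError as err:
            alerts.append(f"{src}->{dst}: malformed ISO-TSAP frame ({err})")
            continue
        if src in engineering_stations:
            continue                            # expected peer; the protocol gives us nothing else to check
        if info["pdu_type"] == COTP_CR:
            tsap = info["params"].get(PARAM_DST_TSAP, b"").hex()
            alerts.append(f"{src}->{dst}: COTP connection request to TSAP {tsap} from non-engineering host")
        elif info["pdu_type"] == COTP_DT:
            s7 = info["payload"]
            if len(s7) >= 2 and s7[0] == S7_PROTO_ID and s7[1] == S7_ROSCTR_JOB:
                alerts.append(f"{src}->{dst}: S7 job PDU from non-engineering host (possible replay)")
    return alerts


# Constructed sample traffic: a session from the engineering station, then the
# same two frames re-sent byte-for-byte from another host on the network.
# CR: TPKT(len 22), COTP LI=17 type E0, refs, class 0, src TSAP 01 00,
#     dst TSAP 01 02, TPDU size 1024.
CR_FRAME = bytes.fromhex("03000016" "11e0" "0000" "0001" "00" "c1020100" "c2020102" "c0010a")
# DT: TPKT(len 25), COTP LI=2 type F0 EOT, then an S7 setup-communication job PDU.
DT_SETUP = bytes.fromhex("03000019" "02f080" "32010000000000080000" "f0000001000101e0")

SAMPLE_PACKETS = [
    ("10.0.0.10", "10.0.0.5", 102, CR_FRAME),   # engineering station -> PLC
    ("10.0.0.10", "10.0.0.5", 102, DT_SETUP),
    ("10.0.0.99", "10.0.0.5", 102, CR_FRAME),   # unknown host replays the capture
    ("10.0.0.99", "10.0.0.5", 102, DT_SETUP),
]


def demo() -> List[str]:
    return audit_iso_tsap(SAMPLE_PACKETS, plcs={"10.0.0.5"}, engineering_stations={"10.0.0.10"})


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run against the constructed capture, only the two frames from 10.0.0.99 produce alerts, although they are identical to the legitimate ones: that is the whole point of the vulnerability, and why an allow list of peers (or equivalent segmentation) is the control rather than anything in the protocol itself. The same parser can be pointed at frames pulled from a real capture of port 102 traffic.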