The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued advisory ICSA-16-161-02, warning of “weakly protected” credentials in Siemens' SIMATIC WinCC flexible industrial control system software.
Because of this weak protection, an attacker who can capture the traffic of the product's remote management module could recover the login credentials it sends over the network.
According to the advisory, Gleb Gritsai and Roman Ilin of Positive Technologies reported the issue directly to Siemens, which has already produced an update that mitigates the vulnerability.
The advisory reads, “Attackers capturing network traffic of the remote management module could possibly reconstruct user credentials. The remote management module of SIMATIC WinCC flexible panels and SIMATIC WinCC flexible runtime transmits weakly protected credentials over the network. Attackers capturing network traffic of the remote management module could possibly reconstruct the credentials.”
ICS-CERT notes that the impact to individual organisations depends on many factors that are unique to each organisation.
It advises that companies protect network access to devices running SIMATIC WinCC flexible with appropriate mechanisms, and configure the environment according to Siemens' operational guidelines so that the devices run in a protected IT environment.
Other defensive measures ICS-CERT advises to minimise the risk of exploitation of this vulnerability include:
● Minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
● Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
● When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognising that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognise that VPN is only as secure as the connected devices.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies, which can be downloaded from the ICS-CERT website (http://ics-cert.us-cert.gov/).
ICS-CERT says organisations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
David Emm, principal security researcher at Kaspersky Lab told SCMagazineUK.com that, "It's not the first time vulnerabilities have been found in this system: Stuxnet targeted Siemens SIMATIC WinCC. There is no such thing as 'bullet-proof' software, so there's always a risk of vulnerabilities being found. However, because this operating system is designed specifically for ICS, the potential impact of any vulnerability can be huge.
Emm explained that, "For this reason, it's vital that companies apply security updates, to reduce their attack surface. On top of this, they need to control the flow of data to and from critical systems. This is not simply a technology issue, but involves an ongoing security process that includes technology, processes and people."
Marta Janus, Security Researcher at Kaspersky Lab, told SC that, "The remote management module of WinCC doesn't properly encrypt the credentials while transmitting them over the network, therefore the attacker who already has access to the company's network can intercept the traffic, extract the sloppily encrypted credentials and try to reconstruct them back to the clear text. Since there are no technical details on the flawed encryption routine itself, it's hard to say how easy it would be to crack/decrypt the passwords. But it seems that for someone with adequate knowledge it would be certainly possible."
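The advisory and the researchers quoted above describe the attack only in outline: capture the remote management traffic, then reconstruct the credentials from whatever reversible protection was applied to them. As an added illustration (written for this page; it is not Siemens' code and not the actual SIMATIC WinCC flexible routine, whose details the advisory does not publish), the following constructed example shows a hypothetical login protected with a fixed-key XOR, a passive observer who recovers the key from one known plaintext and then reads and replays the captured frame, and a challenge-response exchange in which the same capture yields neither the password nor anything replayable. The account name, password, key and frame layout are all assumptions made for the demonstration.

```python
"""Constructed example: why reversible 'protection' of credentials on the wire
fails against a passive capture, and a challenge-response exchange that does not.
Illustrative code written for this page; not the SIMATIC WinCC flexible routine."""
import hashlib
import hmac
import secrets

# ---- Weak scheme (hypothetical) --------------------------------------------
# A fixed key shared by every client and server build. Extracting it once
# (from the software, or from one known plaintext) breaks every capture.
WEAK_KEY = b"\x5a\xa5\x3c\xc3"  # assumed value, chosen for the demo


def weak_protect(data: bytes) -> bytes:
    """Repeating-key XOR; applying it twice returns the original bytes."""
    return bytes(b ^ WEAK_KEY[i % len(WEAK_KEY)] for i, b in enumerate(data))


def weak_login_frame(user: str, password: str) -> bytes:
    """Client side. Assumed wire layout: 1-byte user length | user | password, then XOR."""
    body = bytes([len(user)]) + user.encode() + password.encode()
    return weak_protect(body)


def weak_server_check(frame: bytes, accounts: dict) -> bool:
    """Server side: undo the XOR and compare the clear-text password."""
    body = weak_protect(frame)
    ulen = body[0]
    user = body[1:1 + ulen].decode(errors="replace")
    return accounts.get(user) == body[1 + ulen:].decode(errors="replace")


# ---- Passive observer on the same network ----------------------------------
def observer_derive_key(frame: bytes, known_plaintext: bytes) -> bytes:
    """XORing a captured frame with a known plaintext prefix (for instance a
    default account name) yields the key stream, and so the fixed key."""
    return bytes(c ^ p for c, p in zip(frame, known_plaintext))


def observer_recover(frame: bytes, key: bytes) -> tuple:
    """Recover user and password from a captured frame using the derived key."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(frame))
    ulen = body[0]
    return body[1:1 + ulen].decode(), body[1 + ulen:].decode()


# ---- Hardened exchange: server-nonce challenge-response --------------------
def password_verifier(password: str) -> bytes:
    """Stored by the server instead of the password. Toy derivation; a real
    deployment would use a salted, iterated KDF such as PBKDF2 or scrypt."""
    return hashlib.sha256(password.encode()).digest()


def server_challenge() -> bytes:
    """A fresh random nonce for every login attempt."""
    return secrets.token_bytes(16)


def client_response(user: str, password: str, nonce: bytes) -> bytes:
    """What goes on the wire: the user name and an HMAC over the nonce.
    The password itself never leaves the client."""
    return hmac.new(password_verifier(password), nonce + user.encode(),
                    hashlib.sha256).digest()


def server_verify(user: str, nonce: bytes, tag: bytes, verifiers: dict) -> bool:
    """Recompute the tag from the stored verifier and compare in constant time."""
    verifier = verifiers.get(user)
    if verifier is None:
        return False
    expected = hmac.new(verifier, nonce + user.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def run_demo() -> dict:
    """Both exchanges as seen by a passive attacker who captured the traffic."""
    user, password = "admin", "Siemens1"        # constructed sample credentials
    accounts = {user: password}

    # Weak: capture one frame, derive the key from the known default user
    # name, read the clear text, then replay the frame unchanged.
    frame = weak_login_frame(user, password)
    key = observer_derive_key(frame, bytes([len(user)]) + user.encode())[:len(WEAK_KEY)]
    recovered = observer_recover(frame, key)
    weak_replay_accepted = weak_server_check(frame, accounts)

    # Hardened: the capture holds (user, nonce, tag). Replaying the tag
    # against a fresh challenge fails, and the password is not on the wire.
    verifiers = {user: password_verifier(password)}
    nonce1 = server_challenge()
    tag1 = client_response(user, password, nonce1)
    genuine_accepted = server_verify(user, nonce1, tag1, verifiers)
    nonce2 = server_challenge()
    replay_accepted = server_verify(user, nonce2, tag1, verifiers)
    on_wire = user.encode() + nonce1 + tag1

    return {
        "weak_key_recovered": key == WEAK_KEY,
        "weak_credentials": recovered,
        "weak_replay_accepted": weak_replay_accepted,
        "strong_genuine_accepted": genuine_accepted,
        "strong_replay_accepted": replay_accepted,
        "password_on_wire": password.encode() in on_wire,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the pairing is that the weak scheme fails twice: the observer needs only one known plaintext to read every subsequent login, and even an observer who never recovers the key can replay the captured frame, because nothing in it is tied to the session. The challenge-response variant puts a server-chosen nonce under the HMAC, so a captured tag is useless against a later challenge and the password never appears on the wire. In practice the remote management channel should also run inside TLS or a VPN, as ICS-CERT's mitigations say, so that the user name and the exchange itself are not visible either.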