We have been running a Stuxnet clock in the right sidebar with the tag line: Siemens has not fixed Stuxnet S7 vulns for … Yesterday Siemens officially announced a firewall and VPN solution that should prevent the Stuxnet attack on the S7 PLC. So we have stopped the clock at 625 days, the time from 13 Sept 2010, when Ralph Langner announced that Stuxnet attacked the PLC, to this Siemens press release.
I hope to be able to interview Siemens and get more answers on the solution in the near future, but here is what we can glean from the press release:
- There is a new Communications Processor for the S7 300 and S7 400 PLCs that has a firewall and VPN capability. For those new to ICS, think of this as an Ethernet card with security. If Siemens did this right, it should prevent an attacker with logical access to the PLC network from uploading rogue ladder logic à la Stuxnet.
- There is a new Simatic NET CP 1628 module for HMI and Engineering Workstations that includes a firewall and VPN client, presumably to communicate with the S7 PLCs. It is unclear whether this hardware module is required to create the VPN to the new S7 Communication Processors. This capability should also be standard in the software, and the hardware version should be available for those requiring a higher degree of security.
I have been tough on Siemens’ response to Stuxnet, pointing out their lack of response and incomplete and misleading information to customers. Now Siemens deserves praise for getting a solution out for customers who are concerned about plant integrity. As Project Basecamp has highlighted, most of the leading PLCs have the same issues and there has been little effort to fix the problem or offer a secure solution.
The obvious question is why didn’t Siemens offer a similar capability as a firmware upgrade to the currently deployed systems?
Siemens’ PLC market has largely moved to buying the new PROFINET CPUs with an embedded Ethernet interface, so a Communications Processor card is not necessary. Is Siemens telling these customers they will need to buy the new Communications Processor as a security card? The decision in product marketing appears to be how to maximize profit in fixing this problem.
All that said … Siemens has a security answer to PLC integrity where most PLC vendors do not. It certainly is less expensive to purchase and deploy a new Communications Processor card than to replace an entire PLC/RTU such as the GE D20.
We are looking forward to getting more technical details, especially around how granularly the firewall and authorization rules can be programmed. Is it simply access allowed, yes or no, or can access be restricted to various functions and administrative actions? More to come on this.