S7 Security Module

A friend sent me a 24-page Network Security brochure from Siemens dated May 2012 with more detail on Siemens S7 security offerings and overall security strategy (we will add the link when it is up on the Siemens site). We would still like to get more technical detail, pricing, and ultimately our hands on some of these new products, but there is enough information here to draw some conclusions.

Some have played the “it wouldn’t have stopped Stuxnet” card. Well no single technical solution would have stopped Stuxnet, and I’ll address that at the end of the blog.

The Good

I’ve been quite vocal about Siemens’ lack of response, honesty and forthrightness with customers on Stuxnet, Beresford and other cyber security issues. The company went 625 days without any response to the PLC vulnerabilities. Now they did something, so that is good. The perfect should not be the enemy of the good, and hopefully this, along with better responses to WinCC vulns (pdf), is a sign of movement in the right direction.

The advanced Communications Processor (CP) modules for the S7-300 and S7-400 are basically the Siemens SCALANCE firewall/VPN product integrated with an Ethernet module that fits into the S7 PLC. It is similar to Byres’ Tofino modules that are built for Honeywell, Invensys, and other vendor PLC platforms. Tofino has deep packet inspection for Modbus and OPC, while it does not appear that the Siemens modules have this capability for PROFINET, S7 or anything but IP.

The VPN would stop an attacker who had gained access to the PLC network, but had not compromised an HMI or EWS with a VPN client, from communicating with the S7 PLC. While Stuxnet compromised the WinCC PCs first, Beresford showed and Langner has commented that this was not necessary. The VPN adds a step in the attack chain: a VPN client system must be compromised before the S7 PLC can be attacked.

The firewall feature is of lesser value in most typical SCADA and DCS architectures, especially if the VPN is used. It could offer some protection if the unnecessary ports are not closed on the S7. It may stop a novice attacker or automated malware that is not able to hijack an IP address.

The biggest benefit of these new CP modules is that they are an S7 PLC module solution rather than the bump-in-the-wire/external solution that was previously available in the SCALANCE product line. This makes deployment much easier. Pricing is not yet released, but hopefully the Advanced CP module with encryption and firewall is only a small premium over the standard CP module. The downside to this product marketing strategy is that the Advanced CP module does not appear to have PROFINET, and most Siemens customers now buy the Ethernet + PROFINET module. So the Advanced CP may end up being an additional security module rather than a replacement comms module.

Of course all these good aspects assume the security controls have been implemented properly, and we hope to get our hands on the S7-300 Advanced CP module soon for testing in Project Basecamp. For example, is there some way to circumvent the VPN if it fails? This is something that many customers would unfortunately ask for.

The Bad

These new modules do not fix any of the underlying security problems in the S7 protocol or firmware. The password vulnerabilities, replay issues and default credentials are not addressed by the new hardware. The protocol still lacks source or data authentication. If an attacker can access the S7 it is still insecure by design.

Siemens is maintaining the approach that the solution is to not let the bad guys get to the insecure PLC. This is very disappointing given that almost two years have passed since Stuxnet.

It is also illogical given the Siemens emphasis on defense in depth. A defense in depth strategy would dictate that you don’t rely solely on preventing access to a system. Instead, the depth would be that the system can withstand an attack if the security controls designed to prevent access to the system’s external interface fail.

There appears to be no additional authentication or access control to limit what an attacker can do once they can access the S7 PLC. If the VPN is established, the S7 PLC is in the same vulnerable state allowing writes, ladder logic uploads, and more.

There are Siemens access control measures for Siemens software, but an attacker does not need to use Siemens software to access the PLC over an established VPN. The Siemens Logon application effectively controls honest users’ access rights, not an adversary’s.
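To make the defense in depth point above concrete, here is an added illustration (example code written for this post, not Siemens code and not the S7 protocol) of the difference between a device that only trusts the claimed source of a command, as an IP-only firewall rule or a VPN-terminated network does, and a device that verifies source and data authentication itself. The message layout, the source names and the shared keys are constructed for the example; a real deployment would also need key provisioning and a counter that survives a restart.

```python
import hashlib
import hmac
import struct

# Constructed shared keys for two legitimate sources (an EWS and an HMI);
# the names and keys are assumptions for this example, not real identities.
KEYS = {
    "ews-01": b"ews-01-demo-key-not-for-production",
    "hmi-01": b"hmi-01-demo-key-not-for-production",
}


class UnauthenticatedPLC:
    """Models a device that trusts the claimed source of a message, much like
    an IP-only firewall rule: any peer that can put the right address on the
    wire is believed, and nothing binds the command to a key."""

    def __init__(self, allowed_sources):
        self.allowed = set(allowed_sources)
        self.registers = {}

    def handle(self, msg):
        src, reg, value = msg
        if src not in self.allowed:
            return "rejected: unknown source"
        self.registers[reg] = value
        return "ok"


def compute_tag(key, src, counter, reg, value):
    """HMAC-SHA256 over a fixed-width encoding of every field that matters."""
    payload = struct.pack(">16sQHi", src.encode().ljust(16, b"\0"), counter, reg, value)
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_write(key, src, counter, reg, value):
    """Build an authenticated write request: (source, counter, register, value, tag)."""
    return (src, counter, reg, value, compute_tag(key, src, counter, reg, value))


class AuthenticatedPLC:
    """Models a device that checks source and data authentication itself, so
    it still withstands a peer that has reached the network or the VPN."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_counter = {src: 0 for src in keys}
        self.registers = {}

    def handle(self, msg):
        src, counter, reg, value, tag = msg
        key = self.keys.get(src)
        if key is None:
            return "rejected: unknown source"
        # Verify the tag before touching any state, so a forged message cannot
        # advance the replay counter or otherwise influence the device.
        expected = compute_tag(key, src, counter, reg, value)
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        # Strictly increasing per-source counter: a captured request cannot be
        # played back, even by a peer holding a valid VPN session.
        if counter <= self.last_counter[src]:
            return "rejected: replay"
        self.last_counter[src] = counter
        self.registers[reg] = value
        return "ok"


def demo():
    """Run the same scenarios against both models and return the outcomes."""
    results = {}

    plain = UnauthenticatedPLC(allowed_sources=KEYS.keys())
    # A peer on the network merely claims to be the EWS; the device cannot tell.
    results["plain_claimed_source"] = plain.handle(("ews-01", 10, 1500))

    auth = AuthenticatedPLC(KEYS)
    legit = make_write(KEYS["ews-01"], "ews-01", counter=1, reg=10, value=1500)
    results["auth_legit"] = auth.handle(legit)
    # The same captured request presented a second time is refused.
    results["auth_replay"] = auth.handle(legit)
    # A request bearing the EWS name but built without its key is refused.
    results["auth_wrong_key"] = auth.handle(
        make_write(b"some-other-key", "ews-01", counter=2, reg=10, value=1500))
    # A correctly keyed HMI request with the value altered in transit fails
    # tag verification and, being rejected early, does not consume counter 1.
    src, counter, reg, value, tag = make_write(KEYS["hmi-01"], "hmi-01", counter=1, reg=11, value=7)
    results["auth_tampered"] = auth.handle((src, counter, reg, value + 1, tag))
    # The untampered HMI request with the same counter is therefore still accepted.
    results["auth_hmi"] = auth.handle((src, counter, reg, value, tag))
    results["registers"] = dict(auth.registers)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The ordering of the checks in `AuthenticatedPLC.handle` is the practical detail: the tag is verified before the counter is compared or stored, so only a message from a holder of the right key can change the device's state at all. That is the property the post is asking for, that the PLC itself can withstand an attack when the network-level controls in front of it fail.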

The Bravado

Another area Siemens has not changed is in making bold statements and marketing and business moves. The best example is from the opening section:

Siemens’ comprehensive industrial security offering includes support in implementing targeted measures to protect against every threat scenario imaginable

No company or person serious about security would say such a thing, and The Bad section in this post identifies many obvious failings that have not been addressed.

Beyond the words, the “if you are worried about our vulnerable PLC then buy our hardware” strategy is incredibly bold. Why not a firmware upgrade version of at least the VPN capability? Or even better, a firmware upgrade to address the real root causes of the insecurity in the S7?

If the hardware module addressed the real security issues in the S7 it would be easier to recommend spending the time and money to upgrade. The module just builds a higher wall with an extra lock on the door around the vulnerable PLC.

It Wouldn’t Have Stopped Stuxnet

When this announcement came out, a number of experts commented that “this wouldn’t have stopped Stuxnet”. They are right. But no single product or security control will stop something like Stuxnet. This should not be the criterion when we evaluate potential security controls.

In a presentation on whitelisting at S4, Andrew Ginter said,

The reason the worm (Stuxnet) was susceptible to these security techniques (whitelisting) is because none of those techniques were in use at its target. Had those techniques been in use at its target, you would have seen the authors of the worm make a bigger effort to (circumvent those security techniques)

Just because whitelisting could have been effective in stopping initial Stuxnet infections does not mean it is the silver bullet. It is a useful security control to consider. Likewise, just because a VPN or adding data and source authentication to ICS protocols would not have stopped Stuxnet does not mean they are not of significant value as security controls.

The Stuxnet Clock

Some readers have suggested we put the Stuxnet clock back up. They have a point since there have not been fixes to the S7 security flaws. But Siemens did something. Not what we would have recommended, and not enough, but they did finally have some security answer for the S7.

Schneider and especially GE have been similarly quiet on addressing vulnerabilities identified in Project Basecamp. The right sidebar could be littered with clocks on PLC vendors. So for now we have removed the Stuxnet clock pending a more thorough review of these new modules.

Image by Siemens