A critical vulnerability affecting some of Siemens’ industrial control systems (ICS) designed for the energy sector could allow malicious hackers to destabilize a power grid, according to the researchers who found the security hole.
The vulnerability, tracked as CVE-2023-28489, impacts the CPCI85 firmware of Sicam A8000 CP-8031 and CP-8050 products, and it can be exploited by an unauthenticated attacker for remote code execution. These products are remote terminal units (RTUs) designed for telecontrol and automation in the energy supply sector, particularly for substations.
Patches are available in firmware versions CPCI85 V05 or later, and the German industrial giant also noted that the risk of exploitation can be reduced by limiting access to the web server on TCP ports 80 and 443 using a firewall.
In an advisory published on April 11, Siemens said it learned about the flaw from a team of researchers at cybersecurity consultancy SEC Consult, which is now part of Eviden, an Atos business.
Johannes Greil, head of the SEC Consult Vulnerability Lab, told SecurityWeek that an attacker who can exploit CVE-2023-28489 can take complete control of a device and they could potentially destabilize a power grid and possibly even cause blackouts by changing critical automation parameters. Threat actors could also leverage the vulnerability to implement backdoors.
However, the expert noted that since these devices are mostly used in critical infrastructure environments, they are typically ‘strongly firewalled’ and are not accessible directly from the internet.
“It cannot be ruled out though that some devices might be reachable through 3rd party support access connections or potential misconfigurations,” Greil explained.
Exploitation of CVE-2023-28489 can allow an attacker who has network access to the targeted device to gain full root access without any prior authentication. Exploitation of the flaw involves sending a specially crafted HTTP request to the targeted RTU.
The US Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory in April to inform organizations about the vulnerability.
Greil pointed out that Siemens Sicam products are among the first devices in the world to receive ‘maturity level 4’ certification in the Industrial Cyber Security category. This certification, IEC62443-4-1, indicates that security was an important factor throughout the design and development process and that the product has undergone rigorous testing.
SEC Consult is currently not releasing any technical details to prevent malicious hackers from potentially misusing the information.
However, the company told SecurityWeek that it has found multiple vulnerabilities in Siemens products that are in the process of being fixed and some technical details will be disclosed after patches are rolled out.
Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
October 23-26, 2023 | Atlanta
Related: Microsoft Warns of Boa Web Server Risks After Hackers Target It in Power Grid Attacks
Related: Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Related: Omron PLC Vulnerability Exploited by Sophisticated ICS Malware