Hackers Can Exploit Siemens Control System Flaws in Attacks on Power Plants

Power plants can be targeted by hackers via flaws in Siemens control system

The Siemens SPPA-T3000 distributed control system, which is designed for fossil and renewable power plants, is affected by over 50 vulnerabilities, including flaws that can be exploited to disrupt electricity generation.

According to Siemens, the SPPA-T3000 Application Server is affected by 19 vulnerabilities and the SPPA-T3000 MS3000 Migration Server is impacted by 35 security holes, including weaknesses rated critical that can be exploited for denial-of-service (DoS) attacks or arbitrary code execution on the server.

A majority of the vulnerabilities were discovered by researchers at Kaspersky and Positive Technologies, and a handful by an expert from Turkish cybersecurity company Biznet Bilişim. Kaspersky and Positive Technologies started reporting the vulnerabilities to Siemens in October 2018 and December 2018, respectively.

In addition to flaws that allow DoS attacks and arbitrary code execution, the researchers also discovered security holes that can be exploited to obtain and change user passwords, obtain directory listings and files containing sensitive information, escalate privileges to root, enumerate running RPC services, upload arbitrary files without authentication, read and write arbitrary files on the local file system, access paths and filenames on the server, enumerate usernames, and access logs and configuration files.

Many of the flaws are very similar, but they have been assigned different CVE identifiers.

Siemens says exploitation of the vulnerabilities requires access to the Application Highway or the Automation Highway, and these network segments should not be exposed if the system has been set up as specified in the product’s security manual.

“The application network is where the power plant operator controls everything and sends commands to the server,” Kaspersky experts told SecurityWeek. “The server is also connected to the automation network with equipment connected to turbines and other field devices.”

Kaspersky says it’s typically not an easy task to gain access to these networks.
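Because Siemens' stated precondition is network access to the Application Highway or the Automation Highway, a practical check is to audit flow records for any connection that reaches those segments from a host on neither of them. The script below is an added example and is not code from Siemens, Kaspersky or Positive Technologies; the subnets, the flow-log format and the sample flows are all constructed for illustration, since the article gives no addressing details for a real SPPA-T3000 site.

```python
"""Flag network flows that reach SPPA-T3000 control segments from outside them.

Added example; not Siemens or researcher code. Subnets, the flow-log line
format and the sample flows below are constructed (hypothetical).
"""
import ipaddress
from collections import namedtuple

# Hypothetical addressing for the two segments named in Siemens' advisory.
APPLICATION_HIGHWAY = ipaddress.ip_network("10.10.1.0/24")
AUTOMATION_HIGHWAY = ipaddress.ip_network("10.10.2.0/24")
CONTROL_SEGMENTS = (APPLICATION_HIGHWAY, AUTOMATION_HIGHWAY)

Flow = namedtuple("Flow", "src sport dst dport proto")
Finding = namedtuple("Finding", "src dst dport segment line")


def parse_flow(line):
    """Parse one constructed flow record: '<src>:<sport> -> <dst>:<dport> <proto>'.

    Returns None for malformed lines so a bad record cannot abort the audit.
    """
    parts = line.split()
    if len(parts) != 4 or parts[1] != "->":
        return None
    try:
        src, sport = parts[0].rsplit(":", 1)
        dst, dport = parts[2].rsplit(":", 1)
        return Flow(
            ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport),
            parts[3].upper(),
        )
    except ValueError:
        return None


def segment_of(addr):
    """Return the control segment containing addr, or None if it is on neither."""
    for net in CONTROL_SEGMENTS:
        if addr in net:
            return net
    return None


def find_exposed_flows(lines):
    """Return flows whose destination is a control segment but whose source is not.

    Traffic between the two highways is accepted here because the Application
    Server sits on both (per the article); everything else entering a highway is
    the exposure Siemens' security manual says should not exist.
    """
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        dst_segment = segment_of(flow.dst)
        if dst_segment is None or segment_of(flow.src) is not None:
            continue
        findings.append(Finding(str(flow.src), str(flow.dst), flow.dport,
                                str(dst_segment), line))
    return findings


# Constructed sample flow records (hypothetical hosts and ports).
SAMPLE_FLOWS = [
    "10.10.1.20:50312 -> 10.10.1.5:443 tcp",     # operator workstation -> app server: expected
    "10.10.2.7:40001 -> 10.10.1.5:111 tcp",      # automation highway -> app server: accepted
    "192.168.50.14:51000 -> 10.10.1.5:22 tcp",   # office network -> application highway: flagged
    "garbage line that is not a flow",           # malformed record: skipped
    "203.0.113.9:44444 -> 10.10.2.30:135 tcp",   # external host -> automation highway: flagged
    "10.10.1.20:50313 -> 172.16.0.10:443 tcp",   # outbound from the highway: not flagged
]

if __name__ == "__main__":
    for f in find_exposed_flows(SAMPLE_FLOWS):
        print(f"EXPOSED {f.segment}: {f.src} -> {f.dst}:{f.dport}")
```

Run against real exports from a firewall or flow collector, the only parts to adapt are the subnet constants and parse_flow; the segmentation rule itself is the one Siemens describes, and any finding it produces is a host that already satisfies the advisory's precondition for exploitation.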


Siemens is working on updates that should patch the vulnerabilities, and in the meantime it has advised customers to implement a series of mitigations that can prevent potential attacks.

Siemens says it has found no evidence to suggest that any of these vulnerabilities have been exploited in the wild. However, researchers from Positive Technologies and Kaspersky have told SecurityWeek that exploitation of some of these flaws could have serious consequences.

Vladimir Nazarov, head of ICS security at Positive Technologies, said exploitation of the vulnerabilities found by their researchers can allow an attacker to “cause a loss of observability on the process technology” (e.g. via DoS attacks), or send arbitrary commands to control field equipment, which could result in disruptions to power generation.

“By exploiting some of these vulnerabilities, an attacker could run arbitrary code on an application server, which is one of the key components of the SPPA-T3000 distributed control system,” Nazarov explained. “Attackers can thereby take control of operations and disrupt them. This could stop electrical generation and cause malfunctions at power plants where vulnerable systems are installed.”

Nazarov added, “As for the vulnerabilities in MS3000, it interacts directly with the controllers (all commands to controllers come out of the Application Server, go to MS3000 and then to the controllers). It means that RCE on the MS3000 allows an attacker to interact with the controllers and cause almost the same things as described above.”

Kaspersky says it has heard speculation that exploitation of the vulnerabilities could result in physical impact on power generation infrastructure, but they could not confirm the possibility.

Both Kaspersky and Positive Technologies said that while some of the flaws they have found are easy to exploit, others require extensive knowledge of the targeted system. Kaspersky says attacks that impact safety or lead to power outages require more advanced knowledge of the targeted system.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
