Hackers Can Exploit Siemens Control System Flaws in Attacks on Power Plants

Power plants can be targeted by hackers via flaws in Siemens control system

The Siemens SPPA-T3000 distributed control system, which is designed for fossil and renewable power plants, is affected by over 50 vulnerabilities, including flaws that can be exploited to disrupt electricity generation.

According to Siemens, the SPPA-T3000 Application Server is affected by 19 vulnerabilities and the SPPA-T3000 MS3000 Migration Server is impacted by 35 security holes, including weaknesses rated critical that can be exploited for denial-of-service (DoS) attacks or arbitrary code execution on the server.

A majority of the vulnerabilities were discovered by researchers at Kaspersky and Positive Technologies, and a handful by an expert from Turkish cybersecurity company Biznet Bilişim. Kaspersky and Positive Technologies started reporting the vulnerabilities to Siemens in October 2018 and December 2018, respectively.

In addition to flaws that allow DoS attacks and arbitrary code execution, the researchers also discovered security holes that can be exploited to obtain and change user passwords, obtain directory listings and files containing sensitive information, escalate privileges to root, enumerate running RPC services, upload arbitrary files without authentication, read and write arbitrary files on the local file system, access paths and filenames on the server, enumerate usernames, and access logs and configuration files.

Many of the flaws are very similar, but they have been assigned different CVE identifiers.

Siemens says exploitation of the vulnerabilities requires access to the Application Highway or the Automation Highway, and these network segments should not be exposed if the system has been set up as specified in the product’s security manual.

“The application network is where the power plant operator controls everything and sends commands to the server,” Kaspersky experts told SecurityWeek. “The server is also connected to the automation network with equipment connected to turbines and other field devices.”

Kaspersky says it’s typically not an easy task to gain access to these networks.


Siemens is working on updates that should patch the vulnerabilities, and in the meantime it has advised customers to implement a series of mitigations that can prevent potential attacks.

Siemens says it has found no evidence to suggest that any of these vulnerabilities have been exploited in the wild. However, researchers from Positive Technologies and Kaspersky have told SecurityWeek that exploitation of some of these flaws could have serious consequences.

Vladimir Nazarov, head of ICS security at Positive Technologies, said exploitation of the vulnerabilities found by their researchers can allow an attacker to “cause a loss of observability on the process technology” (e.g. via DoS attacks), or send arbitrary commands to control field equipment, which could result in disruptions to power generation.

“By exploiting some of these vulnerabilities, an attacker could run arbitrary code on an application server, which is one of the key components of the SPPA-T3000 distributed control system,” Nazarov explained. “Attackers can thereby take control of operations and disrupt them. This could stop electrical generation and cause malfunctions at power plants where vulnerable systems are installed.”

Nazarov added, “As for the vulnerabilities in MS3000, it interacts directly with the controllers (all commands to controllers come out of the Application Server, go to MS3000 and then to the controllers). It means that the RCE on the MS3000 allows an attacker to interact with the controllers and cause almost the same things as described above.”

Kaspersky says it has heard speculation that exploitation of the vulnerabilities could result in physical impact on power generation infrastructure, but they could not confirm the possibility.

Both Kaspersky and Positive Technologies said that while some of the flaws they have found are easy to exploit, others require extensive knowledge of the targeted system. Kaspersky says attacks that impact safety or lead to power outages require more advanced knowledge of the targeted system.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
