Siemens Fixes Critical Vulnerabilities in WinCC SCADA Products

Vulnerabilities Expose SCADA Systems to Remote Attacks

Siemens has released software updates to address two critical vulnerabilities in its SIMATIC WinCC supervisory control and data acquisition (SCADA) system, one of which could be exploited remotely by an unauthenticated attacker.

The German industrial products giant has also released software updates for WinCC, PCS 7 and TIA Portal products, and said that it is working on additional updates for other versions of the affected products.

SIMATIC WinCC is used to monitor and control physical processes involved in industry and infrastructure, and is often used in industries such as oil and gas, chemical, food and beverage, water and wastewater. PCS 7 is a distributed control system (DCS) integrating SIMATIC WinCC, and TIA Portal is the company’s engineering software used for SIMATIC products.

The first vulnerability (CVE-2014-8551) within WinCC is rated as critical, with a CVSS Base Score or 10.0. The flaw could allow remote code execution for unauthenticated users if specially crafted packets are sent to the WinCC server, according to the security advisory from Siemens ProductCERT published Nov. 21.

The second vulnerability (CVE-2014-8552), also a component within WinCC, could allow an unauthenticated attacker to extract arbitrary files from the WinCC server by sending specially crafted packets to the server. However, in order to exploit this flaw, the attacker must have network access to the affected system, Siemens said.

While Siemens prepares additional software updates, the company’s ProductCERT team suggests that customers mitigate the risk of their systems by implementing the following steps:

• Always run WinCC server and engineering stations within a trusted network

• Ensure that the WinCC server and the engineering stations communicate via encrypted channels only (e.g. activate feature “Encrypted Communications” in WinCC V7.3 (PCS 7 V8.1), or establish a VPN tunnel)

• Restrict access to the WinCC server to trusted entities

• Apply up-to-date application whitelisting software and virus scanners

Late last month, ICS-CERT warned of an ongoing attack campaign targeting industrial control systems, including WinCC products, that has been ongoing since at least 2011. The campaign is using a variant ofthe BlackEnergy malware. BlackEnergy has been linked to a number of attacks, including the recently disclosed activities of the Sandworm Team.

“ICS-CERT has determined that users of HMI products from various vendors have been targeted in this campaign, including GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC,” according to the advisory. “It is currently unknown whether other vendor’s products have also been targeted.”