Siemens PROFINET DCP (Update V)
ICS-CERT ICSA-17-129-02 · May 8, 2017 · Score: 6.5
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens PROFINET devices are vulnerable to denial of service attacks via specially crafted PROFINET DCP (Discovery and Configuration Protocol) Layer 2 packets. An attacker with access to the local Ethernet segment can send malformed DCP packets to cause affected devices to become unresponsive or crash. The vulnerability affects a wide range of Siemens industrial devices including PLCs (S7-1200, S7-1500, S7-300, S7-400), I/O modules (ET 200 series), network devices (SCALANCE switches), communication processors (CP modules), variable frequency drives (SINAMICS), and automation controllers. PROFIBUS interfaces are not affected.
What this means
What could happen
A denial of service attack on PROFINET devices could cause industrial controllers, I/O modules, or network devices to stop responding, interrupting automation processes and potentially halting production. Affected devices may require manual restart to recover.
Who's at risk
Manufacturing and transportation sectors using Siemens PROFINET devices should assess exposure. Primary concerns are: (1) PLCs and automation controllers (S7-1200, S7-1500, S7-300, S7-400 families) that control production processes; (2) I/O modules and interface devices (ET 200 series, CP communication processors) that manage sensor/actuator data; (3) Industrial switches (SCALANCE X/W/XM/XR families, M-800) that connect PROFINET networks; (4) Variable frequency drives (SINAMICS G/S/DCM/DCP series) that control motors; (5) HMI panels and automation software that manage process control; (6) Specialized equipment like CNC controllers (SINUMERIK 828D, 840D sl) and motor starters (SIRIUS). Any facility with PROFINET-based automation is potentially at risk if devices have not been patched.
How it could be exploited
An attacker on the same local Ethernet segment (Layer 2 network) sends crafted PROFINET DCP packets to a vulnerable device. The device fails to properly validate or process the packets, causing a denial of service condition where the device becomes unresponsive or reboots.
Prerequisites
- Direct Layer 2 network access to the local Ethernet segment where the device is connected
- No authentication required
- No authentication required
- Low complexity attack
- Requires Layer 2 network access (less common than remote access but easier in industrial environments)
- Large number of affected products
- Many products with no fix available
- Affects critical automation infrastructure
Exploitability
Moderate exploit probability (EPSS 2.3%)
Affected products (124)
90 with fix, 34 pending
Product | Affected Versions | Fix Status
SIMATIC ET200ecoPN, 8DO, DC24V/1,3A, 8xM12 | All versions | No fix yet
SIMATIC ET200ecoPN: IO-Link Master | All versions | No fix yet
SIMATIC ET200S (incl. SIPLUS variants) | All versions | No fix yet
Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller | <V4.1.1 Patch04 | 4.1.1 Patch04 or newer
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 | <V4.2.1 Patch03 | 4.2.1 Patch03 or newer
Remediation & Mitigation
Do now
WORKAROUND: For products with no fix available (ET 200ecoPN series, ET 200pro, ET 200SP IM155-6 PN BA, and others), implement compensating controls: isolate affected devices on protected PROFINET segments, monitor network traffic for anomalous DCP packets, and restrict physical port access.
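As an added illustration of the "monitor network traffic for anomalous DCP packets" control above (example code written for this page, not Siemens' or ICS-CERT's), the following is a minimal structural sanity check for PROFINET DCP frames run over constructed sample frames. The frame layout (EtherType 0x8892, FrameID, then ServiceID, ServiceType, Xid, ResponseDelay, DCPDataLength and TLV blocks) follows the PROFINET DCP specification; the MAC addresses and sample frames are constructed, and the checks are generic length-consistency rules rather than a signature for the specific malformation behind this advisory.

```python
from __future__ import annotations
import struct

# PROFINET uses EtherType 0x8892; DCP frames carry FrameID 0xFEFC (Hello), 0xFEFD (Get/Set),
# 0xFEFE (Identify request) or 0xFEFF (Identify response), followed by a 10-byte DCP header:
# ServiceID(1) ServiceType(1) Xid(4) ResponseDelay(2) DCPDataLength(2), then TLV blocks.
PN_ETHERTYPE = 0x8892
DCP_FRAME_IDS = {0xFEFC, 0xFEFD, 0xFEFE, 0xFEFF}
DCP_SERVICE_IDS = {3: "Get", 4: "Set", 5: "Identify", 6: "Hello"}
DCP_PAYLOAD_OFFSET = 14 + 2 + 10  # Ethernet header + FrameID + DCP header

def check_dcp_frame(frame: bytes) -> list[str]:
    """Return anomaly descriptions for one raw Ethernet frame; empty list means consistent."""
    findings: list[str] = []
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != PN_ETHERTYPE:
        return findings  # not PROFINET, nothing to check
    if len(frame) < DCP_PAYLOAD_OFFSET:
        return ["PROFINET frame too short for a DCP header"]
    if struct.unpack("!H", frame[14:16])[0] not in DCP_FRAME_IDS:
        return findings  # other PROFINET traffic (cyclic RT, alarms, ...)
    service_id, _stype, _xid, _delay, data_len = struct.unpack("!BBIHH", frame[16:DCP_PAYLOAD_OFFSET])
    if service_id not in DCP_SERVICE_IDS:
        findings.append(f"unknown DCP ServiceID {service_id}")
    payload = frame[DCP_PAYLOAD_OFFSET:]
    if data_len > len(payload):
        findings.append(f"DCPDataLength {data_len} exceeds {len(payload)} payload bytes present")
        return findings
    pos = 0  # walk the blocks: Option(1) Suboption(1) DCPBlockLength(2) data, padded to even
    while pos < data_len:
        if data_len - pos < 4:
            findings.append(f"truncated block header at payload offset {pos}")
            break
        opt, subopt, blen = struct.unpack("!BBH", payload[pos:pos + 4])
        if pos + 4 + blen > data_len:
            findings.append(f"block {opt:#04x}/{subopt:#04x} length {blen} overruns DCPDataLength")
            break
        pos += 4 + blen + (blen & 1)
    return findings

def build_frame(frame_id: int, service_id: int, data_len: int, blocks: bytes) -> bytes:
    """Constructed sample frame: placeholder MACs, fixed Xid and ResponseDelay, request type."""
    eth = bytes.fromhex("010ecf000000") + bytes.fromhex("020000000001") + struct.pack("!H", PN_ETHERTYPE)
    return eth + struct.pack("!HBBIHH", frame_id, service_id, 0, 0x1234, 0x0080, data_len) + blocks

# Constructed samples: a well-formed "Identify All" request (Option/Suboption 0xFF/0xFF, no data)
# and two length-inconsistent variants that a DCP monitor should flag.
IDENTIFY_ALL = build_frame(0xFEFE, 5, 4, bytes([0xFF, 0xFF, 0x00, 0x00]))
BAD_DATA_LEN = build_frame(0xFEFE, 5, 0x0100, bytes([0xFF, 0xFF, 0x00, 0x00]))
BAD_BLOCK_LEN = build_frame(0xFEFE, 5, 4, bytes([0xFF, 0xFF, 0x00, 0x10]))
```

Fed from a span port or mirror of the PROFINET segment, any non-empty result is worth an alert, since well-formed DCP traffic from engineering stations and controllers passes these checks.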
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update affected PROFINET devices to patched firmware versions as listed in the vendor advisory. Prioritize PLCs, switches, and communication processors first.
Long-term hardening
HARDENING: Implement network segmentation to restrict Layer 2 access: place PROFINET devices on isolated network segments, restrict physical Ethernet port access, and prevent direct connections from untrusted networks or wireless access.
HARDENING: Plan lifecycle replacement of end-of-life products (Teleservice Adapters IE series) with current SCALANCE M-800 family equipment as part of long-term IT refresh.
HARDENING: Document which PROFINET devices in your facility have firmware updates available versus which do not, and maintain an inventory of firmware versions currently deployed.
CVEs (2)