OTPulse

Siemens SIMATIC, SINUMERIK, and PROFINET IO (Update D)

Monitor (6.5) · ICS-CERT ICSA-18-079-02 · Mar 20, 2018
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Several Siemens industrial controllers are affected by improper input validation (CWE-20) in PROFINET DCP packet handling. An attacker with direct Layer 2 network access to the control network can send crafted PROFINET DCP packets to cause denial of service (PLC crash or reboot). PROFIBUS-only systems are not affected. Siemens has released firmware updates for most S7-1500, S7-400, S7-300, ET 200, CP 443-1, WinAC RTX, and SINUMERIK 828D products. For products without updates (CP 343-1, Softnet PROFINET IO), Siemens recommends network isolation using cell protection, VPNs, and defense-in-depth strategies.

What this means
What could happen
An attacker with direct Layer 2 network access could send crafted PROFINET DCP packets to cause a denial of service (crash or reboot) of affected Siemens PLCs and industrial controllers, interrupting manufacturing or process operations.
Who's at risk
Manufacturing plants using Siemens SIMATIC S7 series PLCs (S7-300, S7-400, S7-1500), S7-410, ET 200 distributed I/O modules, CP communication processors, SINUMERIK CNC controllers, and WinAC software controllers. This affects any facility with PROFINET-enabled control systems. Water authorities and electric utilities using these devices for process automation are in scope.
How it could be exploited
An attacker connected directly to the same network segment as the PLC (Layer 2 adjacent) sends malformed PROFINET DCP discovery packets. The PLC's network interface processes these packets without proper validation (CWE-20 improper input validation), causing the device to crash or reboot. PROFIBUS-only environments are not vulnerable.
Prerequisites
  • Direct Layer 2 network access to the same network segment as the affected PLC (not routable via IP)
  • PROFINET capability enabled on the device

  • Requires direct Layer 2 network access (not easily reached remotely from the Internet)
  • Low complexity attack once network access is gained
  • No authentication required to trigger the denial of service
  • Affects availability and process continuity, not data confidentiality
  • No patch available for CP 343-1 and Softnet PROFINET IO products
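The Layer 2 scope described above is also what a defender can monitor for: PROFINET DCP frames never cross a router, so a DCP request arriving from a station that is not a known engineering or management host means that host is sitting on the controllers' own segment. The following passive classifier is an added editorial example (not code from OTPulse, ICS-CERT or Siemens). It parses raw Ethernet frames as a SPAN port or pcap reader would deliver them, recognises PROFINET DCP by EtherType 0x8892 and the DCP FrameID range 0xFEFC to 0xFEFF, reads the DCP ServiceID/ServiceType header, and reports DCP requests (Identify, Get, Set, Hello) whose sender is not allow-listed. Responses from the controllers themselves are never flagged. The MAC addresses, the allow-list and all sample frames are constructed for the example.

```python
"""Passive PROFINET DCP request monitor (editorial example, not vendor code)."""
import struct
from typing import Optional

PROFINET_ETHERTYPE = 0x8892   # EtherType registered for PROFINET
VLAN_ETHERTYPE = 0x8100       # 802.1Q tag; PROFINET frames may carry one
DCP_MULTICAST = bytes.fromhex("010ecf000000")  # destination of DCP Identify requests

# PROFINET real-time FrameIDs that carry DCP (Discovery and Configuration Protocol)
DCP_FRAME_IDS = {0xFEFC: "Hello", 0xFEFD: "Get/Set",
                 0xFEFE: "Identify request", 0xFEFF: "Identify response"}
# DCP header after the FrameID: ServiceID(1) ServiceType(1) Xid(4) ResponseDelay(2) DataLength(2)
DCP_SERVICE_IDS = {3: "Get", 4: "Set", 5: "Identify", 6: "Hello"}
DCP_REQUEST = 0x00            # ServiceType of a request; responses use 0x01 / 0x05


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def parse_frame(frame: bytes) -> Optional[dict]:
    """Split an Ethernet frame into MACs, EtherType (after one optional 802.1Q tag),
    the PROFINET FrameID and, for DCP frames, the DCP service header.
    Returns None for frames too short to hold an Ethernet header."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == VLAN_ETHERTYPE:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    info = {"dst": dst, "src": src, "ethertype": ethertype,
            "vlan": vlan_id, "frame_id": None, "dcp": None}
    if ethertype != PROFINET_ETHERTYPE or len(frame) < offset + 2:
        return info
    (frame_id,) = struct.unpack("!H", frame[offset:offset + 2])
    info["frame_id"] = frame_id
    if frame_id in DCP_FRAME_IDS and len(frame) >= offset + 12:
        service_id, service_type, xid = struct.unpack("!BBI", frame[offset + 2:offset + 8])
        info["dcp"] = {"service_id": service_id, "service_type": service_type, "xid": xid}
    return info


def check_dcp(frame: bytes, allowed_senders: set) -> Optional[str]:
    """Return an alert line for a DCP *request* whose sender is not allow-listed."""
    info = parse_frame(frame)
    if info is None or info["dcp"] is None or info["dcp"]["service_type"] != DCP_REQUEST:
        return None
    src = mac_str(info["src"])
    if src in allowed_senders:
        return None
    service = DCP_SERVICE_IDS.get(info["dcp"]["service_id"], "unknown")
    vlan = f" vlan={info['vlan']}" if info["vlan"] is not None else ""
    return f"DCP {service} request from unexpected source {src}{vlan}"


def scan(frames, allowed_senders: set) -> list:
    """Run check_dcp over a sequence of frames and collect the alerts in order."""
    return [a for a in (check_dcp(f, allowed_senders) for f in frames) if a]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None) -> bytes:
    """Assemble a minimal (optionally 802.1Q-tagged) Ethernet frame for the samples below."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", VLAN_ETHERTYPE, vlan_id)
    return header + struct.pack("!H", ethertype) + payload


def build_dcp(frame_id: int, service_id: int, service_type: int, xid: int = 1) -> bytes:
    """FrameID plus a DCP header with empty data block (constructed sample payload)."""
    return struct.pack("!HBBIHH", frame_id, service_id, service_type, xid, 0, 0)


# Constructed sample traffic; all MACs are made-up locally administered addresses.
ENGINEERING_STATION = bytes.fromhex("020000000001")
PLC = bytes.fromhex("020000000010")
UNKNOWN_HOST = bytes.fromhex("020000000099")
ALLOWED = {mac_str(ENGINEERING_STATION)}

SAMPLE_FRAMES = [
    # Routine: engineering station identifies the cell, the PLC answers.
    build_frame(DCP_MULTICAST, ENGINEERING_STATION, PROFINET_ETHERTYPE, build_dcp(0xFEFE, 5, 0)),
    build_frame(ENGINEERING_STATION, PLC, PROFINET_ETHERTYPE, build_dcp(0xFEFF, 5, 1)),
    # Cyclic PROFINET IO data (FrameID 0x8000) is not DCP and is ignored.
    build_frame(PLC, ENGINEERING_STATION, PROFINET_ETHERTYPE, struct.pack("!H", 0x8000) + b"\x00" * 40),
    # A VLAN-tagged DCP Set request aimed at the PLC from a host that is not allow-listed.
    build_frame(PLC, UNKNOWN_HOST, PROFINET_ETHERTYPE, build_dcp(0xFEFD, 4, 0), vlan_id=10),
    # The PLC's Set response is a response, so it is not flagged.
    build_frame(UNKNOWN_HOST, PLC, PROFINET_ETHERTYPE, build_dcp(0xFEFD, 4, 1)),
    # Ordinary IPv4 traffic and truncated garbage are ignored, not misclassified.
    build_frame(PLC, UNKNOWN_HOST, 0x0800, b"\x45" + b"\x00" * 19),
    b"\x00" * 5,
    # An Identify request from the same unknown host.
    build_frame(DCP_MULTICAST, UNKNOWN_HOST, PROFINET_ETHERTYPE, build_dcp(0xFEFE, 5, 0)),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES, ALLOWED):
        print(alert)
```

In a real deployment the allow-list would be populated from the asset inventory of engineering and management stations, and the frames would come from a mirror port on the cell switch; the point of keying on ServiceType is that IO devices answer DCP with responses, so only requests from unexpected stations are worth an alert.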
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (44)
41 with fix, 3 pending

Product                                              | Affected Versions | Fix Status
SIMATIC CP 343-1 Advanced (incl. SIPLUS variants)    | All versions      | No fix yet
SIMATIC CP 443-1                                     | < V3.3            | 3.3
SIMATIC CP 443-1 Advanced                            | < V3.3            | 3.3
SIMATIC ET 200pro IM154-8 PN/DP CPU                  | < V3.2.16         | 3.2.16
SIMATIC ET 200pro IM154-8F PN/DP CPU                 | < V3.2.16         | 3.2.16
Remediation & Mitigation
Do now
WORKAROUND: Use VPN for remote access between control system cells and business network segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC CP 443-1
HOTFIX: Update SIMATIC CP 443-1 and CP 443-1 Advanced to firmware version 3.3 or newer
SINUMERIK 828D
HOTFIX: Update SINUMERIK 828D to firmware version 4.7 SP6 HF1 or newer
SIMATIC WinAC RTX 2010
HOTFIX: Update SIMATIC WinAC RTX 2010 and WinAC RTX F 2010 to SP3 or newer and apply the latest BIOS and Windows OS updates
All products
HOTFIX: Update SIMATIC S7-1500 CPU and Software Controller to firmware version 1.8.5 or newer
HOTFIX: Update SIMATIC S7-400 PN/DP V6 family to firmware version 6.0.7 or newer
HOTFIX: Update SIMATIC S7-400 H V6 family to firmware version 6.0.9 or newer
HOTFIX: Update SIMATIC S7-400 V7 CPU family (414-3, 414F-3, 416-3, 416F-3, 412-2) to firmware version 7.0.3 or newer
HOTFIX: Update SIMATIC S7-410 family to firmware version 8.1 or newer
HOTFIX: Update SIMATIC S7-300 CPU family to firmware version 3.X.16 or newer (specific version by model)
HOTFIX: Update SIMATIC ET 200pro and ET 200S IM CPU modules to firmware version 3.2.16 or newer
Long-term hardening
HARDENING: Restrict Layer 2 network access to affected PLCs using network segmentation (separate VLANs, physical isolation of the control network)
HARDENING: Implement the cell protection concept: isolate the control system network from the corporate network using firewalls
HARDENING: Apply the defense-in-depth principle: layer multiple security controls (network segmentation, access lists, monitoring)