OTPulse

Siemens SIMATIC PCS 7, SIMATIC WinCC, SIMATIC WinCC Runtime Professional, and SIMATIC NET PC Software (Update G)

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-18-088-03 | Mar 27, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial-of-service vulnerability exists in SIMATIC PCS 7, SIMATIC WinCC, SIMATIC WinCC Runtime Professional, SIMATIC NET PC Software, SIMATIC Route Control, and SIMATIC BATCH. The vulnerability allows an attacker to send crafted network packets that cause affected stations to stop responding. This impacts the availability and monitoring of industrial processes. Siemens has released updates for several affected products, with fixes available for SIMATIC PCS 7 v8.2 SP1, v9.0 SP1; WinCC Runtime Professional v13 SP2 Upd2, v14 SP1 Upd5; WinCC v7.2 Upd15, v7.3 Upd16, v7.4 SP1 Upd4; SIMATIC NET PC Software v14 SP1 Update 14, v15 SP1; OpenPCS 7 v8.1 Upd5, v9.0 Upd1; and SIMATIC BATCH v8.0 SP1 Upd21, v8.1 SP1 Upd16, v8.2 Upd10. Many older product versions (PCS 7 v7.1–v8.1, WinCC v7.2–v7.3, Route Control all versions, BATCH v9.0 SP1, and others) are end-of-life or have no planned fixes. For these versions, Siemens recommends enabling encrypted communication (available in WinCC v7.3+ and PCS 7 v8.1+), implementing cell protection, using VPN, and applying defense-in-depth network segmentation strategies.

What this means
What could happen
An attacker could send crafted network packets to a SIMATIC station to cause it to stop responding, disrupting your process monitoring and automation control. This affects the availability of your SCADA/HMI system during operations.
Who's at risk
Water and electric utilities running Siemens SIMATIC control systems are affected. This includes anyone using SIMATIC PCS 7 (process control), SIMATIC WinCC (human-machine interfaces/SCADA), SIMATIC Route Control (batch/recipe systems), SIMATIC BATCH (batch process automation), OpenPCS 7 (open-source variant), or SIMATIC NET PC Software (network configuration) at versions noted in the advisory. The vulnerability affects both the central engineering/HMI servers and distributed plant stations.
How it could be exploited
An attacker with network access to SIMATIC WinCC, PCS 7, or NET PC stations can send malicious packets that trigger a denial-of-service condition. No credentials or special interaction is required; the attack can be conducted remotely if the station is reachable from the network.
Prerequisites
  • Network access to SIMATIC stations on port(s) used by SIMATIC communication (typically S7 protocol ports 102, 443, or proprietary WinCC ports)
  • No authentication credentials required
  • Target must be running one of the affected SIMATIC product versions
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High availability impact on control systems
  • Many affected product versions lack fixes
  • Affects operational control systems (PCS 7, WinCC)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (27)
7 with fix, 20 pending
Product | Affected Versions | Fix Status
OpenPCS 7 V7.1 and earlier | All versions | No fix yet
OpenPCS 7 V8.0 | All versions | No fix yet
OpenPCS 7 V8.1 | <V8.1 Upd5 | No fix yet
SIMATIC NET PC Software V15 | <15 SP1 | 15 SP1
SIMATIC PCS 7 V7.1 and earlier | All versions | No fix yet
Remediation & Mitigation
Do now
SIMATIC PCS 7 V8.1
WORKAROUND: Enable encrypted communication in SIMATIC WinCC v7.3 or newer and SIMATIC PCS 7 v8.1 or newer to completely mitigate the vulnerability
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC PCS 7 V8.2
HOTFIX: Update SIMATIC PCS 7 v8.2 to v8.2 SP1 (contact Siemens support for delivery)
SIMATIC PCS 7 V9.0
HOTFIX: Update SIMATIC PCS 7 v9.0 to v9.0 SP1 (contact Siemens support for delivery)
SIMATIC WinCC Runtime Professional V13
HOTFIX: Update SIMATIC WinCC Runtime Professional v13 to v13 SP2 Upd2
SIMATIC WinCC Runtime Professional V14
HOTFIX: Update SIMATIC WinCC Runtime Professional v14 to v14 SP1 Upd5
SIMATIC WinCC V7.2 and earlier
HOTFIX: Update SIMATIC WinCC v7.2 and earlier to WinCC 7.2 Upd15
SIMATIC WinCC V7.3
HOTFIX: Update SIMATIC WinCC v7.3 to WinCC 7.3 Upd16
SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC v7.4 to v7.4 SP1 Upd4
SIMATIC NET PC Software V14
HOTFIX: Update SIMATIC NET PC Software v14 to v14 SP1 Update 14
SIMATIC NET PC Software V15
HOTFIX: Update SIMATIC NET PC Software v15 to v15 SP1
OpenPCS 7 V8.1
HOTFIX: Update OpenPCS 7 v8.1 to v8.1 Upd5
OpenPCS 7 V9.0
HOTFIX: Update OpenPCS 7 v9.0 to v9.0 Upd1
SIMATIC BATCH V8.0
HOTFIX: Update SIMATIC BATCH v8.0 to v8.0 SP1 Upd21
SIMATIC BATCH V8.1
HOTFIX: Update SIMATIC BATCH v8.1 to v8.1 SP1 Upd16
SIMATIC BATCH V8.2
HOTFIX: Update SIMATIC BATCH v8.2 to v8.2 Upd10
Long-term hardening
HARDENING: Implement cell protection concept to isolate critical SIMATIC stations
HARDENING: Deploy VPN to protect network communication between engineering workstations and plant cells
HARDENING: Implement network segmentation and defense-in-depth strategies; restrict network access to SIMATIC stations from untrusted networks
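
One way to verify that the cell protection and segmentation items above actually hold is to audit flow records at the cell boundary. The following is an added example, not part of the advisory or any Siemens tooling; the subnets, the flow-record format and the sample records are constructed assumptions, and the watched ports are the typical ones listed under Prerequisites.

```python
import ipaddress

# Assumed site layout (constructed): one protected cell and the only
# networks allowed to reach it. Replace with your own addressing plan.
CELL = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),   # traffic inside the cell
    ipaddress.ip_network("10.10.5.0/28"),   # engineering workstations via VPN
]
# Ports the advisory names as typical; proprietary WinCC ports are site-specific.
WATCHED_PORTS = {102, 443}

# Constructed sample flow records: "src_ip,dst_ip,dst_port,proto"
SAMPLE_FLOWS = """\
10.20.0.15,10.20.0.10,102,tcp
10.10.5.3,10.20.0.10,102,tcp
192.168.50.7,10.20.0.10,102,tcp
172.16.9.44,10.20.0.11,443,tcp
10.10.5.3,10.20.0.10,3389,tcp
192.168.50.7,10.30.0.5,102,tcp
not,a,valid,line
"""

def find_violations(flow_text):
    """Return (src, dst, port) for flows that reach a station in the cell
    on a watched port from a source outside ALLOWED_SOURCES."""
    violations = []
    for line in flow_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except ValueError:
            continue  # skip malformed records rather than abort the audit
        if parts[3].lower() != "tcp" or port not in WATCHED_PORTS:
            continue
        if dst not in CELL:
            continue  # destination is not a protected station
        if not any(src in net for net in ALLOWED_SOURCES):
            violations.append((str(src), str(dst), port))
    return violations

if __name__ == "__main__":
    for src, dst, port in find_violations(SAMPLE_FLOWS):
        print(f"cell boundary violation: {src} -> {dst}:{port}")
```

Any hit means a station running an unfixed version is reachable from a network the segmentation design was supposed to exclude.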
Siemens SIMATIC PCS 7, SIMATIC WinCC, SIMATIC WinCC Runtime Professional, and SIMATIC NET PC Software (Update G) | CVSS 7.5 - OTPulse