Siemens Industrial Products with OPC UA (Update H)

Plan PatchCVSS 7.5ICS-CERT ICSA-19-099-03Apr 9, 2019

SiemensManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Denial-of-service vulnerability in OPC UA implementations across multiple Siemens industrial products. A remote attacker can send a specially crafted OPC UA request to crash the OPC UA service on affected devices. The vulnerability affects controllers (S7-1500, ET 200SP), HMI panels (Comfort, KTP Mobile), CNC systems (SINUMERIK), supervisory software (WinCC OA, WinCC Runtime Advanced), networking products (SINEMA Server, SINEC NMS), and I/O devices (RF188C, RF600R). SIMATIC CP 443-1 OPC UA, SIMATIC NET PC Software V13 and V15 have no vendor fix available. Successful exploitation disrupts communications between control system components.

What this means

What could happen

An attacker with network access to an affected OPC UA service could cause a denial-of-service condition, disrupting communications between controllers, HMI panels, and engineering workstations and potentially halting supervisory monitoring or automated process control.

Who's at risk

Manufacturing facilities using Siemens industrial automation products should care, specifically those deploying SIMATIC S7-1500 CPUs, ET 200SP controllers, HMI panels (Comfort, KTP Mobile), SINUMERIK CNC systems with OPC UA, WinCC supervisory software, and distributed I/O devices (RF188C, RF600R). Any facility relying on OPC UA for inter-device communication or remote engineering access is affected.

How it could be exploited

An attacker sends a specially crafted OPC UA request over the network to an affected service or device. If the device is exposed to a network the attacker can reach (directly or through compromised intermediate systems), the malicious request crashes the OPC UA service, making it unavailable for legitimate operations.

Prerequisites

Network access to OPC UA service port (typically 4840 or custom port)
OPC UA service enabled on the device
No authentication required to trigger the denial-of-service condition

remotely exploitableno authentication requiredlow complexityaffects availability of supervisory and control communicationssome affected products have no patch available

Exploitability

Some exploitation risk — EPSS score 1.1%

Affected products (19)

16 with fix3 pending

ProductAffected VersionsFix Status

SIMATIC CP 443-1 OPC UAAll versionsNo fix yet

SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants)< V2.72.7

SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants)< V15.1 Upd 415.1 Upd4

SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants)< V15.1 Upd 415.1 Upd4

SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F< V15.1 Upd 415.1 Upd4

Remediation & Mitigation

0/20

Do now

0/1

WORKAROUNDDisable OPC UA service on devices where it is not required for operations

Schedule — requires maintenance window

0/15

Patching may require device reboot — plan for process interruption

Long-term hardening

0/4

HARDENINGImplement cell protection concept to isolate control system networks and limit inter-cell communication

HARDENINGUse VPN to protect network communication between cells and between remote access points

HARDENINGApply Defense-in-Depth strategy: use firewalls to restrict OPC UA port access, network segmentation, and access controls on engineering workstations

HARDENINGIsolate all control system networks from the business network and the Internet

CVEs (1)

CVE-2019-6575

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/eb390484-f84a-4244-9c50-128084ed278c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.