OTPulse

Siemens Industrial Real-Time (IRT) Devices

Plan Patch · 7.5 · ICS-CERT ICSA-19-283-01 · Oct 8, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A flaw in PROFINET IRT (Industrial Real-Time) protocol handling in Siemens automation devices allows an attacker on the network to send traffic that causes the devices to drop real-time synchronization frames. This results in loss of time coordination across the automation system. The vulnerability resides in how affected devices process certain network traffic on port 161 (SNMP). Devices vulnerable include SIMATIC PLCs (S7-300, S7-400), ET 200 distributed I/O modules, SINAMICS motor drives, SINUMERIK machine controllers, SCALANCE switches, and PROFINET communication modules. Siemens has released firmware patches for many products but states that some older or end-of-life products will not receive fixes.

What this means
What could happen
An attacker on your network can flood PROFINET real-time devices with traffic to disrupt time synchronization, causing loss of coordinated operation in automation systems that depend on precise timing. This could halt production or cause unsafe equipment behavior if process synchronization is lost.
Who's at risk
Manufacturing and transportation facilities using Siemens PROFINET IRT (Industrial Real-Time) automation devices should be concerned. This includes SIMATIC S7-300 and S7-400 programmable logic controllers (PLCs), SIMATIC ET 200 I/O modules, SINAMICS motor control units, SINUMERIK machine control systems, SCALANCE X-200IRT managed switches, and PROFINET couplers. Any plant running time-dependent production processes—such as synchronized conveyor systems, coordinated motion control, or real-time sensor data acquisition—is at risk if these devices are in use.
How it could be exploited
An attacker sends malformed packets to port 161 (SNMP) on affected devices reachable from the network. The devices fail to properly handle the traffic, dropping real-time synchronization frames and losing IRT (Industrial Real-Time) timing, which stops time-dependent automation processes.
Prerequisites
  • Network reachability to affected device on port 161/UDP (SNMP)
  • Device must be connected to PROFINET network with IRT enabled
  • No authentication required
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Affects real-time safety and timing synchronization
  • Many products have no patch available
  • Denial-of-service impact on production operations
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (88)
62 with fix · 26 pending
Product | Affected Versions | Fix Status
Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller | <V4.1.1 Patch 05 | 4.1.1 Patch 05
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 | <V4.5.0 Patch 01 | 4.5.0 Patch 01
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P | <V4.5.0 | 4.5.0
SCALANCE X-200IRT family (incl. SIPLUS NET variants) | <V5.2.1 | 5.4.2
SIMATIC CP 1604 (6GK1160-4AA01) | <V2.8 | 2.8
Remediation & Mitigation
Do now
WORKAROUND: Restrict firewall access to port 161/UDP on all affected PROFINET IRT devices to only trusted engineering and management networks
WORKAROUND: Disable SNMP v1 and v2c on affected devices if the protocol is not required for operations; enable SNMP v3 if monitoring is needed
WORKAROUND: Change default SNMP community strings and enable access authentication on all affected devices that support it
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinAC RTX 2010
HOTFIX: Update SIMATIC WinAC RTX 2010 and RTX F 2010 to SP3, and apply BIOS and Windows updates
SINAMICS G130
HOTFIX: Update SINAMICS G130 and G150 Control Units to firmware 4.7 HF29
SINAMICS S150
HOTFIX: Update SINAMICS S150 to firmware 4.7 HF29
SINAMICS DCM
HOTFIX: Update SINAMICS DCM to firmware 1.5 HF1
SINAMICS DCP
HOTFIX: Update SINAMICS DCP to firmware 1.3
SINUMERIK 828D
HOTFIX: Update SINUMERIK 828D to firmware 4.8 SP5
SINUMERIK 840D sl
HOTFIX: Update SINUMERIK 840D sl to firmware 4.8 SP5
All products
HOTFIX: Update SIMATIC S7-300 CPUs to firmware version 3.2.17 or later (e.g., CPU 315-2 PN/DP, CPU 317-2 PN/DP, CPU 319-3 PN/DP)
HOTFIX: Update SIMATIC S7-400 V7 CPUs to firmware version 7.0.3 or later (e.g., CPU 412-2 PN V7, CPU 414-3 PN/DP V7, CPU 416-3 PN/DP V7)
HOTFIX: Update SIMATIC ET 200MP series to firmware version 4.2.0 (IM 155-5 PN HF) or 4.1.0 (IM 155-5 PN ST)
HOTFIX: Update SIMATIC ET 200SP series to firmware version 4.2.0 (IM 155-6 PN HF) or 4.1.0 (IM 155-6 PN ST)
HOTFIX: Update SIMATIC ET 200pro CPUs to firmware version 3.2.17 or later (IM 154-8 PN/DP and variants)
HOTFIX: Update SIMATIC ET 200S CPUs to firmware version 3.2.17 or later (IM 151-8 PN/DP and IM 151-8F PN/DP)
HOTFIX: Update SCALANCE X-200IRT to firmware version 5.4.2
HOTFIX: Update SIMATIC CP 1604 and CP 1616 to firmware version 2.8
HOTFIX: Update SINAMICS S120 Control Unit to firmware 4.7 HF34 or upgrade to 5.2 HF2
HOTFIX: Update SINAMICS G120 Control Unit to firmware 4.7 SP10 HF5
HOTFIX: Update SINAMICS G110M Control Unit to firmware 4.7 SP10 HF5
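Added example (not OTPulse or Siemens code): a firmware triage pass over an asset inventory, using the fixed versions listed above as minimum patched versions. Assumptions: the family labels, device names and installed versions are constructed for illustration, and only families whose fix is a plain dotted version are covered (entries such as "4.7 SP10 HF5" need vendor-specific ordering).

```python
import re

# Minimum fixed firmware per product family, taken from the remediation list
# on this page. Family labels are this example's own naming (assumption).
FIXED = {
    "SIMATIC S7-300 CPU": "3.2.17",
    "SIMATIC S7-400 V7 CPU": "7.0.3",
    "SCALANCE X-200IRT": "5.4.2",
    "SIMATIC CP 1604": "2.8",
    "SIMATIC CP 1616": "2.8",
    "SINAMICS DCP": "1.3",
}

def parse_version(text):
    """Turn 'V3.2.12' or '5.4' into a comparable tuple of ints."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_older(installed, fixed):
    """Numeric compare with zero padding, so 2.8 == 2.8.0 and 3.2.9 < 3.2.17."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(a) < pad(b)

def triage(inventory):
    """Return {device name: status} for each (name, family, firmware) record."""
    result = {}
    for name, family, firmware in inventory:
        fixed = FIXED.get(family)
        if fixed is None:
            # Family not in the table: fall back to the SNMP workarounds.
            result[name] = "no fix in table: apply SNMP workarounds"
        elif is_older(firmware, fixed):
            result[name] = f"update to {fixed}"
        else:
            result[name] = "fixed"
    return result

# Constructed inventory (device names and installed versions are invented).
INVENTORY = [
    ("plc-line1", "SIMATIC S7-300 CPU", "V3.2.9"),
    ("plc-line2", "SIMATIC S7-400 V7 CPU", "V7.0.3"),
    ("sw-cell3", "SCALANCE X-200IRT", "V5.2.1"),
    ("cp-hmi4", "SIMATIC CP 1604", "V2.8.0"),
    ("io-old5", "Legacy IO module", "V1.0"),
]
```

Devices that come back without a fix are the ones to prioritize for the port 161/UDP restrictions under "Do now".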
Long-term hardening
HARDENING: Implement network segmentation to isolate PROFINET IRT devices from untrusted networks and the internet; place automation networks behind firewall boundaries
HARDENING: Review and apply Siemens Industrial Security operational guidelines for network architecture, firewall rules, and defense-in-depth strategies on all automation infrastructure