Siemens SIMATIC Products (Update C)
Low Risk | 3.7 | ICS-CERT ICSA-19-344-04 | Dec 10, 2019
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A message integrity protection bypass in SIMATIC products allows an attacker in a Man-in-the-Middle position to modify network traffic on port 102/tcp exchanged with PLCs of the SIMATIC S7-1200, SIMATIC S7-1500, and SIMATIC SoftwareController CPU families. Affected products include SIMATIC CP 1626, HMI Panel variants, SIMATIC NET PC Software, SIMATIC STEP 7 (TIA Portal), SIMATIC WinCC variants, SIMATIC WinCC OA, SIMATIC WinCC Runtime Advanced/Professional, and TIM 1531 IRC.
What this means
What could happen
An attacker positioned on the network path between an engineering workstation and a PLC could intercept and modify S7 protocol messages, potentially altering process parameters, setpoints, or control logic without detection. This could cause unintended equipment operation, process shutdowns, or unsafe conditions.
Who's at risk
Manufacturing and transportation organizations using Siemens SIMATIC automation systems should prioritize this vulnerability. Specifically: engineering/control system teams managing SIMATIC S7-1200 and S7-1500 PLCs, WinCC SCADA/HMI systems, TIA Portal engineering environments, and TIM industrial routers. Organizations with networked PLCs and remote engineering workstations face higher risk due to the Man-in-the-Middle attack vector.
How it could be exploited
The attacker must be located on the network path (Man-in-the-Middle position) between an engineering workstation and a PLC, listening on port 102/tcp. The attacker intercepts S7 protocol messages and modifies them before forwarding to the PLC. No credentials or special interaction is required—the traffic is vulnerable to modification in transit.
Prerequisites
- Network path visibility between engineering workstation and PLC (Man-in-the-Middle position)
- Access to port 102/tcp on the network
- No authentication or credentials required for interception or modification
- remotely exploitable
- no authentication required
- low complexity
- affects industrial automation and control systems
- no patch available for several product variants
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (10)
7 with fix, 3 EOL
Product | Affected Versions | Fix Status
SIMATIC NET PC Software V14 | <V14 SP1 Update 14 | 14 SP1 Update 14
SIMATIC CP 1626 | All versions | No fix (EOL)
SIMATIC HMI Panel (incl. SIPLUS variants) | All versions | No fix (EOL)
SIMATIC STEP 7 (TIA Portal) | <V16 | 16
SIMATIC WinCC (TIA Portal) | <V16 | 16
SIMATIC WinCC OA | <V3.16 P013 | 3.16 P013
SIMATIC WinCC Runtime Advanced | <V16 | 16
SIMATIC WinCC Runtime Professional | <V16 | 16
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation and access controls to restrict traffic to port 102/tcp to authorized engineering workstations only
HARDENING: Implement physical access controls to areas containing control system devices to reduce Man-in-the-Middle attack surface
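One way to check that the port 102/tcp restriction above actually holds, shown as an added example that is not part of the advisory or any Siemens tooling. It audits exported flow records for connections reaching PLC networks on 102/tcp from sources outside an allowlist; the addresses, the CSV layout and the function name are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

S7_PORT = 102  # port named in the advisory

# Assumed site inventory and flow export (timestamp,src,dst,dport,proto);
# every address and record below is constructed for this example.
AUTHORIZED_WORKSTATIONS = ["10.10.5.20/32", "10.10.5.21/32"]
PLC_NETWORKS = ["10.20.0.0/24"]
SAMPLE_FLOWS = """\
2019-12-10T08:00:01Z,10.10.5.20,10.20.0.11,102,tcp
2019-12-10T08:00:07Z,10.30.9.44,10.20.0.11,102,tcp
2019-12-10T08:01:12Z,10.30.9.44,10.20.0.11,102,tcp
2019-12-10T08:02:30Z,10.10.5.21,10.20.0.12,102,tcp
2019-12-10T08:03:02Z,10.30.9.44,10.20.0.12,443,tcp
2019-12-10T08:04:45Z,10.20.0.12,10.20.0.11,102,tcp
2019-12-10T08:05:00Z,not-an-ip,10.20.0.11,102,tcp
"""

def _in_any(addr, networks):
    return any(addr in net for net in networks)

def audit_s7_flows(flow_csv, authorized=AUTHORIZED_WORKSTATIONS, plcs=PLC_NETWORKS):
    """Return (Counter of (src, dst) allowlist violations on 102/tcp, malformed row count)."""
    allow = [ipaddress.ip_network(n) for n in authorized]
    plc_nets = [ipaddress.ip_network(n) for n in plcs]
    violations, malformed = Counter(), 0
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            _ts, src, dst, dport, proto = row
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            malformed += 1  # count bad rows instead of silently skipping them
            continue
        if proto.lower() != "tcp" or port != S7_PORT:
            continue
        # Any non-allowlisted source counts, including another PLC; add
        # intended PLC-to-PLC peers to the allowlist if the site uses them.
        if _in_any(dst_ip, plc_nets) and not _in_any(src_ip, allow):
            violations[(src, dst)] += 1
    return violations, malformed

if __name__ == "__main__":
    found, bad = audit_s7_flows(SAMPLE_FLOWS)
    for (src, dst), n in sorted(found.items()):
        print(f"unauthorized 102/tcp: {src} -> {dst} ({n} flows), malformed rows: {bad}")
```

A non-empty result means the segmentation rule is not being enforced on that path; it does not by itself indicate that traffic was modified.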
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC WinCC Runtime Advanced
HOTFIX: Update SIMATIC WinCC Runtime Advanced to version 16 or later
SIMATIC WinCC Runtime Professional
HOTFIX: Update SIMATIC WinCC Runtime Professional to version 16 or later
SIMATIC NET PC Software V14
HOTFIX: Update SIMATIC NET PC Software V14 to 14 SP1 Update 14 or later
SIMATIC STEP 7 (TIA Portal)
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) to version 16 or later
HOTFIX: Update SIMATIC WinCC (TIA Portal) to version 16 or later
SIMATIC WinCC OA
HOTFIX: Update SIMATIC WinCC OA to version 3.16 patch 13 or later
TIM 1531 IRC (incl. SIPLUS NET variants)
HOTFIX: Update TIM 1531 IRC (incl. SIPLUS NET variants) to version 2.1 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC CP 1626, SIMATIC HMI Panel (incl. SIPLUS variants), SIMATIC NET PC Software V15. Apply the following compensating controls:
HARDENING: Apply defense-in-depth security measures per Siemens Operational Guidelines for Industrial Security
CVEs (1)