OTPulse

Siemens SIMATIC PCS 7, SIMATIC WinCC, and SIMATIC NET PC (Update G)

Plan Patch · CVSS 7.5 · ICS-CERT ICSA-20-042-06 · Feb 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A Denial-of-Service vulnerability exists in the SIMATIC Communication Services (SCS) shared component used by SIMATIC PCS 7, SIMATIC WinCC, and SIMATIC NET PC when encrypted communication is enabled. An attacker with network access can send malformed packets to crash the affected software, rendering the engineering workstation or data server unresponsive. This vulnerability affects SIMATIC WinCC v7.3 and later, SIMATIC PCS 7 v8.1 and later, and SIMATIC NET PC v14 and later. Earlier versions without encrypted communication capability are not vulnerable. Siemens has released patches for several product versions but many versions (particularly v8.1 and v8.2 of OpenPCS 7, SIMATIC BATCH, and Route Control) have no fix planned. Installing a fixed version of any affected product on a system also removes the vulnerability for other products using the shared SCS component on that same system.

What this means
What could happen
An attacker with network access can crash SIMATIC PCS 7, WinCC, or NET PC software through a Denial-of-Service attack when encrypted communication is enabled, disrupting control system operations and supervisory monitoring.
Who's at risk
Water utilities, municipal electric systems, and other water/wastewater treatment operators using Siemens SIMATIC PCS 7 (supervisory control software), SIMATIC WinCC (human-machine interface), or SIMATIC NET PC (communication software) for process monitoring and engineering workstations. Any facility using these products with encrypted communication enabled is at risk.
How it could be exploited
An attacker sends specially crafted network packets to a system running affected SIMATIC software with encrypted communication enabled. The malformed packets trigger a crash in the SIMATIC Communication Services (SCS) shared component, causing the engineering workstation or data server to become unresponsive and unable to communicate with PLCs or field devices.
Prerequisites
  • Network access to affected SIMATIC system on port used for encrypted communication (typically port 102 or 443)
  • Encrypted communication must be enabled on the target system
  • SIMATIC PCS 7 v8.1 or later, SIMATIC WinCC v7.3 or later, or SIMATIC NET PC v14 or later must be installed
  • Remotely exploitable over network
  • Affects availability of control system operations
  • No authentication required
  • Low complexity attack
  • Multiple product versions have no fix available
  • Shared component vulnerability (SCS) affects multiple Siemens products simultaneously
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (22)
11 with fix, 11 pending
Product | Affected Versions | Fix Status
OpenPCS 7 V8.1 | All versions | No fix yet
OpenPCS 7 V8.2 | All versions | No fix yet
OpenPCS 7 V9.0 | < V9.0 Upd3 | No fix yet
SIMATIC BATCH V8.1 | All versions | No fix yet
SIMATIC BATCH V8.2 | < V8.2 Upd12 | 8.2 Upd12
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to SIMATIC systems using firewall rules to allow only authorized engineering workstations and HMI servers
WORKAROUND: Disable encrypted communication if not operationally required and no patch is available for your version
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC PCS 7 V8.2
HOTFIX: Update SIMATIC PCS 7 v8.2 to SP1, then update WinCC to v7.4 SP1 Update 14 or later on the same system
SIMATIC PCS 7 V9.0
HOTFIX: Update SIMATIC PCS 7 v9.0 to SP3 (includes OpenPCS 7, SIMATIC Batch, and Route Control fixes)
SIMATIC WinCC (TIA Portal) V13
HOTFIX: Update SIMATIC WinCC (TIA Portal) v13 to SP2 or later
HOTFIX: Update SIMATIC WinCC (TIA Portal) v14 to SP1 Update 10 or later
HOTFIX: Update SIMATIC WinCC (TIA Portal) v15.1 to Update 5 or later
HOTFIX: Update SIMATIC WinCC (TIA Portal) v16 to Update 1 or later
SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC v7.4 to SP1 Update 14 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC v7.5 to SP1 Update 1 or later
SIMATIC NET PC Software V14
HOTFIX: Update SIMATIC NET PC Software v14 to SP1 Update 14 or later
SIMATIC NET PC Software V16
HOTFIX: Update SIMATIC NET PC Software v16 to Update 1 or later
Long-term hardening
HARDENING: Use VPN for all communication between control system cells and zones to protect against network-based DoS attacks
HARDENING: Segment control system network from corporate network using air-gapped or firewall isolation
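
An added example, not OTPulse's or Siemens' code: a host-level triage that applies the fix baselines from the remediation list together with the summary's note that a fixed install of any affected product clears the shared SCS component for the whole system. The inventory format, the host names, and the (SP, Update) ordering of patch levels are assumptions.

```python
import re

# Fix baselines copied from the remediation list on this page, keyed by
# (product, version line). Lines the page lists without a fix are absent.
# PCS 7 V8.2 is covered through its WinCC V7.4 install, as the page describes.
FIX_BASELINE = {
    ("SIMATIC PCS 7", "V9.0"): "SP3",
    ("SIMATIC WinCC", "V7.4"): "SP1 Update 14",
    ("SIMATIC WinCC", "V7.5"): "SP1 Update 1",
    ("SIMATIC WinCC (TIA Portal)", "V13"): "SP2",
    ("SIMATIC WinCC (TIA Portal)", "V14"): "SP1 Update 10",
    ("SIMATIC WinCC (TIA Portal)", "V15.1"): "Update 5",
    ("SIMATIC WinCC (TIA Portal)", "V16"): "Update 1",
    ("SIMATIC NET PC Software", "V14"): "SP1 Update 14",
    ("SIMATIC NET PC Software", "V16"): "Update 1",
}

def patch_level(text):
    """Parse 'SP1 Update 14' into (1, 14); a missing SP or Update counts as 0.
    Assumption: levels order by service pack first, then update."""
    sp = re.search(r"SP\s*(\d+)", text, re.I)
    upd = re.search(r"Upd(?:ate)?\s*(\d+)", text, re.I)
    return (int(sp.group(1)) if sp else 0, int(upd.group(1)) if upd else 0)

def is_fixed(product, version, level):
    """True only if the page lists a fix for this line and the install meets it."""
    baseline = FIX_BASELINE.get((product, version))
    return baseline is not None and patch_level(level) >= patch_level(baseline)

def triage(inventory):
    """Classify each host; one fixed install clears the shared SCS component."""
    result = {}
    for host, installs in inventory.items():
        if any(is_fixed(*i) for i in installs):
            result[host] = "remediated"
        elif any((p, v) in FIX_BASELINE for p, v, _ in installs):
            result[host] = "patch available"
        else:
            result[host] = "no fix: mitigate"
    return result

# Constructed sample inventory: host -> [(product, version, installed level)]
INVENTORY = {
    "es-01": [("SIMATIC WinCC", "V7.4", "SP1 Update 9")],
    "os-02": [("OpenPCS 7", "V8.1", ""), ("SIMATIC WinCC", "V7.4", "SP1 Update 14")],
    "batch-03": [("SIMATIC BATCH", "V8.1", "")],
    "hmi-04": [("SIMATIC WinCC (TIA Portal)", "V15.1", "Update 5")],
}
if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "no fix: mitigate" are the ones where the workarounds listed under "Do now" are the only available control.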