OTPulse

Siemens KTK, SIDOOR, SIMATIC, and SINAMICS (Update D)

Plan Patch · CVSS 7.5 · ICS-CERT ICSA-20-105-08 · Apr 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A TCP stack vulnerability in affected Siemens PROFINET devices allows remote attackers to cause denial-of-service by sending specially crafted packets that force expensive computational operations for each incoming packet. The vulnerability affects the availability of devices running affected versions of SIMATIC S7 CPUs (all families), ET 200 I/O modules and controllers, SINAMICS drives with PROFINET, SIDOOR devices, KTK terminals, and related communication modules. The attacker does not need authentication or special configuration—only network access to the device's Ethernet port. Siemens has released firmware updates for some products (S7-1200, S7-1500, S7-410, ET 200SP Open Controller, ET 200eco PN variants) but many older products (S7-300, most ET 200 variants, SINAMICS control units, SIDOOR, KTK) will not receive fixes due to end-of-life status. As a workaround for S7-410 devices, disabling the CPU's built-in Ethernet port and using a separate communication module is recommended.

What this means
What could happen
An attacker on your network can send specially crafted packets to PROFINET-connected Siemens controllers and I/O modules, forcing expensive CPU computations on each packet and causing the device to become unresponsive or stop processing plant logic. This is a denial-of-service attack that affects availability, not safety directly, but can halt production until the device recovers.
Who's at risk
Water utilities, power distribution systems, and transportation infrastructure that use Siemens PROFINET devices for process control. Specifically impacts operators running S7-300, S7-400, S7-410, S7-1200, S7-1500 PLCs, SINAMICS motor drives with PROFINET, SIDOOR devices, KTK terminal equipment, and distributed I/O modules (ET 200 series) that are networked via PROFINET. Any facility relying on these devices for real-time automation control is affected.
How it could be exploited
An attacker sends malformed TCP packets to the Ethernet port of a vulnerable Siemens PLC or I/O module (typically PROFINET port 502). The device's TCP stack performs expensive computation for each such packet, consuming CPU time. Repeated or continuous malformed packets exhaust CPU capacity, leaving the device slow or unresponsive. No authentication or special configuration is required; the attacker only needs network access to the device's Ethernet port.
Prerequisites
  • Network access to the Ethernet port of the Siemens device (typically PROFINET port 502 or direct TCP access)
  • Device must be reachable from the attacker's network segment
  • No authentication or credentials required
Risk tags:
  • Remotely exploitable via network access
  • No authentication required
  • Low complexity attack
  • Affects availability (Denial of Service)
  • Many products have no fix available
  • Widespread use in critical infrastructure
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (66)
15 with fix, 51 pending
Product                                                       Affected Versions   Fix Status
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200     All versions        No fix yet
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P    All versions        No fix yet
KTK ATE530S                                                   All versions        No fix yet
SIDOOR ATD430W                                                All versions        No fix yet
SIDOOR ATE530S COATED                                         All versions        No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable the Ethernet ports on the S7-410 CPU and use a separate communication module (such as a CP) for PROFINET communication instead
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to v20.8 or later
All products
HOTFIX: Update SIMATIC S7-1500 CPU family to v2.8 or later
HOTFIX: Update SIMATIC S7-1200 CPU family to v4.5.2 or later
HOTFIX: Update SIMATIC S7-410 V10 CPU family to v10.2 or later
HOTFIX: Update SIMATIC S7-410 V8 CPU family to v8.3 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC to v2.1.7 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to v20.8 or later
HOTFIX: Update SIMATIC ET 200eco PN variants (AI 8xRTD/TC, CM 4x/8x IO-Link, DI/DQ/DIQ M12-L) to v5.1.2 or v5.1.3 as applicable
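The fix levels above are only useful once they are compared against what is actually installed. The script below is an added example (not code from OTPulse or Siemens) that triages a device inventory against the advisory's HOTFIX thresholds and no-fix families. The inventory is constructed, the family strings are assumed to match the advisory's product names exactly, and the ET 200eco PN threshold is taken as v5.1.3 (the higher of the two values the advisory lists) so that no variant is marked fixed prematurely.

```python
"""Triage a device inventory against the firmware fix levels in this advisory.

Added example: fix levels come from the advisory's Schedule section; the
inventory is constructed, and exact family-string matching is an assumption
about how the asset database labels devices.
"""
import re

# Lowest fixed firmware per product family (from the advisory's HOTFIX entries).
FIXED_VERSIONS = {
    "SIMATIC S7-1500 Software Controller": "20.8",
    "SIMATIC S7-1500 CPU": "2.8",
    "SIMATIC S7-1200 CPU": "4.5.2",
    "SIMATIC S7-410 V10 CPU": "10.2",
    "SIMATIC S7-410 V8 CPU": "8.3",
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC": "2.1.7",
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC2": "20.8",
    # The advisory gives v5.1.2 or v5.1.3 "as applicable" for the ET 200eco PN
    # variants; the higher value is used here as the conservative choice.
    "SIMATIC ET 200eco PN": "5.1.3",
}

# Families the advisory says will not receive a fix (end-of-life).
NO_FIX_FAMILIES = {
    "SIMATIC S7-300 CPU",
    "KTK ATE530S",
    "SIDOOR ATD430W",
    "SIDOOR ATE530S COATED",
    "EK-ERTEC 200",
    "EK-ERTEC 200P",
}


def parse_version(text):
    """'V2.8.1' -> (2, 8, 1); tolerates a leading V/v and surrounding text."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_at_least(current, required):
    """Component-wise numeric compare with zero padding: '4.5' < '4.5.2', '8.3.0' >= '8.3'."""
    cur, req = parse_version(current), parse_version(required)
    width = max(len(cur), len(req))
    cur += (0,) * (width - len(cur))
    req += (0,) * (width - len(req))
    return cur >= req


def classify(family, firmware):
    """Map one device to a remediation status for this advisory."""
    if family in NO_FIX_FAMILIES:
        return "no_fix_eol"          # only isolation or replacement remains
    if family not in FIXED_VERSIONS:
        return "unknown_family"      # not in this advisory's fix list; review manually
    if version_at_least(firmware, FIXED_VERSIONS[family]):
        return "fixed"
    return "update_required"


def triage(inventory):
    """Return {device name: status} for every device in the inventory."""
    return {d["name"]: classify(d["family"], d["firmware"]) for d in inventory}


# Constructed inventory for demonstration.
SAMPLE_INVENTORY = [
    {"name": "PLC-LINE1", "family": "SIMATIC S7-1500 CPU", "firmware": "V2.6.1"},
    {"name": "PLC-LINE2", "family": "SIMATIC S7-1500 CPU", "firmware": "V2.8.3"},
    {"name": "PLC-PUMP", "family": "SIMATIC S7-1200 CPU", "firmware": "V4.5"},
    {"name": "PLC-PS", "family": "SIMATIC S7-410 V8 CPU", "firmware": "V8.3.0"},
    {"name": "DOOR-3", "family": "SIDOOR ATD430W", "firmware": "V1.2"},
    {"name": "HMI-X", "family": "SIMATIC HMI Comfort Panel", "firmware": "V15"},
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:10} {status}")
```

Devices reported as no_fix_eol are the ones the segmentation measures below are really for, since no firmware update will ever close the issue on them.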
Long-term hardening
HARDENING: Implement network segmentation: place all Siemens PROFINET devices on an isolated industrial network behind a firewall that restricts access to authorized engineering workstations and HMIs only
HARDENING: Configure firewall rules to allow only known PROFINET traffic (port 502 and LLDP port 3829 if used) to and from authorized sources
HARDENING: Disable any direct internet-facing access to PROFINET networks; use a VPN with strong authentication if remote access is required for maintenance
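Once the cell is segmented and an allowlist is in place, the flow records at the cell firewall become the place to verify both controls. The routine below is an added example (not OTPulse's or Siemens' code). It assumes a constructed comma-separated flow-record format (start, end, source, destination, packets, bytes), a constructed PLC subnet, a constructed set of authorized engineering workstation and HMI addresses, and a constructed packets-per-second threshold; it flags any flow into the PLC cell from a host outside the allowlist, and any flow whose packet rate is high enough to suggest the per-packet resource exhaustion the advisory describes.

```python
"""Review flow records for traffic into a PROFINET cell that breaks the
allowlist or looks like a packet flood.

Added example: the segment, allowlist, threshold and flow records are all
constructed and would be replaced with the site's own values.
"""
import ipaddress

PLC_SEGMENT = ipaddress.ip_network("10.20.30.0/24")   # constructed cell subnet
AUTHORIZED_SOURCES = {"10.20.31.10", "10.20.31.11"}   # constructed: engineering WS and HMI
FLOOD_PPS_THRESHOLD = 2000                            # constructed; tune to normal cyclic load

# Constructed flow records: start_epoch,end_epoch,src,dst,packets,bytes
SAMPLE_FLOWS = """\
1586800000,1586800060,10.20.31.10,10.20.30.5,420,61000
1586800000,1586800060,10.20.31.11,10.20.30.5,380,55000
1586800010,1586800070,10.20.31.55,10.20.30.5,35,4200
1586800020,1586800025,10.20.31.10,10.20.30.6,60000,3600000
1586800030,1586800090,10.20.31.10,10.20.31.11,900,120000
1586800040,1586800040,10.20.31.77,10.20.30.7,9000,540000
"""


def parse_flows(text):
    """Parse the comma-separated records into dicts with numeric fields."""
    flows = []
    for line in text.strip().splitlines():
        start, end, src, dst, packets, nbytes = line.split(",")
        flows.append({
            "start": int(start), "end": int(end),
            "src": src, "dst": dst,
            "packets": int(packets), "bytes": int(nbytes),
        })
    return flows


def packet_rate(flow):
    """Packets per second; a zero-length record is counted over one second."""
    duration = max(flow["end"] - flow["start"], 1)
    return flow["packets"] / duration


def review_flows(flows, plc_segment=PLC_SEGMENT, authorized=AUTHORIZED_SOURCES,
                 pps_threshold=FLOOD_PPS_THRESHOLD):
    """Return one finding per flow into the PLC segment that violates a control."""
    findings = []
    for flow in flows:
        if ipaddress.ip_address(flow["dst"]) not in plc_segment:
            continue                    # traffic between non-PLC hosts is out of scope here
        reasons = []
        if flow["src"] not in authorized:
            reasons.append("unauthorized_source")
        pps = packet_rate(flow)
        if pps > pps_threshold:
            reasons.append("packet_flood")
        if reasons:
            findings.append({"src": flow["src"], "dst": flow["dst"],
                             "pps": round(pps, 1), "reasons": reasons})
    return findings


def sources_to_block(findings):
    """Hosts outside the allowlist that reached the cell: input for the firewall rule review."""
    return sorted({f["src"] for f in findings if "unauthorized_source" in f["reasons"]})


if __name__ == "__main__":
    for finding in review_flows(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

An authorized host showing up as packet_flood (the fourth record) is worth as much attention as an unknown one, since the allowlist alone does nothing against a compromised engineering workstation.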