OTPulse

Siemens SIMATIC HMI Panels

Monitor · CVSS 5.7 · ICS-CERT ICSA-20-196-04 · Jul 14, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Siemens SIMATIC HMI panels and WinCC Runtime Advanced do not encrypt program transfer traffic. An attacker positioned on the network between an engineering workstation and an HMI panel during a program transfer can passively capture unencrypted data, potentially exposing proprietary control logic, configuration data, and credentials. CWE-319 (Cleartext Transmission of Sensitive Information). All versions of affected products are vulnerable with no fix planned by the vendor.

What this means
What could happen
An attacker with access to the network between an engineering workstation and an HMI panel could capture unencrypted program transfer traffic and read sensitive information such as proprietary control logic, setpoints, or credentials. This could enable follow-up attacks to modify processes or gain unauthorized access to industrial equipment.
Who's at risk
Manufacturing facilities that operate Siemens HMI panels (SIMATIC Basic, Comfort, Mobile, Arctic variants, and WinCC Runtime Advanced). Anyone who performs program transfers to HMI devices—typically operations staff, maintenance technicians, and engineering contractors working on control system updates—should be aware that this communication is unencrypted and vulnerable to sniffing on shared networks.
How it could be exploited
An attacker positioned on the network segment between an engineering workstation and an HMI panel (e.g., via ARP spoofing, compromised switch port, or shared wireless network) can passively sniff traffic during program transfer operations. The attacker captures the unencrypted data stream containing the HMI program, which may include logic, configuration, and credentials.
Prerequisites
  • Network access to traffic between engineering workstation and HMI panel (ARP spoofing, MITM, or shared network segment)
  • HMI program transfer activity initiated (engineering workstation loading or updating panel firmware)
  • No encryption enabled for program transfer communication
  • No patch available (all versions affected)
  • Low attack complexity (passive sniffing)
  • Affects engineering/operational data (potential information disclosure)
  • Requires attacker to be on same network segment
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (6)
3 pending, 3 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC HMI Basic Panels 1st Generation (incl. SIPLUS variants) | All versions | No fix yet |
| SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) | All versions | No fix yet |
| SIMATIC HMI Comfort Panels (incl. SIPLUS variants) | All versions | No fix yet |
| SIMATIC HMI Mobile Panels 2nd Generation | All versions | No fix (EOL) |
| SIMATIC WinCC Runtime Advanced | All versions | No fix (EOL) |
| SIMATIC HMI KTP700F Mobile Arctic | All versions | No fix (EOL) |

Remediation & Mitigation
Do now
  • HARDENING: Connect engineering workstations directly to HMI panels with a direct cable or isolated network segment; avoid routing program transfer traffic through switches, routers, or shared network infrastructure
  • WORKAROUND: Disable or restrict HMI program transfer operations over large or untrusted networks; schedule all updates on isolated, controlled network segments
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC HMI Mobile Panels 2nd Generation: All versions, SIMATIC WinCC Runtime Advanced: All versions, SIMATIC HMI KTP700F Mobile Arctic: All versions. Apply the following compensating controls:
  • HARDENING: Implement network segmentation to isolate HMI panels and engineering workstations from business networks and the Internet; use firewalls to control access
  • HARDENING: Apply Siemens operational security guidelines and follow product manual recommendations for secure configuration of HMI devices