OTPulse

Siemens SIMATIC Software Products (Update B)

Plan Patch · 7.3 · ICS-CERT ICSA-21-194-06 · Jul 13, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Multiple SIMATIC software products contain a vulnerability in how they manage configuration metafiles. An attacker with local access to an engineering workstation could modify these files to change device parameters or operational behavior. The affected products are SIMATIC PCS 7, SIMATIC PDM, SIMATIC STEP 7, and SINAMICS STARTER. Siemens has released updates for most products but notes that SIMATIC PCS 7 V8.2 and earlier versions have no fix available. The vulnerability is not remotely exploitable and requires local filesystem access to the engineering workstation.

What this means
What could happen
An attacker with local access to an engineering workstation could modify configuration files used by SIMATIC software, allowing them to alter device parameters or process behavior without authorization. This could disrupt plant operations or cause unintended control system actions.
Who's at risk
This vulnerability affects plant engineers and operators using Siemens SIMATIC software products for PLC configuration and device management. It impacts any organization running SIMATIC PCS 7, SIMATIC PDM, SIMATIC STEP 7, or SINAMICS STARTER in manufacturing, water/wastewater, power generation, or any industrial automation environment. Particular risk exists at sites where engineering workstations are shared or accessible to multiple users.
How it could be exploited
An attacker must first gain local access to a SIMATIC engineering workstation where affected software is installed. They then modify metafiles (configuration data) stored on disk to change device parameters or operational settings. When those files are deployed to field devices, the unauthorized changes take effect, potentially altering process setpoints or stopping operations.
Prerequisites
  • Local access to an engineering workstation running affected SIMATIC software
  • Write access to configuration files or metafiles on the workstation
  • Knowledge of which parameters to modify for intended effect

Local access required (reduces risk but increases insider threat)
Low complexity attack once access is gained
Affects configuration of safety-critical systems
SIMATIC PCS 7 V8.2 and earlier have no fix available
Could enable unauthorized process parameter modification
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (5)
4 with fix, 1 EOL
Product | Affected Versions | Fix Status
SIMATIC PCS 7 V9.X | <V9.1 SP2 | 9.1 SP2
SIMATIC PDM | <V9.2 SP2 | 9.2 SP2
SIMATIC STEP 7 V5.X | <V5.7 | 5.7
SINAMICS STARTER (containing STEP 7 OEM version) | <V5.4 SP2 HF1 | 5.4 SP2 HF1
SIMATIC PCS 7 V8.2 and earlier | All versions | No fix (EOL)
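
The table above, applied to an engineering-workstation inventory, as an added example that is not part of the original advisory and not Siemens code: it parses version strings of the forms the table uses and sorts each install into affected, fixed, or EOL with no fix. The inventory, hostnames, shortened product keys and status labels are assumptions made for the example.

```python
import re

# Fix thresholds from the advisory's table, as (major, minor, SP, HF) tuples.
# The tuple layout and the shortened product keys are this example's own convention.
FIXED_IN = {
    "SIMATIC PCS 7": (9, 1, 2, 0),     # V9.X, fixed in 9.1 SP2
    "SIMATIC PDM": (9, 2, 2, 0),       # fixed in 9.2 SP2
    "SIMATIC STEP 7": (5, 7, 0, 0),    # V5.X, fixed in 5.7
    "SINAMICS STARTER": (5, 4, 2, 1),  # fixed in 5.4 SP2 HF1
}
PCS7_EOL_MAX = (8, 2)  # PCS 7 V8.2 and earlier: all versions, no fix (EOL)
_VERSION = re.compile(r"^V?(\d+)\.(\d+)(?:\s+SP(\d+))?(?:\s+HF(\d+))?$", re.I)

def parse_version(text):
    """Turn 'V9.1 SP2' or '5.4 SP2 HF1' into a comparable tuple, or None."""
    m = _VERSION.match(text.strip())
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None

def triage(product, version):
    """Classify one installed product against the advisory's table."""
    fixed = FIXED_IN.get(product)
    if fixed is None:
        return "not-listed"
    v = parse_version(version)
    if v is None:
        return "manual-review"   # unrecognised version string: do not guess
    if product == "SIMATIC PCS 7":
        if v[:2] <= PCS7_EOL_MAX:
            return "eol-no-fix"  # only compensating controls apply
        if v[0] != 9:
            return "not-listed"  # table covers V9.X and V8.2 and earlier
    if product == "SIMATIC STEP 7" and v[0] != 5:
        return "not-listed"      # table covers STEP 7 V5.X only
    return "affected" if v < fixed else "fixed"

# Constructed inventory: hostnames and installed versions are made up.
INVENTORY = [
    ("ES-01", "SIMATIC PCS 7", "V9.0 SP3"),
    ("ES-02", "SIMATIC PCS 7", "V8.2"),
    ("ES-03", "SIMATIC STEP 7", "V5.7"),
    ("ES-04", "SINAMICS STARTER", "V5.4 SP2"),
    ("ES-05", "SIMATIC PDM", "9.1 build 4411"),
]

def report(inventory=INVENTORY):
    return {host: triage(p, v) for host, p, v in inventory}

if __name__ == "__main__":
    print(report())
```

Version strings that do not match the `Vx.y [SPn] [HFn]` pattern are returned as `manual-review` rather than guessed, so an unusual build label never silently counts as fixed.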
Remediation & Mitigation
Do now
HARDENING: Restrict physical and remote access to engineering workstations to trusted users only
HARDENING: Implement access controls ensuring only authorized personnel can modify configuration files and metafiles
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC PCS 7 V9.X
HOTFIX: Update SIMATIC PCS 7 V9.X to version 9.1 SP2 or later
SIMATIC PDM
HOTFIX: Update SIMATIC PDM to version 9.2 SP2 or later
SIMATIC STEP 7 V5.X
HOTFIX: Update SIMATIC STEP 7 V5.X to version 5.7 or later
All products
HOTFIX: Update SINAMICS STARTER to version 5.4 SP2 HF1 or later
Mitigations - no patch available
SIMATIC PCS 7 V8.2 and earlier has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate engineering workstations and SIMATIC software systems from business networks using firewalls and network segmentation