Siemens SINUMERIK ONE and SINUMERIK MC
Plan Patch | CVSS 9.3 | ICS-CERT ICSA-22-314-04 | Oct 11, 2022
Siemens | Manufacturing
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SINUMERIK ONE and SINUMERIK MC products contain a weak key protection vulnerability in the integrated S7-1500 CPU that could allow an attacker with local or physical access to extract cryptographic keys protecting communication between the S7-1500 CPU and the HMI. The vulnerability is documented in detail in Siemens security advisory SSA-568427.
What this means
What could happen
An attacker with local access to the SINUMERIK controller or memory card could extract cryptographic keys used to protect communication between the S7-1500 CPU and the HMI, potentially allowing them to impersonate legitimate controllers or alter machine control commands without being detected.
Who's at risk
Manufacturing facilities using Siemens SINUMERIK CNC machine controllers (SINUMERIK MC and SINUMERIK ONE) should be concerned. This affects machine tool control systems that depend on secure HMI-to-controller communication for safe and authorized operation.
How it could be exploited
An attacker must physically access the SINUMERIK NCU (control unit) or its memory cards, or gain local access to the integrated S7-1500 CPU hardware. Once local access is obtained, they can exploit weak key protection mechanisms to extract cryptographic keys that secure HMI-to-controller communication. These keys could then be used to forge or intercept control commands.
Prerequisites
- Physical or local access to the SINUMERIK controller hardware or memory cards
- Knowledge of the weak key protection mechanism in the S7-1500 CPU
- Access to extract or read protected memory regions
Tags: weak cryptographic key protection · affects machine control systems · requires physical or local access to exploit · key protection documented in related advisory SSA-568427
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (9)
8 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | < V4.5.0 | 4.5.0 |
| SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) | < V2.9.2 | 2.9.2 |
| SIMATIC S7-1500 Software Controller | < V21.9 | 21.9 |
| SIMATIC S7-PLCSIM Advanced | < V4.0 | 4.0 |
| SIMATIC Drive Controller family | < V2.9.2 | 2.9.2 |
| SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | < V21.9 | 21.9 |
| SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) | All versions | No fix (EOL) |
| SINUMERIK MC | < V6.21 | 6.21 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to S7-1500 CPU and HMI communication to trusted network segments only; do not expose to the Internet
- HARDENING: Implement physical security controls to prevent unauthorized access to SINUMERIK NCU and memory cards
- HARDENING: Protect TIA Portal project files and SINUMERIK NCU hardware from unauthorized actors through access controls
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SINUMERIK MC
- HOTFIX: Update SINUMERIK MC to version 6.21 or later
SINUMERIK ONE
- HOTFIX: Update SINUMERIK ONE to version 6.21 or later
Mitigations - no patch available
SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Segment industrial control networks from business networks using firewalls
CVEs (1)