Update on Siemens S7 PLC Vulnerabilities

Malware like Stuxnet is not the reason for software vulnerabilities in Siemens S7-1200 programmable logic controllers. According to the automation company, a new firmware update fixes a weakness found in the communications function.

Automation supplier Siemens Industry Inc., in Alpharetta, Ga. has released a firmware update for its S7-1200 PLC that reportedly eliminates vulnerabilities and improves the security and robustness of the product family. In a statement released June 13, 2011, company spokesman Micheal Krampe said, “Despite recent news reports, Siemens latest software vulnerabilities are not caused by malware (like Stuxnet), but by a weakness in communication functions of its programmable logic controller (PLC) product, called S7-1200. The vulnerability was discovered by an NSS Labs researcher and resulted in an ICS-CERT security advisory.”

At this point, Siemens is not aware of any customers affected by the identified weak points found in its S7-1200 PLCs, said Krampe. “The company would like to emphasize that it is fully committed to maintaining the highest quality products with the most stringent security standards. Siemens experts have been working closely with ICS-CERT and various user communities to continuously improve the Siemens industrial controller products,” he added. 

Siemens continues to recommend to all its customers that they implement appropriate security measures, such as firewalls, secure switches and gateways to separate vulnerable computer hardware from the actual PLCs. The company provides additional security advice and recommendations at www.siemens.com/industrialsecurity.

As a further precaution, Krampe said Siemens controllers, including the S7-300/400 families, are being tested against the discovered vulnerability scenarios. “Today, Siemens can already exclude any vulnerability of the S7-300/400 against the ‘denial of service’ scenario,” he said. “Ongoing and extensive tests of further security scenarios are currently underway in our R&D labs. Depending on the results of those tests, the company will react accordingly. If any customers have concerns that an unauthorized person has been able to record an online communication between the engineering PC and the PLC, the company recommends an immediate change to the PLC password.”

To download the S7-1200 firmware update (which is available as of June 10, 2011) and to obtain more detailed information, visit: www.siemens.com/networkbehavior-S7-1200.

Renee Robbins Bassett, renee.bassett@automationworld.com

More in Control