The US Computer Emergency Response Team (CERT) has issued advisory ICSA-16-161-02, which is warning of “weakly protected” credentials in Siemens SIMATIC WinCC flexible industrial control system.
Due to this weak protection, any data it sends over the network could be listened to and decrypted.
According to CERT, Gleb Gritsai and Roman Ilin from Positive Technologies reported this issue directly to Siemens, and fortunately Siemens has already produced an update to mitigate this vulnerability.
The advisory reads, “Attackers capturing network traffic of the remote management module could possibly reconstruct user credentials.The remote management module of SIMATIC WinCC flexible panels and SIMATIC WinCC flexible runtime transmits weakly protected credentials over the network. Attackers capturing network traffic of the remote management module could possibly reconstruct the credentials.”
CERT have said that Impact to individual organisations depends on many factors that are unique to each organisation.
However it advised that companies should protect network access to devices running SIMATIC WinCC flexible with appropriate mechanisms, and configure the environment according to Siemens operational guidelines in order to run the devices in a protected IT environment.
Other defensive measures advised by CERT to minimise the risk of exploitation of these vulnerabilities include:
● Minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
● Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
● When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognising that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognise that VPN is only as secure as the connected devices.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
CERT says organisations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.