Claroty reveals critical vulnerability in Siemens PLCs and TIA Portal

Claroty

Friday, 14 October, 2022


Claroty’s Team82 has announced that it has uncovered and disclosed to Siemens a new technique targeting SIMATIC S7-1200 and S7-1500 PLC CPUs that enabled its researchers to recover a global hardcoded cryptographic key (CVE-2022-38465) shared by every device in each affected Siemens product line. Because the key is the same across the line, an attacker who extracts it from a single device gains full control over every PLC in that product line.

Background

Close to 10 years ago, Siemens introduced asymmetric cryptography into the integrated security architecture of its TIA Portal v12 and SIMATIC S7-1200/1500 PLC CPU firmware families. This was done to ensure the integrity and confidentiality of devices and user programs, as well as for the protection of device communication within industrial environments.

Dynamic key management and distribution was not practical then for industrial control systems, largely because of the operational burden key management systems would put on integrators and users. Siemens decided at the time instead to rely on fixed cryptographic keys to secure programming and communications between its PLCs and the TIA Portal.

Since then, however, advances in technology, security research, and a swiftly changing threat landscape have rendered such hardcoded crypto keys an unacceptable risk. A malicious actor who is able to extract a global, hardcoded key could compromise the security of the entire product line in an irreparable way: a key baked into every unit’s firmware cannot be rotated on a single device, and a device that has not been re-keyed keeps trusting whatever the attacker signs or decrypts with it.

The vulnerability

Team82’s latest work, an extension of its previous research on Siemens SIMATIC S7-1200 and S7-1500 PLCs as well as Rockwell Automation’s Logix controllers and Studio 5000 Logix Designer, continues the team’s research into PLC security, working closely with leading vendors to eradicate practices such as hardcoded keys.

Using a vulnerability uncovered in its previous research on Siemens PLCs (CVE-2020-15782), which allowed researchers to bypass the PLC’s native memory protections and obtain read and write primitives sufficient for remote code execution, Team82 was able to read the internal and heavily guarded private key out of device memory. Because that key is shared across the product line, this single extraction allowed the team to implement the full protocol stack and to encrypt and decrypt protected communication and configurations for any device in the line.

Siemens’ response to this private disclosure led to an overhaul of the cryptographic schemes protecting its flagship PLC lines, as well as its TIA Portal engineering workstation application. Siemens acknowledged in a security advisory that existing protections around its hardcoded key are no longer sufficient, and invested the resources and time necessary to introduce a dynamic public-key infrastructure (PKI) that eliminates the use of hardcoded keys.

Remediation

Siemens recommends that users immediately update SIMATIC S7-1200 and S7-1500 PLCs and the corresponding TIA Portal versions to the latest releases. TIA Portal V17 and the related CPU firmware versions include the new PKI system, which protects confidential configuration data with individual passwords per device and protects PG/PC and HMI communication with TLS, Siemens said in its advisory. Because the legacy key lives in older firmware and older project formats, updating only the controller or only the engineering workstation does not remove it: both sides must run versions that use the new scheme for the per-device protection to apply.
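The difference between a fleet-wide hardcoded key (the flaw described above) and the per-device keys of the remediation can be shown with a small model. This is an added example, not Claroty’s tooling and not Siemens’ actual cryptographic scheme: each controller accepts a configuration only if its HMAC-SHA256 tag verifies under the key that unit holds, and the memory-read primitive is modelled as simply returning the key held by the one compromised unit. The serials, keys and the `protect`, `verify` and `blast_radius` functions are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 output length

# Constructed fleet of three controllers. Serials and keys are invented for this
# example and are not Siemens identifiers or key material.
FLEET = ["PLC-0001", "PLC-0002", "PLC-0003"]

# Scheme "global": the same key is burned into every unit's firmware
# (the design flaw the article describes).
GLOBAL_KEY = bytes.fromhex("11" * 32)

# Scheme "per_device": each unit is provisioned with its own key. A real
# deployment would draw these from a CSPRNG at commissioning; fixed values
# keep the example reproducible.
PER_DEVICE_KEYS = {
    "PLC-0001": bytes.fromhex("a1" * 32),
    "PLC-0002": bytes.fromhex("b2" * 32),
    "PLC-0003": bytes.fromhex("c3" * 32),
}


def device_key(scheme: str, serial: str) -> bytes:
    """The key a given unit holds in memory under each scheme."""
    if scheme == "global":
        return GLOBAL_KEY
    if scheme == "per_device":
        return PER_DEVICE_KEYS[serial]
    raise ValueError(f"unknown scheme {scheme!r}")


def protect(key: bytes, serial: str, config: bytes) -> bytes:
    """Engineering-station side: bind a config blob to one target serial."""
    tag = hmac.new(key, serial.encode() + b"\x00" + config, hashlib.sha256).digest()
    return config + tag


def verify(key: bytes, serial: str, blob: bytes) -> Optional[bytes]:
    """Controller side: accept the config only if the tag verifies under this unit's key."""
    if len(blob) < TAG_LEN:
        return None
    config, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, serial.encode() + b"\x00" + config, hashlib.sha256).digest()
    return config if hmac.compare_digest(tag, expected) else None


def extract_key_from_memory(scheme: str, serial: str) -> bytes:
    """Stand-in for a memory-read primitive on one compromised unit:
    it yields whatever key that unit holds, and nothing more."""
    return device_key(scheme, serial)


def blast_radius(scheme: str, compromised: str) -> list:
    """Serials that accept attacker-authored logic after one unit's key is dumped."""
    stolen = extract_key_from_memory(scheme, compromised)
    payload = b"OB1: attacker-controlled logic"  # constructed placeholder
    accepted = []
    for serial in FLEET:
        forged = protect(stolen, serial, payload)  # attacker re-signs per target
        if verify(device_key(scheme, serial), serial, forged) is not None:
            accepted.append(serial)
    return accepted


if __name__ == "__main__":
    for scheme in ("global", "per_device"):
        print(f"{scheme:>10}: key dumped from PLC-0001 lets the attacker push logic to "
              f"{blast_radius(scheme, 'PLC-0001')}")
```

Binding the serial into the tag does not help on its own: a blob signed for one controller is rejected by another, but with a shared key the attacker simply re-signs for each target, so the blast radius only shrinks when the keys themselves differ. The per-device scheme moves the secret-handling burden to the engineering station and project file, which is why the remediation pairs it with TLS-protected PG/PC and HMI communication.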




  • All content Copyright © 2024 Westwick-Farrow Pty Ltd