
Serious vulnerabilities detected in Siemens power substation control systems





Positive Technologies specialists Ilya Karpov and Dmitry Sklyarov found vulnerabilities in Siemens SICAM PAS (Power Automation System), software used to build automated process control systems for the power industry. It is deployed at substations of various voltage classes in Russia, in European countries and on other continents.



What is the problem



The vulnerabilities involve insecure password storage and disclosure of sensitive information. The most dangerous is CVE-2016-8567, rated 9.8 on the 10-point CVSSv3 scale, which corresponds to a high level of danger. An attacker can remotely gain privileged access to the SICAM PAS database through the standard remote configuration interface on TCP port 2638, using hard-coded passwords of factory (default) accounts.


The second vulnerability reported by Positive Technologies, CVE-2016-8566, rated 7.8, allows an attacker who has already gained access to the SICAM PAS database to enumerate user accounts and recover their passwords. The cause is the use of weak password hashing algorithms.



According to Ilya Karpov, head of the ICS research and audit department at Positive Technologies, these vulnerabilities are critical because they make it possible to remotely reconfigure SICAM PAS at an energy facility, block the operation of a dispatch system, or cause various accidents, including system-wide ones.



How to protect



The vendor confirmed the vulnerabilities and issued recommendations for fixing them. To eliminate these vulnerabilities, Siemens recommends upgrading SICAM PAS to version 8.0. It is also necessary to block access to ports 19235/TCP and 19234/TCP, for example with Windows Firewall; this closes the other two issues described in the security bulletin until additional patches are released.
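The interim mitigation above, applied and then verified with PowerShell on the SICAM PAS host. This is an added example, not code from the article or from Siemens; the $AllowedPrefix engineering-network value is a placeholder assumption, and the audit's source-address check on the database port goes beyond what the bulletin prescribes.

```powershell
# Added example (not from the article or Siemens): applies the bulletin's
# interim mitigation on a SICAM PAS host and audits the result.
# Run in an elevated PowerShell session on the SICAM PAS machine.

$BlockedPorts  = @(19234, 19235)  # ports the Siemens bulletin says to block
$DatabasePort  = 2638             # database port abused in CVE-2016-8567
$AllowedPrefix = '10.0.0.'        # PLACEHOLDER: engineering-network prefix (assumption)

function Set-SicamPasBlockRules {
    # Create one persistent inbound block rule per port, idempotently.
    foreach ($port in $BlockedPorts) {
        $name = "SICAM PAS - block inbound TCP $port"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
}

function Test-SicamPasBlockRules {
    # Confirm every expected rule exists, is enabled and really blocks.
    foreach ($port in $BlockedPorts) {
        $rule = Get-NetFirewallRule -DisplayName "SICAM PAS - block inbound TCP $port" `
                    -ErrorAction SilentlyContinue
        $ok = $rule -and ("$($rule.Enabled)" -eq 'True') -and ("$($rule.Action)" -eq 'Block')
        "{0,-6} rule present and blocking: {1}" -f $port, [bool]$ok
    }
}

function Get-SicamPasExposure {
    # Report which processes listen on the affected ports ...
    $ports = $BlockedPorts + $DatabasePort
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $ports -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            "LISTEN  {0,-6} pid {1,-6} {2}" -f $_.LocalPort, $_.OwningProcess, $proc.ProcessName
        }
    # ... and flag established sessions to the database port from outside the
    # engineering network: the flaw works with factory credentials, so the
    # source address is the main signal a defender has until the 8.0 upgrade.
    Get-NetTCPConnection -LocalPort $DatabasePort -State Established -ErrorAction SilentlyContinue |
        Where-Object { -not $_.RemoteAddress.StartsWith($AllowedPrefix) } |
        ForEach-Object { "ALERT   {0} connected to TCP {1} from outside the engineering network" -f $_.RemoteAddress, $DatabasePort }
}

Set-SicamPasBlockRules
Test-SicamPasBlockRules
Get-SicamPasExposure
```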



This is not the first collaboration between the two companies in 2016. In the summer, Siemens announced two vulnerabilities, CVE-2016-5848 and CVE-2016-5849, also discovered by Ilya Karpov and Dmitry Sklyarov. These are low-risk (rated 2.5 on the CVSSv3 scale) because they cannot be exploited remotely. To eliminate them, SICAM PAS must be updated to version 8.08.



In October 2016, Siemens also published information about two vulnerabilities (CVE-2016-7959 and CVE-2016-7960) in the SIMATIC STEP 7 (TIA Portal) integrated development environment, found by Dmitry Sklyarov, head of the application analysis department at Positive Technologies. In particular, an attacker with local access to SIMATIC STEP 7 and TIA Portal projects can reverse the algorithm used to obfuscate password hashes and recover the passwords used in a project for a Simatic S7 PLC.



Over the past four years, Positive Technologies experts have discovered and helped eliminate more than 200 zero-day vulnerabilities in process control and SCADA systems from Emerson, Honeywell, Schneider Electric, Siemens, Yokogawa and other companies. In 2016, Positive Technologies unveiled PT ISIM, a cybersecurity incident management system for industrial control systems that identifies attacks and helps investigate incidents at critical facilities.

Source: https://habr.com/ru/post/318606/


