From Mike Krampe at Siemens Industry.
Siemens Statement Regarding Potential Password Security Weakness in SIMATIC Controllers -- Status July 5, 2011
Siemens announced today it has identified a potential security weakness in the programming and configuration client software authentication mechanism employed by its SIMATIC S7 family of programmable controllers, including the S7-200, S7-1200, S7-300 and S7-400.
The potential exists for an attacker with access to the product or the control system communication link, to intercept and decipher the product's password and potentially make unauthorized changes to the product's operation.
Potential threat scenarios could include unauthorized attempts by wiretapping and manipulation to decipher product passwords. This requires circumvention of the usual industrial security measures and an unrestricted access to the automation network.
For this reason, Siemens, after consultation with the responsible authorities, has published safety guidelines, which operators of industrial plants can follow to minimize the risk of external intervention from the start. Recommended measures include limiting physical and electronic access to the automation products, implementation of multi-level security concepts by establishing safe production islands, setting up and monitoring of firewalls, as well as regularly changing passwords.
This purely preventive measure of providing users of Siemens products with information is designed to minimize the risk of third-party interference in the first place. The company is not aware of any incidents in this context involving attacks on industrial plants, and consequently no manipulation or damage has occurred to our knowledge.
Siemens automation products provide a high degree of resilience and security while providing the functionality envisaged. For automation processes, communication functions and the exchange of data between the individual production steps are of fundamental importance. This is achieved by implementing secure production islands and it is therefore not necessary to equip each individual automation product within them (programmable controller, drive, pump, motor, sensor) with IT security functions such as firewalls.
