Siemens has informed its customers about security vulnerabilities in the company's SIPROTEC protection relays that expose them to denial-of-service (DoS) attacks. The flaws were found in the EN100 Ethernet communication module and in SIPROTEC 5 relays.
Siemens has already released updates and patches for some of the affected products and is working on fixes for the rest.
The EN100 Ethernet modules are used for enabling process communication on either IEC 61850, PROFINET IO, Modbus TCP, DNP3 TCP or IEC 104 protocols via electrical/optical 100 Mbit interfaces on SIPROTEC 4, SIPROTEC Compact and Reyrolle devices.
SIPROTEC 5 relays are intelligent digital field devices that provide electrical substations with several essential functions, such as protection, control, measurement and automation.
Scadax, an independent group of security researchers, reported the vulnerabilities. The researchers identified two DoS vulnerabilities in the EN100 module and in SIPROTEC 5 relays. The flaws can be triggered by sending packets to the targeted device's TCP port 102.
Successful exploitation causes the device's network functionality to enter a denial-of-service state. According to Siemens, this compromises the availability of the device, and manual intervention is required to restore the affected service.
To exploit the vulnerabilities, an attacker needs access to the targeted organization's network, and IEC 61850-MMS communication must be enabled on the device.
The researchers noted that the two flaws are similar. CVE-2018-11451 is rated high severity, while CVE-2018-11452 is rated medium severity. According to Siemens, SIPROTEC 5 relays are affected only by the high-severity flaw.
Security recommendations provided
As a general security measure, Siemens strongly recommends protecting network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN) and configuring the environment according to Siemens' operational guidelines so that the devices run in a protected IT environment.
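One way to turn the segmentation advice above into a concrete check, and to watch the TCP port 102 exposure described earlier, is to audit flow or firewall logs for ISO-TSAP/MMS connections reaching the relay segment from hosts outside the allow-listed engineering network. The script below is an added example written for this article, not code from Siemens or Scadax; the log format, subnets and sample flow records are constructed for illustration.

```python
"""Flag TCP/102 (ISO-TSAP, used by IEC 61850-MMS) connections to protection
relays that originate outside the allow-listed engineering segment.

The log format, addresses and host roles below are constructed for this
example and are not taken from the Siemens advisory."""
import ipaddress
from collections import Counter

# Constructed: the relay subnet and the only segment allowed to speak MMS to it.
RELAY_NET = ipaddress.ip_network("10.20.0.0/24")          # protection relays
ALLOWED_SOURCES = ipaddress.ip_network("10.10.5.0/24")    # engineering workstations
MMS_PORT = 102                                            # ISO-TSAP / IEC 61850-MMS

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 10.10.5.7 51234 10.20.0.11 102 TCP
2024-05-01T10:00:02Z 10.10.5.7 51235 10.20.0.11 102 TCP
2024-05-01T10:00:05Z 10.30.9.44 40001 10.20.0.11 102 TCP
2024-05-01T10:00:05Z 10.30.9.44 40002 10.20.0.11 102 TCP
2024-05-01T10:00:06Z 10.30.9.44 40003 10.20.0.12 102 TCP
2024-05-01T10:00:07Z 10.30.9.44 40004 10.20.0.12 80 TCP
2024-05-01T10:00:08Z 192.168.1.5 55000 10.20.0.13 102 UDP
"""


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
    }


def is_mms_to_relay(flow):
    """True for a TCP connection to port 102 on a host in the relay subnet."""
    return (
        flow["proto"] == "TCP"
        and flow["dport"] == MMS_PORT
        and flow["dst"] in RELAY_NET
    )


def find_violations(text):
    """Return the flows that reach a relay on TCP/102 from a non-allowed source."""
    violations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_mms_to_relay(flow) and flow["src"] not in ALLOWED_SOURCES:
            violations.append(flow)
    return violations


def summarize(violations):
    """Count offending sources so a burst against the relay segment stands out."""
    return Counter(str(f["src"]) for f in violations)


if __name__ == "__main__":
    found = find_violations(SAMPLE_FLOWS)
    for src, count in summarize(found).items():
        print(f"{src}: {count} TCP/102 connection(s) to the relay segment "
              f"from outside the allowed engineering network")
```

Only the TCP flows to port 102 from outside the engineering subnet are reported; the port 80 flow and the UDP record are ignored because they are not MMS sessions. In a real deployment the allow-list would come from the firewall policy that enforces the segmentation, so the audit confirms the policy holds rather than replacing it.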
According to security researchers, DoS flaws pose a greater problem in industrial control systems than in regular IT systems.
Exploitation of DoS flaws in Siemens SIPROTEC 5 relays is not just theoretical. The threat actors behind the Industroyer ICS malware, also known as CrashOverride, also developed a DoS tool that exploited CVE-2015-5374. That malware, discovered by ESET, was linked to the attack on an electrical substation in Ukraine a couple of years ago.