Imagine a scenario where hackers can take control of your industrial control systems (ICS) and cause havoc on the power grid. They could shut down power plants, overload transformers, or trigger blackouts. This is not a science fiction plot, but a real possibility that could happen due to a critical vulnerability in some of Siemens’ ICS devices.
Siemens is one of the leading manufacturers of ICS devices, which are used to monitor and control processes in critical infrastructure sectors such as energy, water, and transportation. These devices are often connected to the internet or other networks, which makes them vulnerable to cyberattacks.
Recently, Siemens patched a critical vulnerability affecting some of its remote terminal units (RTUs), which are used to communicate between the control center and the field devices. This vulnerability could allow hackers to execute arbitrary code on the RTUs and disrupt the communication and operation of the ICS.
According to a report by SynSaber, Siemens self-reported 544 vulnerabilities in 2022, up from 230 the previous year. This shows that Siemens is actively working on improving its product security, but also that a large number of flaws continue to be found in its products.
This article will provide you with some best practices and recommendations for protecting your ICS devices from these vulnerabilities, such as applying patches, limiting network access, using firewalls, and monitoring network traffic.
By following these steps, organizations can reduce the risk of falling victim to a cyberattack that could destabilize the ICS infrastructure.
Siemens Releases Patches for CVE-2023-28489
Siemens’ Sicam A8000 CP-8031 and CP-8050 products with CPCI85 firmware are affected by a remote code execution vulnerability (CVE-2023-28489) that could allow an unauthenticated attacker to compromise the ICS devices.
Siemens has released patches for the affected firmware versions and advised its customers to apply them as soon as possible. In addition, Siemens has provided some mitigations to reduce the risk of exploitation. For example, one of the mitigations is to limit access to the web server on TCP ports 80 and 443 using a firewall.
However, the Siemens RTU vulnerability is not the only threat that could affect organizations’ ICS devices. In fact, nearly 1,000 critical and high-severity vulnerabilities have been found in ICS equipment and components used across different sectors. Kaspersky ICS CERT’s report also stated that 40.6% of ICS computers were attacked by malicious objects in 2022.
To protect ICS devices from these vulnerabilities and prevent hackers from exploiting them, organizations should follow some best practices and recommendations:
Applying patches
Patches are updates that fix bugs or vulnerabilities in software or firmware. They play a vital role in keeping ICS devices up-to-date and secure. It’s crucial to apply the latest patches for ICS devices as soon as they become available from vendors or manufacturers.
However, patching ICS devices can be challenging or risky, as it may require downtime, testing, or backup.
To minimize potential issues, plan and schedule your patching activities carefully. Follow the vendors’ or manufacturers’ instructions and guidelines to ensure a smooth and secure patching process. By doing so, organizations can maintain the integrity and security of their ICS devices.
Limiting network access
Network access is the ability to connect to or communicate with a device or a network. It should be restricted to authorized users or devices only, as unauthorized access could lead to data theft, manipulation, or sabotage.
Organizations can limit network access by implementing network segmentation and isolation. This involves dividing critical networks into smaller, separate segments or zones based on their functions or security levels. For example, isolate your ICS devices from the internet or other non-essential networks.
Routers, switches, or gateways can also be used to control the traffic between the segments or zones and to block any unwanted or suspicious connections.
Using firewalls
Limiting network access alone may not be enough to protect ICS devices from external or internal threats. Firewalls are devices or software that filter and regulate network traffic based on predefined rules or policies. They can block or allow specific types of traffic based on its source, destination, protocol, port, or content, which makes them vital for protecting ICS devices.
Utilizing firewalls to create a secure perimeter around ICS devices is essential in preventing unauthorized or malicious access. The firewalls should also be maintained and updated regularly according to the changing network conditions or security requirements.
Monitoring network traffic
In addition to using firewalls, organizations should also monitor and analyze network traffic to detect any anomalies or signs of compromise, such as unusual patterns, spikes, drops, or deviations.
Tools or services that provide network visibility and anomaly detection can be used for this purpose. They can collect, store, process, and display network traffic data and alert organizations of any abnormal or suspicious activities.
For instance, consider employing Network Intrusion Detection Systems (NIDS), which are devices or software that monitor network traffic for malicious or unauthorized actions, such as attacks, scans, probes, or exploits. Additionally, Network Performance Monitoring (NPM) tools can be utilized; these devices or software measure and report the performance of network traffic, including aspects such as speed, latency, throughput, or availability.
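As an added example (not from the article or from Siemens), the following Python script ties together the firewall mitigation quoted earlier (restricting the RTU web server on TCP ports 80 and 443) and the traffic monitoring described above: it audits constructed flow records and flags web access to the RTU zone from outside an engineering workstation zone, as well as any RTU flow to an address outside the plant network. The zone addresses, the plant network range, the non-web ports and the log lines are all assumptions made for this example.

```python
"""Policy audit over constructed firewall/flow records for an RTU zone.

Added example, not from the article or Siemens. Policy (assumed):
 - only the engineering zone may reach RTU web ports TCP 80/443,
 - RTU zone hosts never talk to addresses outside the plant network.
"""
import ipaddress

# Hypothetical network plan: all addresses below are constructed.
RTU_ZONE = ipaddress.ip_network("10.20.0.0/24")
ENGINEERING_ZONE = ipaddress.ip_network("10.10.5.0/24")
PLANT_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
RTU_WEB_PORTS = {80, 443}  # ports named in the Siemens mitigation

# Constructed flow records: "src_ip dst_ip proto dst_port action"
SAMPLE_FLOWS = """\
10.10.5.21 10.20.0.15 tcp 443 allow
10.10.5.21 10.20.0.15 tcp 2404 allow
192.168.77.9 10.20.0.15 tcp 80 allow
203.0.113.40 10.20.0.15 tcp 443 deny
10.20.0.15 198.51.100.7 tcp 443 allow
10.20.0.16 10.20.0.15 tcp 102 allow
"""

def parse_flow(line):
    """Split one record into typed fields (addresses, proto, port, action)."""
    src, dst, proto, port, action = line.split()
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            proto, int(port), action)

def check_flow(src, dst, proto, port, action):
    """Return a finding string, or None when the flow matches policy."""
    # Web access to an RTU from anywhere but the engineering zone.
    if dst in RTU_ZONE and proto == "tcp" and port in RTU_WEB_PORTS:
        if src not in ENGINEERING_ZONE:
            # An allowed flow means the firewall rule is missing; a denied
            # one is still worth recording as a probe against the RTU.
            sev = "ALERT" if action == "allow" else "INFO"
            return f"{sev}: {src} -> {dst}:{port} RTU web access from outside engineering zone ({action})"
    # An RTU reaching out past the plant network (e.g. to the internet).
    if src in RTU_ZONE and not any(dst in net for net in PLANT_NETWORKS):
        return f"ALERT: {src} -> {dst}:{port} RTU reaching address outside plant network ({action})"
    return None

def audit(log_text):
    """Run every non-empty record through check_flow and collect findings."""
    return [f for f in (check_flow(*parse_flow(l)) for l in log_text.splitlines() if l.strip()) if f]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```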
The Siemens RTU vulnerability serves as a case study illustrating the security risks that can affect ICS devices in critical infrastructure environments.
To protect ICS devices from vulnerabilities, regardless of industry sector, apply patches and updates, limit network access, utilize firewalls, and monitor network traffic. Following these best practices ensures the stability and security of the ICS infrastructure, safeguarding against blackouts, equipment damage, or harm to employees and customers.