Security company Tenable disclosed a new vulnerability (CVE-2019-10915) in Siemens TIA Portal, the engineering software used to program and maintain the industrial control systems behind large critical infrastructure such as nuclear power plants; the flaw sits in TIA Administrator, the platform's web-based configuration component. The researchers said they were not aware of the vulnerability being exploited in the wild, and Siemens has released a patch.
Researchers say an attacker could use the vulnerability for cyber espionage, to map the network, to destroy or leak data, and to modify system code and control logic. The web interface requires HTTP authentication, but the WebSocket endpoint that carries administrative commands does not check it, so an attacker who can reach that socket can bypass the login entirely and invoke every administrator function by sending WebSocket commands directly to the server. Siemens' own advisory scopes the issue to an attacker with access to the affected system, so reachability of that socket is the precondition for exploitation.
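The bypass pattern described above, as an added example that is not Tenable's or Siemens' code: a minimal model of a local admin service whose HTTP layer demands a session cookie while its WebSocket command channel trusts any connected peer, beside a hardened version that binds the session and Origin checks to the WebSocket upgrade handshake and gates every command frame on the authenticated principal. The command names, session tokens and Origin allowlist are hypothetical stand-ins; nothing here reproduces TIA Administrator's real protocol.

```python
"""Added example (not Tenable's or Siemens' code): an HTTP-authenticated web UI
whose WebSocket command channel skips authentication, and the hardened form.
Command names, sessions and origins below are constructed, hypothetical values."""
import base64
import hashlib
import json

# RFC 6455 handshake constant, used to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample state: one valid admin session, a trivial user store,
# and the only origin the local UI is served from (hypothetical).
SESSIONS = {"sess-7f3a": "admin"}
USERS = {"admin"}
ALLOWED_ORIGINS = {"http://localhost:8888"}


def cmd_list_users(args):
    return sorted(USERS)


def cmd_add_user(args):
    USERS.add(args["name"])
    return {"added": args["name"]}


# Hypothetical administrator commands reachable over the WebSocket channel.
COMMANDS = {"list_users": cmd_list_users, "add_user": cmd_add_user}


def session_principal(headers):
    """Return the user bound to the session cookie, or None if absent/invalid."""
    cookie = headers.get("Cookie", "")
    token = cookie[len("session="):] if cookie.startswith("session=") else ""
    return SESSIONS.get(token)


def http_request_is_authenticated(headers):
    """HTTP layer: the UI only renders for a valid session cookie."""
    return session_principal(headers) is not None


def run_command(frame_text):
    """Decode one JSON command frame and execute it against the command table."""
    msg = json.loads(frame_text)
    handler = COMMANDS.get(msg.get("cmd"))
    if handler is None:
        return {"error": "unknown command"}
    return handler(msg.get("args", {}))


def vulnerable_ws_dispatch(frame_text):
    """Vulnerable pattern: the socket handler never consults the session the
    HTTP UI required, so any peer that reaches the socket runs admin commands."""
    return run_command(frame_text)


def ws_accept_key(sec_websocket_key):
    """Sec-WebSocket-Accept per RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def hardened_ws_upgrade(headers):
    """Hardened pattern: authenticate and check Origin during the upgrade
    handshake, before any command frame is read.
    Returns (ok, accept_key_or_reason, principal)."""
    principal = session_principal(headers)
    if principal is None:
        return (False, "401: no valid session on upgrade", None)
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        # Blocks cross-site WebSocket hijacking from a page in the user's browser.
        return (False, "403: origin not allowed", None)
    key = headers.get("Sec-WebSocket-Key")
    if not key:
        return (False, "400: missing Sec-WebSocket-Key", None)
    return (True, ws_accept_key(key), principal)


def hardened_ws_dispatch(principal, frame_text):
    """Per-frame gate: a connection without an authenticated principal gets
    nothing, even if it somehow reached the dispatcher."""
    if principal is None:
        return {"error": "unauthenticated connection"}
    return run_command(frame_text)


if __name__ == "__main__":
    # Unauthenticated peer succeeds against the vulnerable dispatcher...
    print(vulnerable_ws_dispatch('{"cmd": "add_user", "args": {"name": "mallory"}}'))
    # ...and is refused at the handshake by the hardened one.
    print(hardened_ws_upgrade({"Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ=="}))
```

The point the hardened variant makes is that the WebSocket channel must inherit the same session decision as the HTTP UI at the moment of the upgrade, and the dispatcher must check a per-connection principal rather than trusting that "only the UI" talks to the socket; the Origin allowlist additionally stops a malicious web page in an authenticated user's browser from opening the socket on their behalf.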
Once inside the network, an attacker can perform management operations on a vulnerable system and push malicious logic to the adjacent industrial control systems that the engineering workstation legitimately programs. The same access can be used to collect data for planning further targeted attacks. Traditional protections for industrial control systems, such as air-gapped or segmented networks and firewalls, may not stop exploitation, because the vulnerable software sits on the engineering host that is already trusted to talk to the controllers.
Researchers say that vulnerabilities of this kind are usually found in older, unmaintained systems, whereas this one was discovered in a modern software platform that Siemens patches regularly. In addition, the Siemens equipment hit by the Stuxnet malware that attacked Iran's nuclear facilities roughly a decade ago is the same equipment affected by this vulnerability: TIA Portal is the successor to the Step 7 engineering software Stuxnet abused, and it programs the same SIMATIC PLC families, so the researchers drew a direct comparison with Stuxnet.
“There are several barriers to a successful attack on a PWR nuclear power plant. Foremost in the attack is the difficulty of the jump to an air-gapped network. This capability has been demonstrated several times in national level campaigns such as Duqu and Stuxnet using USB propagation. Additionally, modifying core control and emergency safety shutdown programmable logic in an active control network is a matter of preference. Stuxnet demonstrated a wrapped TCP library to modify communication from control servers to hardware. TRISIS demonstrated full PLC logic replacement as a means of subverting control and operational telemetry reporting.”