Imagine you’re a secret agent, and you’ve just discovered that the bad guys have a copy of your secrets decoder ring. Not such great news, right? That’s basically what happened to Siemens late last year. A bunch of hackers managed to get their hands on the global private keys for some of Siemens’ industrial devices – and that was quite bad PR, to say the least. If you’re wondering what a private key is, think of it as the secret handshake that lets your devices know you’re one of the good guys.
Source: Siemens
This incident has sent shockwaves through the cybersecurity world, and today, we will take a closer look at what happened.
Taking a closer look
Siemens is a household name when it comes to industrial automation. You probably use one of their home appliances like a washing machine, refrigerator, or dishwasher. However, their primary focus is to manufacture industrial equipment. Their Programmable Logic Controllers (PLCs) are used in various industries worldwide. However, a recent discovery by cybersecurity firm Claroty has put Siemens in the spotlight for all the wrong reasons.
Researchers at Claroty found a vulnerability (dubbed CVE-2022-38465) in Siemens’ SIMATIC S7-1500 PLCs. This vulnerability could allow threat actors to extract global private keys, install malicious firmware, and potentially take full control of these industrial devices. Well, let’s just say it’s like a secret entrance to the Batcave.
According to their claim, the researchers at Claroty extracted the private encryption keys by leveraging a previous vulnerability, CVE-2020-15782, to bypass native memory protections, gain read and write privileges in protected areas and perform remote code execution.
“This new knowledge allowed us to implement the full protocol stack, encrypt and decrypt protected communication, and configurations.” – Claroty
Even more recently, researchers at Red Balloon Security claimed they had discovered multiple architectural vulnerabilities in the same PLCs, and these issues are tracked as CVE-2022-38773. More than 100 models of S7-1500 PLCs are susceptible to this flaw. A successful exploit could give the threat actor the ability to persistently execute malicious code and gain total control of the devices without raising any red flags. Yikes.
What Siemens has to say
The vulnerability stems from a basic error in how the cryptography is implemented. Siemens can’t fix it through a software patch because the scheme is physically burned onto a dedicated physical secure element chip known as the ATECC108A CryptoAuthentication coprocessor. As a result, Siemens says it has no fix planned for any of the 100+ S7-1500 PLC models that the company, too, lists as being vulnerable.
To be fair, they opted to hardcode the credentials to save users and integrators from the complexities of key management systems, which did not exist at the time for industrial systems. However, times change, and the ever-growing threat landscape makes the practice unsafe, posing an unacceptable risk.
The gravity of this situation can’t be underplayed. A threat actor with enough information and willpower could leverage the hardcoded encryption keys to bypass all protection levels and perform sophisticated attacks on any industrial device that uses these PLCs. This exploit is invaluable for nation-state attackers interested in cyber warfare against adversaries’ critical infrastructure.
Industrial cybersecurity and secrets management
This incident is a wake-up call not only for Siemens but for the industrial sector as a whole. As our systems become increasingly digital and interconnected, the need for robust secrets management is more critical than ever.
Source: Unsplash
In the future, we can expect secrets management to take center stage in industrial cybersecurity, and we need to lead the charge. We need solutions that address the unique challenges of this field, and the only obvious answer here is monitoring secrets and identifying unusual patterns so as to tackle the security issues at hand proactively.
How Entro’s solution offers a robust approach to secrets management
We at Entro, are here to ensure your secrets stay safe. This will give you the confidence to focus on your core operations, whether that’s research and development or running your day-to-day business. Here’s what Entro brings to the table:
- Discovering all secrets: We locate all your secrets, no matter where they’re stored – in vaults, secret stores, collaboration tools, or CI/CD pipelines. Consider us your comprehensive solution for secrets discovery.
- Secrets enrichment: We add valuable metadata to each secret, such as the secret owner, creation date, last rotation time, and more. This provides each secret with a unique context, enhancing your understanding and control over your secrets.
- Anomaly detection/continuous monitoring: We continuously monitor your secrets and alert you if we detect any suspicious activity. This proactive approach helps you stay ahead of potential threats.
- Misconfiguration alerts: We notify you of any misconfigurations around your vaults, secret stores, or secrets. This ensures you’re always aware of potential security issues and can promptly take action.
- Principle of least privilege: We ensure your secrets only have the necessary permissions, reducing your attack surface. This approach minimizes the potential damage in case a secret is compromised.
- Bring your own Vault: You can integrate any vault or secret store you want, and we’ll keep it secure and compliant. This flexibility allows you to customize your secrets management to best suit your needs.
Wrapping up
In the case of Siemens, using hardcoded global private keys across multiple devices made it possible for a single vulnerability to have far-reaching consequences. With Entro’s secrets managment and security solution, each secret can be placed anywhere and be monitored individually, and you can be alerted when any device or service does not have a unique key. This reduces the potential impact of a single compromised key. Moreover, Entro’s continuous monitoring and anomaly detection could help identify unusual patterns of behavior or misuse of secrets, providing an additional layer of security. What happened with Siemens can happen to anyone, and we will hear about it again. But with robust secrets management and security that Entro enables, there’s still hope you can keep your secrets from prying eyes. Entro provides holistic protection for your secrets wherever they are. Why not explore what Entro can do for you? After all, every Batman needs a Robin as every security professional needs Entro to secure its secrets to avoid a destructive breach like this one.
The post The Siemens PLC vulnerability: a deep dive into industrial cybersecurity appeared first on Entro.
*** This is a Security Bloggers Network syndicated blog from Entro authored by Adam Cheriki, Co-founder & CTO, Entro. Read the original post at: https://entro.security/blog/the-siemens-plc-vulnerability-a-deep-dive-into-industrial-cybersecurity/