The rapid global growth of the Industrial Internet of Things (IIoT) has connected machines and devices in far-flung industries such as manufacturing, healthcare, transportation, and others that were once safely secured behind physical locked doors. But that transformation also presents new security challenges as many of these devices are now controlled by centralized management systems.

Consider, for example, the widespread use of the Siemens TIA Portal management and control system, which is used across healthcare, utilities, power grids, nuclear plants, roller coasters and manufacturing. A recently disclosed vulnerability, CVE-2019-10915, specifically affects the TIA Portal. Siemens has since provided a patch that prevents unauthenticated instructions from other processes.

Exploit Analysis

The Siemens TIA Portal uses Node.js for managing a fleet of Siemens control systems. A takeover of the TIA Portal could enable an attacker to perform firmware upgrades or control the speeds of centrifuges. The Node.js service correctly authenticates calls from remote machines. The issue, however, is that it accepted unauthenticated commands over WebSockets from any process on the local system.

Exploitation of anything on the same server, including a browser or another vulnerable process, could enable an attacker to send arbitrary commands to the TIA Portal and, through the TIA Portal, cascade those commands to the entire fleet of Siemens controllers. Specifically, the protection is to restrict inbound traffic from the local host to port 8888.

The good news is that Symantec CWP and DCS offer premier protection for a variety of sophisticated computer installations, including on-premises datacenters, Infrastructure as a Service platforms such as AWS, Azure, GCP and Oracle, and Industrial Control Systems. Cloud Workload Suite protects against major datacenter vulnerabilities such as Docker Doomsday and the Tesla attack, and those affecting Siemens critical systems.

About the Author

Ashok Banerjee

CTO for Enterprise Security Products – Symantec

Ashok is the CTO for Enterprise Security Products. His efforts span endpoints, on-premises datacenters and the cloud, and cover Threat Protection, Information Protection, Email Security, Endpoint Management, Compliance and Industrial IoT.