sb-nz logo
Story image

Claroty reveals DoS vulnerability in Siemens protocol

20 Feb 2020

Claroty has today announced its discovery of a vulnerability in the Siemens Digsi 4 protocol. 

The threat allows for a denial-of-service (DoS) attack against Siemens SIPROTEC 4 protection relays, designed specifically for electrical substations. 

The vulnerability was discovered by Claroty researcher Tal Keren.

The security breach represents the same protocol that was exploited by the Industroyer malware, also referred to as Crashoverride, which was used to attack a Ukrainian power grid in 2016.   

Claroty immediately reported this research and coordinated with Siemens, which has now released an advisory with workarounds and mitigations.

It contained targeted industrial cybersecurity (ICS) payloads that allowed it to communicate using ICS protocols and specifically attack the electrical substations of the targeted companies. 

An important component in a substation is the protection relay, which is responsible for monitoring the actual current transmitted in every location and may trip any circuit breaker if anything unexpected happens. 

Without this protection relay, anything from a power outage to physical damage and even safety issues could occur.

Some of the payloads used by Industroyer were designed to cause DoS on the protection relays and remote terminal units (RTU) used in the targeted power grid companies and act as a kill switch. 

One of the specifically targeted ICS payloads found in the Industroyer malware that was implemented caused DoS on Siemens SIPROTEC 4 protection relays. 

This vulnerability used the SIPROTEC 4 programming protocol (Digsi 4) that communicates over UDP port 50000, and the proof of concept (POC) code implementing it is available publicly.  

The newest vulnerability discovered by Claroty uses a malicious packet in that same protocol to cause a DoS on those relays, thus allowing an attacker to reproduce the damage caused by Industroyer. 

This Digsi4 protocol allows users to program the protection relay and change its behaviour.

This protocol was developed by Siemens as a proprietary protocol.

The challenge for traditional IT security products aiming to protect against such attacks is exacerbated, as a specific understanding of the protocol and deep packet inspection (DPI) capabilities are required. 

The advisory published by Siemens contains workarounds and mitigations for this issue. 

Siemens has also improved security in the newer SIPROTEC 5 relays, whose communication protocol is encrypted and utilises improved security. 

Many other protection relays and other types of ICS hardware in the industry use proprietary protocols for programming purposes.

Securing these critical devices requires a deep understanding of those protocols, a fundamental knowledge of Operational Technology (OT) security, and continuous research to find and map potential vulnerabilities—whether in the design of the protocol, implementation, or determining attempts to abuse it.

Story image
SMBs seeking service providers in face of rising cyber threats
SMBs are struggling with their cybersecurity solutions, with three quarters worried about being the target of a cyberattack in the next six months, and 91% considering using or switching to a new IT service provider if offered a better option.More
Story image
The importance of selecting a secure SD-WAN solution
It’s essential to adopt a secure SD-WAN solution to avoid the risks that an unsecured SD-WAN solution can introduce, writes Wavelink managing director Ilan Rubin.More
Story image
Fortinet’s ‘zero trust’ approach redefining security
Cornelius Mare, Fortinet A/NZ Director, Security Solutions, explains why taking a ‘zero trust network access’ approach to cybersecurity requires fully-integrated and comprehensive security services and policies.More
Story image
CrowdStrike integrates with ServiceNow program to bolster incident response
As part of the move, users can now integrate device data from the CrowdStrike Falcon platform into their incident response process, allowing for the improvement of both the security and IT operation outcomes.More
Story image
NZTech chief hopeful for greater diversity in tech sector
With the most diverse board ever, Muller has released a statement that highlights greater inclusion as the tech sector thrives in a pandemic-hit NZ.More
Story image
Plugging the gaps: Australian organisations are leaving their defence barriers wide open
Cybercriminals are are walking through the gaping holes in Australia’s organisational defences – gaps that leadership teams don’t even realise are there.More