A new vulnerability in a Siemens software platform has been discovered by system audit specialists. If exploited, this flaw would allow hackers to gain access to industrial control systems, which work with this software, to carry out espionage activities or even hardware failures on compromised systems.
One of the main industries that employ these
systems is the nuclear power sector. According to the report, the vulnerability
affects the same software platform used by the creators of the Stuxnet
malware to compromise the systems of an Iranian nuclear facility nearly ten
years ago.
A few weeks ago, Siemens
received the bug report and released a correction patch. Joe Bingham, system
audit expert at security firm Tenable, added that there is no evidence to prove
that the vulnerability has been exploited in the wild, at least so far. The
company and experts invite organizations using this industrial control software
to install the patch as soon as possible.
Through a statement, the company reported,
“We released an update for TIA Administrator that fixes a newly discovered
vulnerability,” they mention. “Siemens recommends that administrators
follow our recommendations to complement safety measures in any industrial
environment.” The vulnerability affects Siemens STEP 7 TIA Portal, a
widely used design and automation software for industrial control systems.
Although system audit experts claim that the
complexity of exploiting this flaw is very high, if successfully performed, an
attacker could deploy multiple tasks, such as moving from one system to another
and causing extensive damage; “hackers could exploit this vulnerability
for industrial espionage, network mapping, and data extraction”, the
experts added.
Recently, researchers have focused on
vulnerabilities affecting industrial control systems because, over time, they
realized that these critical implementations are a particular interest for
hacker groups. According to the experts of the International Institute of Cyber
Security (IICS) the most interested in these flaws are the hacker groups
sponsored by governments around the world, which try to exploit these
vulnerabilities to carry out espionage or disruptive activities.
