Tenable Research discovers high impact vulnerability in Siemens critical infrastructure design and automation software

Published: Wednesday, 10 July 2019 07:49

Tenable has announced that its research team has discovered a critical vulnerability in Siemens STEP 7 TIA Portal, design and automation software for industrial control systems (ICS). The vulnerability, which impacts the same family of devices compromised in the STUXNET attack, could be used as a stepping stone in a tailored attack against critical infrastructure, with the potential for catastrophic damage.

The flaw [CVE-2019-10915] would allow an unauthenticated, remote attacker to perform any administrative actions on the system, enabling them to add malicious code to adjacent ICS. A bad actor could also exploit the vulnerability to harvest data in order to plan a future, targeted attack. The delicate nature and function of critical infrastructure means a successful cyber attack could result in damage to operational technology equipment; disruption of operations; destruction of hardware; or cyber espionage.

Siemens has released patches to address this vulnerability. Users are urged to confirm that their systems have been updated to the latest version.

More details.