Unpatched OpenSSL holes found on Siemens ICSs
Posted on 21 July 2014.
A number of Siemens industrial products have been found sporting four vulnerabilities in their OpenSSL implementation, which could lead to man-in-the-middle (MitM) attacks or the crashing of web servers of the products.

The flaws can be exploited remotely, and exploits that target these OpenSSL vulnerabilities are publicly available, the US Industrial Control Systems Cyber Emergency Response Team (ISC CERT) warned on Thursday.

Of the six affected products, security updates for patching the holes are available only for two.

Until the other four receive a patch, the company has issued a list of actions customers can undertake to mitigate the risk of attacks.

"The affected Siemens industrial products are for process and network control and monitoring in critical infrastructure sectors such as Chemical, Critical Manufacturing, Energy, Food and Agriculture, and Water and Wastewater Systems," ISC CERT noted. "The vulnerabilities identified could impact authenticity, integrity, and availability of affected devices."

"Impact to individual organizations depends on many factors that are unique to each organization," they noted, and added that assets owners can additionally protect their systems against general cybersecurity risks by - if possible - making sure they are not accessible from the Internet; by putting the systems behing firewalls and isolating them from the business network; and by using secure methods to access them remotely.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th