Siemens recently addressed a critical vulnerability impacting some of its industrial control systems (ICS) designed for the energy sector, which could enable malicious hackers to destabilize a power grid. Researchers who discovered the security flaw reported that the vulnerability, identified as CVE-2023-28489, affects the CPCI85 firmware of Sicam A8000 CP-8031 and CP-8050 products. An unauthenticated attacker could exploit this vulnerability for remote code execution. These products are remote terminal units (RTUs) intended for telecontrol and automation in the energy supply sector, particularly substations.
Patches for this vulnerability are available in firmware versions CPCI85 V05 or later. Siemens also mentioned that the risk of exploitation can be reduced by limiting access to the web server on TCP ports 80 and 443 using a firewall. Siemens was informed about the flaw by a team of researchers at cybersecurity consultancy SEC Consult, which is now part of Eviden, an Atos business.
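The mitigation Siemens describes (restricting access to the RTU's web server on TCP ports 80 and 443 with a firewall) can be expressed as a small perimeter ruleset. The example below is added here for illustration and is not from the Siemens advisory or the SEC Consult report; the RTU address 10.10.20.5 and the engineering subnet 10.10.1.0/24 are assumed values, and the ruleset uses nftables syntax on a Linux firewall that forwards traffic into the substation network.

```nftables
# Added example ruleset (nftables), not part of the vendor advisory.
# Assumptions: the SICAM RTU sits at 10.10.20.5 behind this firewall, and the only
# hosts that legitimately need its web interface are the engineering workstations
# in 10.10.1.0/24. Adjust both values to the real network before loading.
table inet rtu_filter {
    # Hosts allowed to reach the RTU web server; kept in a set so it is easy to audit.
    set mgmt_hosts {
        type ipv4_addr
        flags interval
        elements = { 10.10.1.0/24 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Let already-established sessions continue (e.g. telecontrol links).
        ct state established,related accept

        # Engineering workstations may open HTTP/HTTPS sessions to the RTU.
        ip saddr @mgmt_hosts ip daddr 10.10.20.5 tcp dport { 80, 443 } accept

        # Any other source trying to reach the RTU web ports is logged, then dropped.
        # The log prefix gives the SOC a simple string to alert on.
        ip daddr 10.10.20.5 tcp dport { 80, 443 } log prefix "rtu-web-blocked: " drop
    }
}
```

Load it with `nft -f <file>` on the firewall and confirm with `nft list ruleset`. Restricting the web ports to a management subnet is a workaround, not a fix: the patched CPCI85 firmware is still required, and the log line on the final rule is worth forwarding to a SIEM, since any hit on it is a host that should not be talking to the RTU's web interface at all.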
Johannes Greil, head of the SEC Consult Vulnerability Lab, told reporters that an attacker who can exploit CVE-2023-28489 can take complete control of a device, potentially destabilizing a power grid and possibly even causing blackouts by altering critical automation parameters. Threat actors could also use the vulnerability to implement backdoors. Greil noted that since these devices are mostly used in critical infrastructure environments, they are typically 'strongly firewalled' and not directly accessible from the internet. However, he added, "It cannot be ruled out though that some devices might be reachable through 3rd party support access connections or potential misconfigurations."
Exploiting CVE-2023-28489 allows an attacker with network access to the targeted device to gain full root access without any prior authentication. The exploitation involves sending a specially crafted HTTP request to the targeted RTU. The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory in April to inform organizations about the vulnerability.
Greil highlighted that Siemens Sicam products are among the first devices globally to receive 'maturity level 4' certification in the Industrial Cyber Security category. This certification, IEC62443-4-1, indicates that security was a crucial factor throughout the design and development process, and that the product has undergone rigorous testing. SEC Consult is not currently releasing any technical details to prevent potential misuse of the information by malicious hackers. However, the company informed reporters that it has discovered multiple vulnerabilities in Siemens products that are in the process of being fixed, and some technical details will be disclosed after patches are rolled out.