Home / / Tenable discovers vulnerability in Siemens critical infrastructure design software

Tenable discovers vulnerability in Siemens critical infrastructure design software

The delicate nature and function of critical infrastructure means a successful cyberattack could result in cyber espionage

Tenable discovers vulnerability in Siemens critical infrastructure design software
Renaud Deraison, chief technology officer and co-founder, Tenable.

Tenable announced its research team discovered a critical vulnerability in Siemens STEP 7 TIA Portal, design and automation software for industrial control systems (ICS).

The vulnerability, which impacts the same family of devices compromised in the STUXNET attack, could be used as a stepping stone in a tailored attack against critical infrastructure, with the potential for catastrophic damage.

The flaw [CVE-2019-10915] would allow an unauthenticated, remote attacker to perform any administrative actions on the system, enabling them to add malicious code to adjacent ICS. A bad actor could also exploit the vulnerability to harvest data in order to plan a future, targeted attack. The delicate nature and function of critical infrastructure means a successful cyberattack could result in damage to operational technology equipment, disrupt operations, destruction of hardware or cyber espionage.

"Attacks on critical infrastructure go well-beyond cyberspace - they have the potential to cause physical damage and harm. And the threats to these often-delicate systems cannot be overstated," said Renaud Deraison, chief technology officer and co-founder, Tenable. "Cooperation and collaboration between researchers and vendors are of utmost importance when it comes to vulnerability disclosures. Tenable Research is committed to working with willing vendors, like Siemens, to protect organizations everywhere from new and emerging threats."

Siemens has released patches to address this vulnerability. Users are urged to confirm their systems have been updated to the latest version.

Follow us to get the most comprehensive IT Security news delivered fresh from our social media accounts on Facebook, Twitter, Youtube, and listen to our Weekly Podcast. Click here to sign up for our weekly newsletter on curated technology news in the Middle East and Worldwide.

REGISTER NOW | Webinar Event | Security you can bank on – Safeguarding the Middle East’s financial sector

Presented in partnership with security and network specialist Cybereason, the second in the three part webinar series will bring together a panel of experts to discuss how banks and financial institutions are evolving their service offering while simultaneously staying one step ahead of the cyber criminals who seek to bring their operations crashing to the ground.

CHANNEL AWARD 2018