Siemens patches Heartbleed in popular SCADA system

Siemens released a security update to address the Heartbleed vulnerability in SIMATIC WinCC Open Architecture, a SCADA (supervisory control and data acquisition) system that’s used in a large number of industries to operate processes, machines and production flows.

Heartbleed is a critical security flaw discovered earlier this month in OpenSSL, the most popular implementation of the TLS (Transport Layer Security) and SSL (Secure Sockets Layer) protocols.

[ InfoWorld’s expert contributors show you how to secure your Web browsers in a free PDF guide. Download it today! | Learn how to protect your systems with Roger Grimes’ Security Adviser blog and Security Central newsletter, both from InfoWorld. ]

The vulnerability can be exploited to extract passwords, encryption keys and other potentially sensitive information from the memory of TLS servers and clients that rely on OpenSSL for encrypted communications. While most of the discussion surrounding the vulnerability has focused on how it impacts Web servers, the flaw also affects desktop and mobile applications, embedded systems like routers, hardware appliances and industrial control systems, including those potentially used in critical infrastructure.

Siemens updated its Heartbleed security advisory Friday to announce the availability of WinCC OA version 3.12-P006 that fixes the flaw for WinCC OA 3.12, the only affected version of the product according to the company.

However, Heartbleed also affects other Siemens products: eLAN prior to version 8.3.3 when RIP is used, S7-1500 V1.5 when HTTPS is active, CP1543-1 V1.1 when FTPS is active and APE 2.0 when the SSL/TLS component is used in customer implementations.

ELAN customers can solve the security issue by updating to version 8.3.3, but the other affected products are yet to receive patches. In the meantime, Siemens suggests several mitigations in its security advisory that involve disabling or restricting access to the web server in S7-1500 and disabling or restricting access to FTPS in CP1543-1.

APE 2.0 customers can upgrade the OpenSSL installation in the product to version 1.0.1g by following instructions in a separate advisory published on the RuggedCom website. RuggedCom is a subsidiary of Siemens and the original maker of the product.