February 11, 2016 By Douglas Bonderud

Programmable logic controllers (PLCs) aren’t the first device class that leaps to mind when considering popular attack vectors. According to SecurityWeek, however, two new flaws have been discovered in the popular Siemens S7-1500 CPU line of PLCs — one of which earns a high-severity CVSS v3 risk score of 7.5.

Siemens has already taken steps to remedy the issues, but with the Internet of Things (IoT) quickly becoming a high-value target, it’s worth taking a hard look at these new logical gaps.

High-Severity Issues

As noted by the SecurityWeek piece, French security firms Lexfo and Amossys reported the two Siemens flaws — CVE-2016-2200 and CVE-2016-2201 — to the country’s National Agency for Computer Security (ANSSI). They did so after discovering the issues affected all firmware prior to 1.8.3, which fixes the problems. Both exploits required attackers to gain network access; Siemens itself recommended operating the S7-1500 line on trusted networks in any case.

Of the two, CVE-2016-2201 poses the less serious threat: The flaw makes it possible for attackers to reduce the efficiency of a feature designed to guard against relay attacks. Combined with sophisticated relay attacks, this flaw could be devastating, but it is clearly the exception rather than the rule — good to know but hardly an immediate threat.

CVE-2016-2200, meanwhile, is a different animal. By sending specific data packets to port 102/TCP, it’s possible to cause a full device STOP that can only be corrected with a manual RUN command. The result? Potentially devastating denial of service (DoS).
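For defenders, the two facts above (fixed firmware 1.8.3, exposure via port 102/TCP) translate into a simple audit. The following is an added example, not code from Siemens or the original article; the inventory, the firewall rule format and all addresses are constructed, and the rule check is simplified to "any allow rule counts" rather than modeling first-match ordering.

```python
import ipaddress

FIXED = (1, 8, 3)   # firmware release the article says fixes both CVEs
S7_PORT = 102       # TCP port named for CVE-2016-2200

def parse_fw(text):
    """'V1.8.3' -> (1, 8, 3); short strings are padded, so '1.8' is 1.8.0."""
    parts = [int(p) for p in text.strip().lstrip("Vv").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def untrusted_sources(plc_ip, rules, trusted):
    """Sources of allow rules that reach plc_ip:102 from outside trusted nets."""
    plc = ipaddress.ip_address(plc_ip)
    hits = []
    for rule in rules:
        if rule["action"] != "allow" or rule["port"] not in (S7_PORT, "any"):
            continue
        if plc not in ipaddress.ip_network(rule["dst"]):
            continue
        src = ipaddress.ip_network(rule["src"])
        if not any(src.subnet_of(net) for net in trusted):
            hits.append(rule["src"])
    return hits

def audit(inventory, rules, trusted_cidrs):
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for dev in inventory:
        # Tuple comparison is numeric: 1.10.0 is newer than 1.8.3,
        # which a plain string comparison would get wrong.
        needs_update = parse_fw(dev["firmware"]) < FIXED
        sources = untrusted_sources(dev["ip"], rules, trusted)
        if needs_update or sources:
            findings.append({"name": dev["name"], "needs_update": needs_update,
                             "untrusted_sources": sources})
    return findings

# Constructed sample data (hypothetical plant network)
INVENTORY = [
    {"name": "press-line-1", "ip": "10.20.1.10", "firmware": "V1.8.2"},
    {"name": "press-line-2", "ip": "10.20.1.11", "firmware": "V1.10.0"},
    {"name": "packaging-1", "ip": "10.20.2.10", "firmware": "1.8"},
]
RULES = [
    {"action": "allow", "src": "10.20.0.0/16", "dst": "10.20.0.0/16", "port": 102},
    {"action": "allow", "src": "10.50.0.0/16", "dst": "10.20.1.0/24", "port": 102},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "10.20.0.0/16", "port": "any"},
]
TRUSTED = ["10.20.0.0/16"]

if __name__ == "__main__":
    print(*audit(INVENTORY, RULES, TRUSTED), sep="\n")
```

A patched controller can still appear in the findings: in the sample data, `press-line-2` runs fixed firmware but is reachable on port 102 from a network outside the trusted range.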

These aren’t the first security flaws for Siemens devices this year. In January, the company released firmware updates for its line of building automation products to combat a cross-site scripting (XSS) vulnerability.

Fundamental Flaw?

So what’s the logical conclusion here? Does Siemens simply make a product that can’t hack it in the industrial IoT market? Hardly. As noted by The Enterprisers Project, the issue is endemic to IoT itself, a fundamental flaw built into the notion of an always-connected network.

Here’s the issue: Many devices now connected to both corporate networks and the Internet at large were never designed to fulfill this function. Instead, they were purpose-built to complete a specific task that didn’t require any type of Internet-facing safeguards.

As a result, industrial control systems (ICS), supervisory control and data acquisition (SCADA) devices and PLCs typically have minimal defenses — if any — against determined attackers. That problem is rapidly widening in scope as more Internet-facing devices are deployed and residential users begin adopting similar technology, creating a massive attack surface for cybercriminals.

In fact, residential devices may form the foundation of new attacks on large-scale energy grids. As reported by Wired, a team of researchers discovered it’s possible to hack remote shutoff devices on residential and commercial air conditioners — used to conserve energy during peak periods — and instead turn them on full blast, creating demand that’s impossible for energy producers to meet. That could overload grids and send an entire city into darkness.

Bottom line? There’s a logic to the new attacks on IoT devices: They’re simply not ready to handle advanced threats. Companies like Siemens are doing their best to patch in effective countermeasures after the fact, but changing this paradigm requires more than new firmware. Native IoT security must replace ad hoc defense for companies to completely plug high-severity gaps and bring connected devices up to par with evolving security standards.
