Affected Systems Include: SIEMENS Multi Panel HMIs (MP377)
- Internet Access
- Web Browser for searching the Shodan IoT database
- SIEMENS Sm@rtClient utility. This utility is included with the full installation of WinCC Flex 2008. WinCC Flex 2008 may be downloaded from the SIEMENS website after an online registration process. Once registered, the user must request download access from SIEMENS. Access to the downloads was granted in less than a day.
- Default password for the Sm@rtClient services is “100”, without the quotes.
Objective: target SIEMENS Multi Panel HMIs (Human Machine Interfaces), such as the MP377, that are directly connected to the Internet, and show how easily such systems can expose a critical infrastructure device or process.
The SIEMENS Sm@rtClient services make it possible to view and control an HMI from a remote location. A typical use would be at a manufacturing facility where a supervisor wants to see the details of a process from their office. Another use would be to minimize costs by installing only 1 HMI for a production line and placing a desktop computer with the Sm@rtClient utility installed at another point on the production line, allowing control from multiple locations.
This guide will demonstrate the immediate need for a change in the way that non-security-conscious Controls Systems Integrators access and install their equipment. There is a general gap in knowledge between Systems Integrators who are programming the PLCs, HMIs, and SCADA systems and their IT counterparts when dealing with new or updated systems at manufacturing facilities. The Integrators generally do not have the knowledge or mindset needed to set up a well-secured system. Integrators are usually concerned only with being able to access the control devices (HMIs, etc.) remotely, both to avoid additional trips onsite, which can be a costly endeavor over time, and to provide quick support for their customers.
This approach has left many unprotected controls system devices wide open on the Internet, available to anyone who would wish to misuse them. These systems can include critical infrastructure, school systems, manufacturing facilities, car washes, etc.
The PDF version of this guide is available here
- Navigate a web browser to the SHODAN search engine https://www.shodan.io/
- Type the following text into the search field: mp377
- Press the “Enter” key to display the search results. The results should resemble the following:
Here is a close up of one of the results.
The search has identified a SIEMENS MP377 Multi Panel HMI that is directly connected to the Internet at the IP address on the left hand side. We now have all the information needed to connect to the HMI with the Sm@rtClient utility and interact with the device as if we were standing directly in front of it.
- Install the SIEMENS WinCC Flex 2008 software. WinCC Flex is programming software used to develop screens for SIEMENS Multi Panel HMIs, which come in many different models, sizes, and resolutions. More information can be found here.
- To download the software, navigate a web browser to this address: https://support.industry.siemens.com/cs/start?lc=en-US
- Use the search bar on the SIEMENS website to search for the following number: 100777999
- Shown below is the download section for the software. For this demo we want to download and install the “WinCC flexible 2008 SP3 Compact/Standard/Advanced Trial” software. Be sure to download all 6 files.
- Once all files have been downloaded, begin a full installation of the software. The installation should look like the following image.
- Once the software has been installed, use the start menu to run the Sm@rtClient utility. It should be located in the Siemens Automation > SIMATIC > WinCC flexible Runtime 2008 folder.
- The “New Sm@rtserver Connection” dialog box will now be displayed.
- Type in an IP address identified earlier by the Shodan search results. Click “Connect”
- If the HMI is available, you will be asked for authentication credentials. No User Name is needed and this field will be skipped. The default password set by SIEMENS is “100”, without the quotes. Enter the password and click “OK”.
Note: If this password does not work, it has been changed from the default and the connection will not be allowed.
- Upon successful authentication the HMI graphic will be displayed. The utility is designed to mimic the actual look and feel of the physical device. You should see a screen similar to the following image.
- At this point the default settings should allow full navigation and control of the HMI using the Sm@rtClient utility. The process can now be analyzed, mined for information, or immediately altered.
As stated previously, this write-up was created with the intention of showing how easily accessible Industrial Controls Systems currently are, in the hope that it can be an eye-opening experience for everyone in the industry. We all need to make sure we have properly trained Systems Integrators, Information Technology staff, and maintenance personnel working on our critical infrastructure controls systems.
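For site owners, the two conditions this guide relies on (an HMI addressed directly on the Internet, and the Sm@rtClient password left at its default) can be checked against an asset inventory. The following is an added example, not part of the original guide or any SIEMENS tool; the CSV columns, device names, and addresses are constructed assumptions (203.0.113.0/24 is a documentation range).

```python
import csv
import io
import ipaddress

# Private ranges per RFC 1918; as a simplification, any address outside
# them is treated as Internet-facing.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hypothetical columns and device names).
INVENTORY = """name,model,address,remote_access,password_changed
line1-hmi,MP377,10.20.1.15,yes,no
pump-hmi,MP377,203.0.113.40,yes,no
wash-hmi,MP377,203.0.113.41,yes,yes
pack-hmi,MP377,192.168.5.9,no,no
old-hmi,MP377,not-an-ip,yes,no
"""

def is_yes(value):
    return value.strip().lower() == "yes"

def audit(inventory_csv):
    """Return (device, severity, reason) findings for HMIs with remote access enabled."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_yes(row["remote_access"]):
            continue  # remote access disabled: out of scope for this check
        try:
            addr = ipaddress.ip_address(row["address"].strip())
        except ValueError:
            findings.append((row["name"], "REVIEW", "address not parseable, verify by hand"))
            continue
        internet_facing = not any(addr in net for net in RFC1918)
        default_password = not is_yes(row["password_changed"])
        if internet_facing and default_password:
            findings.append((row["name"], "CRITICAL", "Internet-facing with default password"))
        elif internet_facing:
            findings.append((row["name"], "HIGH", "Internet-facing remote access"))
        elif default_password:
            findings.append((row["name"], "MEDIUM", "default password on internal network"))
    return findings

if __name__ == "__main__":
    for name, severity, reason in audit(INVENTORY):
        print(f"{severity:8} {name:10} {reason}")
```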