An easily-exploited remote execution flaw in a Siemens industrial control system was "likely" targeted in recent attacks, according to the US Department of Homeland Security (DHS).
The DHS's industrial control systems cyber emergency response team (ICS-CERT) has issued a warning over two bugs relating to its WinCC application, a supervisory control and data acquisition (SCADA) system used in industrial facilities, such as chemical plants.
The bugs also affect other Siemens software which uses WinCC, including SIMATIC PCS7 and TIA Portal — two separate SCADA products by the company.
ICS-CERT said in its advisory on Tuesday that "indicators exist that this vulnerability may have been exploited during a recent campaign".
However, Siemens did acknowledge it had received assistance from ICS-CERT and Symantec Deepsight Intelligence, the company's service that collects and analyses cyberthreat information.
According to ISC-CERT, the vulnerabilities can be exploited remotely by an "attacker with a low skill" level.
The two bugs have been designated the official identifiers CVE-20140-8551 and CVE-20140-8552, which have a respective CVSS v2 base score of 10 and 7.8. The scores reflect the severity of the bugs, which can be between 0 at the low end and 10 at the highest.
According to Siemens, both bugs concern a "component within WinCC could allow remote code execution for unauthenticated users if specially crafted packets are sent to the WinCC server".
Siemens has released a number of upgraded versions of affected systems and, according to ISC-CERT, will release further updates as they become available.
Customers of affected products have been advised to implement a number of measures to mitigate the risk of attack, including using current whitelisting, and running WinCC server and engineering stations within a trusted network.
SCADA security came under the spotlight, which targeted Siemens' WinCC software, and was widely thought to be developed by the US and Israel to damage equipment at an Iranian nuclear facility.