The Discovery and Basic Configuration Protocol (DCP) is widely used in industrial environments. The protocol specification describes several functions intended for special operational cases such as the initial setup or reset of a component. Because DCP was not designed as a security protocol, an attacker could abuse it to affect the availability of affected products. The protocol is also used in PROFINET communication when no security class configuration is used.
This bulletin describes the same behavior that is described in the PROFINET Security Advisory PISA-001 by the PI Organization.
Affected products are all PROFINET products that do not comply with PROFINET Security Class 1, and products that can be operated in a PROFINET network or that support configuration using DCP.
When DCP is activated, attackers could configure the connected components according to the specification. However, attacks are only possible from the local network as DCP is a layer 2 protocol and therefore not routable. An attacker could perform the following actions:
A successful attack could thus create a denial of service condition by changing the parameters of a component.
Siemens recommends that customers implement the following mitigations where applicable:
Where it is not possible to deactivate the usage of DCP, ensure a strict access policy to your network.
Details on how to disable the protocol or configure a PROFINET Security Class can be found in the dedicated manual of your components.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
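One way to check that such an access policy holds on a segment where DCP stays enabled, as an added example that is not part of the Siemens bulletin: it parses raw Ethernet frames from a monitoring port and reports DCP Set requests whose source MAC is not an approved engineering station. The frame constants (EtherType 0x8892, FrameID 0xFEFD, ServiceID 4) come from the PROFINET DCP frame layout, not from this bulletin; the allow-list, helper names and MAC addresses are hypothetical.

```python
import struct

ETHERTYPE_VLAN = 0x8100      # 802.1Q tag
ETHERTYPE_PROFINET = 0x8892  # PROFINET real-time frames, including DCP
FRAME_ID_GET_SET = 0xFEFD    # DCP Get/Set FrameID
SERVICE_SET, TYPE_REQUEST = 0x04, 0x00

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_dcp_set_request(frame: bytes):
    """Return (src_mac, dst_mac, xid) for a DCP Set request, else None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    while ethertype == ETHERTYPE_VLAN:  # skip one or more 802.1Q tags
        if len(frame) < offset + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETHERTYPE_PROFINET or len(frame) < offset + 12:
        return None  # not PROFINET, or shorter than the 12-byte DCP header
    fid, sid, stype, xid = struct.unpack_from("!HBBI", frame, offset)
    if (fid, sid, stype) != (FRAME_ID_GET_SET, SERVICE_SET, TYPE_REQUEST):
        return None
    return mac(frame[6:12]), mac(frame[0:6]), xid

def unauthorized_set_requests(frames, allowed_sources):
    """DCP Set requests sent by MACs outside the approved station list."""
    allowed = {m.lower() for m in allowed_sources}
    parsed = (parse_dcp_set_request(f) for f in frames)
    return [p for p in parsed if p and p[0] not in allowed]

# Constructed sample frames (header only, no captured traffic; MACs made up).
def _frame(src, service_id, xid, vlan=False, dst="020000000010"):
    tag = struct.pack("!HH", ETHERTYPE_VLAN, 0xC000) if vlan else b""
    dcp = struct.pack("!HBBIHH", FRAME_ID_GET_SET, service_id, 0, xid, 0, 0)
    return (bytes.fromhex(dst) + bytes.fromhex(src) + tag
            + struct.pack("!H", ETHERTYPE_PROFINET) + dcp)

SAMPLE_FRAMES = [
    _frame("020000000001", 0x04, 1),             # Set from approved station
    _frame("0200000000aa", 0x04, 2),             # Set from unknown source
    _frame("0200000000aa", 0x03, 3),             # Get request, ignored
    _frame("0200000000bb", 0x04, 4, vlan=True),  # Set inside a VLAN tag
]
ALLOWED = {"02:00:00:00:00:01"}  # hypothetical engineering station
if __name__ == "__main__":
    print(unauthorized_set_requests(SAMPLE_FRAMES, ALLOWED))
```
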
Siemens Security Bulletins are subject to the terms and conditions contained in Siemens’ underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Bulletin, the Terms of Use of Siemens’ Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.