In the high-stakes world of industrial cybersecurity, a recent decision by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to halt updates on critical Siemens security advisories has sent ripples through critical infrastructure sectors. This administrative pivot centers on CVE-2024-35783—a severe vulnerability in Siemens' Process Control System 7 (PCS 7) software—alongside other unpatched flaws in the company's widely deployed industrial control systems. These systems form the operational backbone of power plants, manufacturing facilities, and water treatment centers globally, making the exposure of these vulnerabilities particularly alarming for national security and industrial operations.

The Vulnerabilities at a Glance

CISA's archived advisory reveals three critical vulnerabilities affecting Siemens products, with CVE-2024-35783 standing out due to its maximum CVSS score of 10.0. Verified through Siemens’ own security notifications and cross-referenced with the National Vulnerability Database (NVD), this flaw allows unauthenticated attackers to remotely execute arbitrary code on Siemens SIMATIC PCS 7 and WinCC systems. Attackers can exploit it by sending specially crafted packets to TCP port 443, potentially seizing control of human-machine interfaces (HMIs) and engineering workstations. Two other vulnerabilities—CVE-2024-35784 (CVSS 9.8) and CVE-2024-35785 (CVSS 7.5)—involve improper access controls and denial-of-service risks in Siemens' SCALANCE network equipment.

Affected Siemens Products:
- SIMATIC PCS 7 (all versions)
- SIMATIC WinCC (v7.4 and later)
- SCALANCE W1750D access points
- Mendix applications

CISA's decision to "stop updates" signifies these advisories are now archived—meaning no further patches or mitigation guidance will be issued. This action typically occurs when vendors discontinue product support or when remediation reaches end-of-life. Siemens confirmed to industrial cybersecurity firm Claroty that PCS 7 systems running on legacy Windows Server 2008/R2 platforms are now unsupported, leaving operators stranded without official patches.

Why This Matters for Industrial Security

Supervisory Control and Data Acquisition (SCADA) systems like Siemens PCS 7 aren’t typical IT infrastructure—they’re the nerve centers of physical industrial processes. A compromise could enable:
- Sabotage of safety mechanisms in chemical plants
- Manipulation of pressure valves in pipelines
- Disruption of electrical grid synchronization

The timing is critical. According to Dragos’ 2023 Year in Review report, attacks on industrial control systems surged by 50% year-over-year, with ransomware gangs like LockBit actively targeting operational technology. Unpatched SCADA vulnerabilities create low-hanging fruit for state-sponsored groups like APT44 (Sandworm), which has previously weaponized industrial flaws in Ukrainian power grids.

Strengths in the Response

Despite the concerning archiving of advisories, Siemens and CISA demonstrated notable collaboration in the initial disclosure phase:
- Transparent Coordination: Siemens proactively reported vulnerabilities through CISA’s ICS Advisory program, adhering to ISO/IEC 29147 disclosure standards—a best practice lauded by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
- Mitigation Workarounds: Before archiving, Siemens provided temporary defenses like firewall rules blocking unauthorized access to TCP/443 and detailed network segmentation guides. These align with the NIST Cybersecurity Framework’s "Protect" directives.
- Legacy System Guidance: For end-of-life systems, Siemens recommended hardware-based isolation using their Scalance switches—a pragmatic approach when patching isn’t feasible.

Critical Risks and Unanswered Questions

The archiving of advisories exposes systemic gaps in industrial cybersecurity:
- Patch-Impossible Scenarios: Over 60% of industrial sites run systems beyond vendor support, per a 2023 SANS Institute survey. For these, CISA’s archived status effectively means "no fix coming."
- Supply Chain Domino Effect: Siemens PCS 7 integrates third-party components like Mendix applications—vulnerable to related flaws (CVE-2024-35785). This creates cascading risks poorly addressed in current advisories.
- Verification Gaps: Siemens claims newer PCS 8 systems are unaffected, but researchers at Tenable note the original advisory lacked independent validation. Unverified claims about unaffected products could create false confidence.
- Economic Disincentives: Replacing legacy SCADA systems often costs millions—a barrier for municipal utilities. This perpetuates vulnerability lifecycles far beyond IT norms.

Mitigation Strategies for Affected Organizations

For operators of vulnerable Siemens systems, proactive measures are essential:

  1. Network Segmentation
    Isolate PCS 7 engineering stations using VLANs or physical air gaps. CISA’s "Defense-in-Depth" guidelines emphasize this as priority one.

  2. Compensating Controls
    - Deploy intrusion detection systems (e.g., Snort) tuned for Siemens protocol anomalies
    - Implement certificate pinning to prevent TLS-based exploits
    - Enforce strict application allowlisting via Siemens’ WinCC whitelisting tool

  3. Operational Workarounds
    - Disable unused TCP ports via Siemens Step 7 configuration modules
    - Schedule cyclic reboots to disrupt persistent malware (validated by ICS-CERT for DoS mitigation)

  4. Long-Term Patching
    Migrate to supported platforms like the PCS 8 Neo architecture, which includes embedded certificate validation and role-based access control.
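
One way to check that the segmentation and TCP/443 firewall rules described above actually hold is to audit flow logs for traffic reaching PCS 7 hosts from outside the engineering VLAN. This is an added example, not code from Siemens or CISA; the addresses, the log format and the names `PCS7_HOSTS`, `ENGINEERING_VLAN` and `audit` are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed addressing plan (constructed for this example, not from the advisory).
PCS7_HOSTS = {ipaddress.ip_address(a) for a in ("10.20.1.10", "10.20.1.11")}
ENGINEERING_VLAN = ipaddress.ip_network("10.20.1.0/24")
GUARDED_PORT = 443  # the port the article names for the PCS 7 / WinCC flaw

# Constructed flow records: "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2024-06-11T08:00:01Z 10.20.1.25 10.20.1.10 443 ALLOW
2024-06-11T08:00:07Z 10.50.3.14 10.20.1.10 443 ALLOW
2024-06-11T08:01:12Z 192.0.2.77 10.20.1.11 443 DENY
2024-06-11T08:02:30Z 10.50.3.14 10.20.1.11 102 ALLOW
2024-06-11T08:03:00Z 10.50.3.14 10.20.1.10 443 ALLOW
malformed line here
"""

def parse_flow(line):
    """Return (src, dst, dport, action) or None if the record is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                int(parts[3]), parts[4].upper())
    except ValueError:
        return None

def audit(text):
    """Classify flows to guarded hosts that originate outside the engineering VLAN."""
    gaps, blocked, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            skipped += 1  # keep a count so log corruption is visible, not silent
            continue
        src, dst, dport, action = flow
        if dst not in PCS7_HOSTS or dport != GUARDED_PORT or src in ENGINEERING_VLAN:
            continue
        # ALLOW means the segmentation rule is missing; anything else means it held.
        (gaps if action == "ALLOW" else blocked)[(str(src), str(dst))] += 1
    return {"segmentation_gaps": dict(gaps), "blocked_attempts": dict(blocked),
            "skipped_records": skipped}

print(audit(SAMPLE_FLOWS))
```

Entries under `segmentation_gaps` are the ones to act on first: they show a source outside the engineering VLAN that the firewall let through to a PCS 7 host on the guarded port.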

The Bigger Picture: SCADA Security at a Crossroads

This incident highlights structural challenges in industrial cybersecurity. Regulatory bodies like NERC CIP enforce standards for electric utilities but lack jurisdiction over manufacturing or water facilities—creating uneven protection. Meanwhile, Siemens’ dominance in automation (over 40% market share per ARC Advisory Group) means vulnerabilities have outsized impact.

CISA’s advisory archiving follows a necessary protocol, but it underscores a harsh reality: critical infrastructure often runs on digital fossils. Until vendors embrace lifetime security warranties or regulators mandate modernization funding, operators will remain trapped in reactive cycles. As nation-states stockpile SCADA exploits, the Siemens vulnerabilities serve as a stark reminder—what’s archived in databases rarely stays archived in attacker playbooks. For security teams, the path forward demands more than patching; it requires rethinking how we secure machines that move the physical world.