Seventeen bugs have been found in Siemens industrial equipment used in fossil-fuel and large-scale renewable power plants. The affected product is SPPA-T3000, a distributed control system used for coordinating and supervising electrical generation. It can be found in power plants in the U.S., Germany, Russia and other countries.
The most severe vulnerabilities allow remote code execution, letting attackers take control of operations and disrupt them. They could impede electrical generation and cause malfunctions at power plants.
According to Siemens, exploitation of the vulnerabilities is possible only through Siemens’ Application or Automation Highway (the networks linking the components). Siemens advises cutting them from any external networks, while works on updates are underway. So far, none of the bugs seems to have been exploited in the wild.