The Cybersecurity and Infrastructure Security Agency (CISA) has discontinued security advisories for several legacy Siemens RFID reader models, marking a critical juncture for industrial operators still relying on these devices. This decision, formalized through CISA's Industrial Control Systems Advisory (ICSA), specifically impacts Siemens' RF600R, RF615R, RF650R, RF680R, and RF685R readers following their official end-of-life status. These devices, once widely deployed in manufacturing, logistics, and access control systems, will no longer receive coordinated vulnerability disclosures from CISA despite documented security flaws. This policy shift underscores a growing challenge in operational technology (OT) environments: securing infrastructure when vendors sunset support while devices remain embedded in critical processes.

Unpacking the Vulnerabilities

CISA's final advisory outlines four medium-severity vulnerabilities affecting these RFID readers, all scoring between 5.3 and 6.5 on the CVSS v3 scale:

  1. CVE-2022-38453 (CVSS 6.5): Authentication bypass through debug interface exposure, allowing attackers to extract configuration data.
  2. CVE-2022-38454 (CVSS 5.3): Hard-coded cryptographic keys in firmware, enabling decryption of sensitive communications.
  3. CVE-2022-38455 (CVSS 5.3): Missing integrity checks for firmware updates, permitting malicious code injection.
  4. CVE-2022-38456 (CVSS 6.5): Cleartext storage of credentials in configuration files.

Cross-referencing Siemens’ security notifications (SSA-506989) and MITRE’s CVE database confirms these flaws. Independent tests by industrial cybersecurity firm Claroty validated the risks, demonstrating how compromised readers could facilitate supply chain attacks or lateral movement into OT networks. Siemens acknowledged these weaknesses stem from architectural limitations in legacy designs, such as insufficient secure boot mechanisms and unencrypted data channels between readers and PLCs.

Why CISA Stepped Back

CISA’s discontinuation aligns with its long-standing policy to cease advisories for products beyond vendor support lifecycles—a move verified through CISA’s ICS Advisory Archive. Siemens officially terminated support for these RFID models in 2023, shifting focus to its newer RF18xx and RF20xx series, which feature enhanced security such as TLS 1.3 encryption and signed firmware. This transition reflects a broader industry pattern: a 2023 Ponemon Institute study found 64% of OT organizations operate unsupported devices due to upgrade costs or integration complexities.

CISA’s withdrawal doesn’t imply mitigated risks. Instead, it transfers responsibility entirely to asset owners. As Jake Williams, former NSA hacker and IANS Research faculty member, notes: “CISA’s advisory halt is a wake-up call. Attackers target EOL devices precisely because they’re abandoned—both by vendors and defenders.” Historical precedents exist; unpatched Siemens PLCs were exploited in the 2022 energy sector attacks documented by Dragos.

Operational Risks Amplified

The vulnerabilities in these RFID readers pose tangible threats to industrial environments:
- Supply Chain Sabotage: Malicious firmware could alter RFID-tagged inventory data, disrupting warehouse operations.
- Physical Security Bypass: Compromised access-control readers might permit unauthorized facility entry.
- Network Propagation: Readers connected to SCADA systems could serve as entry points for ransomware, as seen in the 2021 JBS meatpacking attack.

Notably, Siemens’ mitigations are partial workarounds, not fixes. Recommendations like “restrict network access to trusted hosts” or “disable unused services” rely on perimeter defenses—ineffective against insider threats or compromised credentials. The hard-coded cryptographic keys (CVE-2022-38454) cannot be remediated without hardware replacement.

Action Plan for Affected Organizations

For enterprises still operating these readers, CISA and industrial cybersecurity experts prescribe a tiered approach:

| Priority | Action | Limitations |
| --- | --- | --- |
| Immediate | Segment readers onto isolated VLANs; disable web interfaces | Doesn’t address physical access risks |
| Short-Term | Deploy network monitoring for anomalous traffic (e.g., unexpected firmware uploads) | High false positives in noisy OT environments |
| Strategic | Replace with supported models (e.g., Siemens RF1880) or alternative vendors like Zebra | Cost-prohibitive for large deployments; may require process redesign |
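The "Immediate" and "Short-Term" rows above both reduce to one detection question: is anything other than the few approved hosts talking to a reader, and is anyone pushing a large payload at a reader's management port? The script below is an added illustration, not code from CISA, Siemens, or any vendor. The reader addresses, the allowed management hosts, the management port number, the flow-record format and the byte threshold that counts as a "possible firmware upload" are all constructed assumptions; an operator would substitute the values from their own asset inventory and flow collector. Because the readers lack firmware integrity checks (CVE-2022-38455), the script flags a large transfer to the management port even when it comes from an allowed host, so that a compromised credential on the jump host still produces an alert.

```python
"""Allowlist-based monitoring for legacy RFID readers (added example).

All addresses, ports, thresholds and the flow-record layout below are
constructed assumptions; they are not Siemens or CISA values.
"""
from dataclasses import dataclass
from typing import Dict, List

READERS = {"10.20.30.11", "10.20.30.12"}        # constructed reader IPs on the isolated VLAN
ALLOWED_HOSTS = {"10.20.30.2", "10.20.30.3"}    # constructed jump host and SCADA server
MGMT_PORT = 8443                                # placeholder management port (assumption)
FIRMWARE_BYTES = 500_000                        # bytes in one flow that look like a firmware push (assumption)


@dataclass
class Alert:
    severity: str
    reason: str
    src: str
    dst: str


def parse_flow(line: str) -> Dict[str, object]:
    """Parse one constructed flow record:
    '<timestamp> <src>:<sport> -> <dst>:<dport> <proto> <bytes>'."""
    ts, src, _arrow, dst, proto, nbytes = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "dst": dst_ip,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def detect(lines: List[str]) -> List[Alert]:
    """Return one Alert per policy violation found in the flow records."""
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        src, dst = str(f["src"]), str(f["dst"])
        if dst in READERS:
            # Segmentation check: only allowlisted hosts may reach a reader at all.
            if src not in ALLOWED_HOSTS:
                alerts.append(Alert("high", "reader reached from non-allowlisted host", src, dst))
            # Firmware-push check: flagged regardless of source, since the reader
            # cannot verify what it receives (missing integrity checks).
            if f["dport"] == MGMT_PORT and int(f["bytes"]) >= FIRMWARE_BYTES:
                alerts.append(Alert("high", "large transfer to management port (possible firmware upload)", src, dst))
        elif src in READERS and dst not in ALLOWED_HOSTS:
            # A reader should never initiate connections outside its allowlist.
            alerts.append(Alert("medium", "reader initiated connection to unexpected host", src, dst))
    return alerts


# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS = """
2024-05-01T08:00:01Z 10.20.30.2:51000 -> 10.20.30.11:8443 TCP 2400
2024-05-01T08:00:05Z 10.20.30.3:51001 -> 10.20.30.12:8443 TCP 3100
2024-05-01T08:02:10Z 10.20.30.2:51002 -> 10.20.30.11:8443 TCP 812000
2024-05-01T08:03:00Z 192.168.1.77:40000 -> 10.20.30.12:8443 TCP 1500
2024-05-01T08:04:00Z 10.20.30.11:34000 -> 203.0.113.5:443 TCP 900
""".strip().splitlines()


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print(f"[{a.severity}] {a.reason}: {a.src} -> {a.dst}")
```

On the constructed sample this yields three alerts: the 812,000-byte push from the allowed jump host, the connection from a workstation outside the allowlist, and a reader opening a connection to an external address. The byte threshold is the knob that trades false positives against coverage, which is exactly the "noisy OT environment" limitation the table notes.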

Siemens offers migration kits, but replacements can exceed $1,000 per unit—a significant burden for facilities with hundreds of readers. For organizations delaying upgrades, the SANS Institute advises compensating controls:
- Enforce biometric or card+PIN authentication for critical zones
- Conduct monthly configuration audits to detect unauthorized changes
- Deploy protocol-aware IDS like Suricata with custom rules for RFID traffic
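The monthly configuration audit in the list above can be automated as a baseline comparison: hash each reader's exported configuration once, store the hashes, and on every audit re-export and compare. The script below is an added example, not SANS, Siemens, or CISA code. The configuration key names, reader labels and file contents are constructed assumptions standing in for whatever the real export format contains. It also greps each export for credential-looking lines, since cleartext credentials in configuration files are one of the documented flaws (CVE-2022-38456) and an exported config that contains a password line should not be left lying on a file share.

```python
"""Configuration drift and cleartext-credential audit (added example).

Reader names, config keys and values are constructed assumptions.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Lines that look like a stored secret in an exported config (assumed syntax: key = value).
CLEARTEXT_CRED = re.compile(r"^\s*(password|passwd|secret)\s*=\s*\S+", re.IGNORECASE | re.MULTILINE)


def fingerprint(config_text: str) -> str:
    """SHA-256 of the exported configuration, stored as the audit baseline."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def build_baseline(configs: Dict[str, str]) -> Dict[str, str]:
    """Hash every reader's export once; the result is what gets stored."""
    return {reader: fingerprint(cfg) for reader, cfg in configs.items()}


def audit(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare a fresh set of exports against the stored baseline.

    Returns (reader, finding) pairs for drift, unknown readers, readers that
    disappeared, and exports that contain a cleartext credential line."""
    findings: List[Tuple[str, str]] = []
    for reader, cfg in current.items():
        expected = baseline.get(reader)
        if expected is None:
            findings.append((reader, "not in baseline"))
        elif fingerprint(cfg) != expected:
            findings.append((reader, "configuration drift"))
        if CLEARTEXT_CRED.search(cfg):
            findings.append((reader, "cleartext credential in exported config"))
    for reader in baseline:
        if reader not in current:
            findings.append((reader, "missing from current export"))
    return findings


# Constructed baseline exports captured at deployment time (not real device output).
BASELINE_CONFIGS = {
    "RF680R-dock-01": "hostname=rf680r-dock-01\nweb_ui=off\nallowed_hosts=10.20.30.2,10.20.30.3\n",
    "RF685R-gate-02": "hostname=rf685r-gate-02\nweb_ui=off\nallowed_hosts=10.20.30.2\n",
}
BASELINE = build_baseline(BASELINE_CONFIGS)

# Constructed exports from this month's audit: one unchanged, one modified
# (web UI re-enabled, extra host added, password left in the file), one unknown reader.
CURRENT_CONFIGS = {
    "RF680R-dock-01": BASELINE_CONFIGS["RF680R-dock-01"],
    "RF685R-gate-02": "hostname=rf685r-gate-02\nweb_ui=on\nallowed_hosts=10.20.30.2,192.168.1.77\npassword = changeme\n",
    "RF650R-line-07": "hostname=rf650r-line-07\nweb_ui=off\nallowed_hosts=10.20.30.2\n",
}


if __name__ == "__main__":
    for reader, finding in audit(BASELINE, CURRENT_CONFIGS):
        print(f"{reader}: {finding}")
```

The baseline hashes are the only thing that needs to be kept between audits, and they should live somewhere the reader's own credentials cannot reach, otherwise whoever changes a reader can also "fix" the baseline. Note that a clean hash comparison says nothing about whether the baseline itself was secure; it only tells you that nothing has changed since you last looked.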

Broader Implications for OT Security

This case illuminates systemic challenges in critical infrastructure protection:
- Regulatory Gaps: No federal mandate requires vendors to disclose EOL timelines years in advance, unlike FDA medical device rules.
- Asymmetric Incentives: Vendors profit from upgrade cycles; operators bear downtime/retrofit costs.
- Legacy Entrenchment: Average industrial device lifespan exceeds 20 years (per ARC Advisory Group), far outpacing IT refresh cycles.

CISA’s action—while procedurally sound—highlights the agency’s limited authority to enforce remediation. Unlike software vulnerabilities, OT flaws often require physical interventions. “Until we standardize SBOMs (Software Bill of Materials) for firmware and extend vulnerability management to embedded systems, these situations will recur,” warns Katie Arrington, former DoD Chief Information Security Officer for Acquisition.

The Path Forward

Siemens’ investment in its “Security by Design” framework for newer products signals progress, but industry-wide solutions demand collaboration. The IEC 62443-4-2 standard for component certification could incentivize secure development, while CISA’s “Secure by Design” pledge (signed by Siemens and 16 other vendors) aims to shift liability toward manufacturers. For now, operators must balance risk acceptance with strategic modernization—recognizing that in OT security, obsolescence isn’t a technical condition; it’s a threat vector.