The Cybersecurity and Infrastructure Security Agency (CISA) has stopped updating its advisory on Siemens COMOS vulnerabilities, leaving many organizations uncertain about their security posture. This industrial software suite, widely used in critical infrastructure sectors, has faced multiple security flaws over the years. Here's what you need to know about the current situation and how to protect your systems.

Understanding Siemens COMOS

Siemens COMOS is a comprehensive software platform for engineering, maintenance, and operations across industrial plants. It's particularly prevalent in:
- Oil and gas facilities
- Power generation plants
- Chemical processing industries
- Manufacturing operations

The platform integrates multiple functions including plant design, asset management, and operational monitoring, making it a critical component in industrial control systems (ICS).

History of COMOS Vulnerabilities

Over the past decade, Siemens has disclosed numerous vulnerabilities affecting COMOS through coordinated disclosures with CISA. Some notable vulnerabilities include:

  • CVE-2021-37186: Directory traversal vulnerability (CVSS 7.5)
  • CVE-2020-7579: Cross-site scripting flaw (CVSS 6.1)
  • CVE-2019-18323: Authentication bypass issue (CVSS 9.8)

These vulnerabilities could allow attackers to execute arbitrary code, bypass authentication, or gain unauthorized access to sensitive plant data.

Why CISA Stopped Updating

CISA's Industrial Control Systems Advisory (ICSA) program previously provided regular updates on Siemens COMOS vulnerabilities. However, as of 2023, these updates have ceased because:

  1. Siemens has transitioned to publishing security advisories directly through its own ProductCERT portal
  2. Many COMOS vulnerabilities were being addressed through routine software updates
  3. CISA has shifted focus to more critical ICS vulnerabilities with widespread impact

Current Security Recommendations

Even without CISA updates, organizations using COMOS should:

1. Monitor Siemens Security Advisories

  • Bookmark Siemens ProductCERT
  • Subscribe to security notification emails
  • Check advisories quarterly at minimum

2. Implement Standard ICS Security Measures

  • Network segmentation for COMOS servers
  • Regular vulnerability scanning
  • Strict access controls with multi-factor authentication
  • Comprehensive logging and monitoring

3. Maintain Current Software Versions

Siemens provides security patches through:
- Regular service packs
- Hotfixes for critical vulnerabilities
- Version upgrades with cumulative fixes

Special Considerations for Legacy Systems

Many industrial facilities run older COMOS versions that may no longer receive updates. For these systems:

  • Conduct thorough risk assessments
  • Implement compensating controls
  • Consider virtual patching solutions
  • Develop migration plans to supported versions

This situation reflects broader trends in industrial cybersecurity:

  • Vendors taking more responsibility for vulnerability disclosures
  • Regulatory bodies focusing on highest-risk systems
  • Increasing automation of vulnerability management
  • Growing need for asset owners to maintain their own security programs

Action Steps for COMOS Users

  1. Inventory Your Systems: Document all COMOS installations and versions
  2. Assess Patch Status: Verify all available security updates are applied
  3. Review Configurations: Ensure security settings are properly configured
  4. Train Personnel: Make sure staff understands COMOS security features
  5. Develop Contingency Plans: Prepare for potential security incidents

While CISA may no longer provide updates for COMOS vulnerabilities, Siemens continues to actively maintain and secure the platform. By taking proactive measures and staying informed through official Siemens channels, organizations can continue using COMOS securely in their industrial environments.