When security threats emerge in industrial automation, few products provoke as much concern—or demand as much attention from the cybersecurity community—as Siemens SIRIUS 3SK2 Safety Relays and SIRIUS 3RK3 Modular Safety Systems. Recently disclosed multiple vulnerabilities highlight not only the pressing need for robust industrial cybersecurity protection, but also gaps between industrial operational needs and modern security standards. This article critically examines Siemens’ latest vulnerabilities, their technical impacts, and what both vendors and critical infrastructure operators must do to navigate a rapidly evolving threat landscape.
Understanding the Products: SIRIUS 3SK2 and 3RK3 Modular Safety Systems
Siemens' SIRIUS family represents foundational safety components in a vast array of industrial environments. The 3SK2 Safety Relay is a compact, versatile device designed to monitor safety-related signals—think emergency stops, light curtains, or safety doors—and reliably shut down hazardous machine operations if a risk is detected. The 3RK3 SIRIUS Modular Safety System (MSS), on the other hand, offers scalable, programmable solutions for flexible safety architectures in factories, process plants, and other critical manufacturing sectors. Both are widely deployed across the globe, protecting people, machines, and processes in some of the world’s most vital production environments.
The significance of these products cannot be overstated. Safety relays and modular safety systems act as last lines of defense in environments where even milliseconds can mark the difference between a near-miss and a catastrophic event.
The Security Advisory: What’s at Stake?
On May 15, 2025, Siemens and CISA jointly republished an advisory (SSA-222768, ICSA-25-135-13) detailing high-severity security flaws affecting all versions of both the SIRIUS 3SK2 Safety Relays and the SIRIUS 3RK3 MSS. The advisory assigns a maximum CVSS v4 score of 8.7—underlining the criticality of these issues for operators of industrial control systems (ICS) and manufacturing sites worldwide.
Core Vulnerabilities
The advisory identifies three primary vulnerabilities, each with its own technical and operational consequences:
- Use of a Broken or Risky Cryptographic Algorithm (CWE-327, CVE-2025-24007): Affected devices employ a weak password obfuscation method rather than proper cryptography. An attacker with network access can retrieve and de-obfuscate the safety password, undermining controls meant to prevent inadvertent operation.
- Missing Encryption of Sensitive Data (CWE-311, CVE-2025-24008): Data transmitted between the device and integrated networks (such as PROFINET) is left unencrypted. Any actor with network positioning can intercept sensitive data—including the very passwords supposed to enforce operational safety.
- Incorrect Permission Assignment for Critical Resource (CWE-732, CVE-2025-24009): Devices do not require any authentication to access critical resources, permitting the retrieval of sensitive configuration information, data records, or obfuscated passwords via simple network access.
Risk and Impact Assessment
The implications of these flaws extend well beyond mere inconvenience:
- Remote Exploitability: Attack complexity is low, and the flaws are exploitable remotely—no insider access or prior knowledge is required.
- Attack Surface: Both safety relays and modular safety systems typically reside on operational networks, sometimes exposed either intentionally, for remote management, or accidentally, through improper segmentation. Such exposure dramatically increases risk.
- Potential Consequences: A successful attacker could:
  - Retrieve, de-obfuscate, and leverage operational passwords
  - Intercept sensitive commands or safety logic data
  - Disrupt or maliciously reconfigure machine safeguards, potentially causing safety-system shutdowns or, worse, unsafe operations
Technical Analysis: Breaking Down the Flaws
Weak Password Obfuscation
The Siemens devices at issue obfuscate passwords—likely employing reversible or easily-guessable encoding mechanisms—rather than protecting them with industry-standard cryptography such as AES (for encryption) or a salted SHA-256-based hash (for storage). As a result, any party who can obtain the obfuscated password (via network sniffing or insecure device access) can trivially reverse the process and acquire cleartext credentials.
The industry has long warned against “security through obscurity” in ICS contexts. Weak obfuscation, often a relic from earlier eras of industrial automation, has been proven time and again to provide little resistance to motivated adversaries.
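To make concrete why obfuscation is not cryptography, here is an added illustration (not Siemens code; the advisory does not describe the actual obfuscation scheme, so a deliberately trivial XOR encoding with a fixed key stands in for it). The hardened half shows what a device should store instead: a salted, iterated one-way hash that lets it verify a safety password without holding anything an observer could invert. All passwords, salts and keys are constructed values.

```python
"""Added illustration, not Siemens code: a reversible obfuscation (a toy XOR with a
fixed key standing in for the undisclosed real scheme) versus a salted one-way hash.
Passwords, salt and key are constructed sample values."""
import hashlib
import hmac
import os

# Hypothetical fixed obfuscation key. Anything fixed in firmware is known to
# whoever has read the firmware, so it provides no secrecy at all.
OBFUSCATION_KEY = 0x5A
PBKDF2_ROUNDS = 200_000


def obfuscate(password: str) -> bytes:
    """Reversible encoding: the output is a function of the password alone."""
    return bytes(b ^ OBFUSCATION_KEY for b in password.encode())


def deobfuscate(blob: bytes) -> str:
    """XOR is its own inverse, so whoever reads the blob (from the wire or via an
    unauthenticated record read) gets the cleartext back with no key material."""
    return bytes(b ^ OBFUSCATION_KEY for b in blob).decode()


def make_record(password: str, salt: bytes = b"") -> dict:
    """Hardened storage: keep only a per-device random salt and a PBKDF2-HMAC-SHA256
    digest. Nothing in the record can be inverted to recover the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the digest for the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def demo() -> tuple:
    """Observer outcome for each design, given the same captured artefact."""
    captured_blob = obfuscate("safety-pw")   # what an observer sees from the weak design
    recovered = deobfuscate(captured_blob)    # cleartext falls out immediately
    record = make_record("safety-pw")         # what the hardened device keeps instead
    return recovered, verify(record, "safety-pw"), verify(record, "safety-pX")
```

The hash only fixes the storage half of the problem: the advisory's other two findings (cleartext transport and unauthenticated reads) still need transport encryption and an authenticated access path.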
Missing Encryption on the Wire
Modern cybersecurity hygiene mandates the encryption of sensitive data in transit, even on internal networks. Siemens’ failure to encrypt communications over interfaces like PROFINET means that traffic—including authentication exchanges, configuration data, and potentially even safety-critical instructions—is vulnerable to interception.
Given that lateral movement is a hallmark of advanced industrial cyber attacks (see Triton/Trisis, NotPetya, etc.), unencrypted safety device traffic is a ripe target for adversaries. Compromised credentials or configuration extracted from this data can lead to unauthorized changes or denial of safety functions.
Lack of Access Controls
Perhaps most concerning, the ability to retrieve sensitive records from these devices without requiring any form of authentication presents a dramatic escalation of risk. Even if an attacker cannot directly manipulate the safety system, they can gather intelligence on operational logic, network topology, or safety parameters, setting the stage for subsequent, more damaging attacks.
This flaw underlines the need for “least privilege” and access control mechanisms even on legacy safety and automation components.
Who Discovered and Reported the Flaws?
The vulnerabilities were identified and responsibly reported to Siemens by researchers Nikolai Puch, Johanna Latzel, and Ferdinand Jarisch from Fraunhofer AISEC, a well-respected German research institution with a strong track record in industrial cybersecurity. Their work highlights the critical importance of continuous third-party scrutiny in high-consequence environments.
Siemens’ Response: Fixes and Limitations
At the time of writing, Siemens has not issued firmware or software fixes for either the SIRIUS 3RK3 Modular Safety System or the SIRIUS 3SK2 Safety Relays. In official mitigation guidance, the company states:
- For 3RK3 MSS: No fix is planned
- For 3SK2 Safety Relays: No fix is available
Recommended Mitigations
Siemens and CISA list the following controls as best-practice stopgaps in lieu of a product-level fix:
- Physically restrict device access to trusted users only
- Enforce rigorous network segmentation—specifically, isolate the PROFINET interface from all but essential and authorized systems
- Implement broader ICS network defenses as per Siemens and CISA’s operational guidelines, including defense-in-depth, network monitoring, intrusion detection, and security zoning
Critical Analysis: Strengths, Gaps, and Broader Implications
Strengths
1. Transparency and Responsible Disclosure
Siemens has maintained transparency by publicly acknowledging the vulnerabilities, crediting the researchers, and working closely with CISA/ICS-CERT to publicize the relevant information and mitigations. This approach strengthens the cybersecurity community at large by highlighting risks and encouraging immediate corrective action.
2. Comprehensive Risk Advisory
The details in the advisory—including attack complexity, clear CVSS scoring (with both v3.1 and v4.0 metrics), and explicit references to affected products—give operators actionable intelligence to guide risk assessments, prioritization, and incident response preparation.
3. Operational Guidelines and Recommendations
The emphasis on defense-in-depth, proper network segmentation, and stringent access control reflects acknowledged best practices in industrial control system security. For operators able to rigorously enforce such measures, the mitigations can be highly effective.
Risks and Limitations
1. Absence of Technical Patch or Firmware Update
The most glaring weakness is Siemens’ stance that there will be no technical fix for the 3RK3 MSS and no fix currently available for the 3SK2 relays. While legacy hardware can complicate patch development and rollout, this approach leaves mission-critical safety functions exposed to remotely exploitable weaknesses—possibly indefinitely.
Asset owners in regulated industries (energy, manufacturing, critical infrastructure) may face compliance headaches or regulatory scrutiny as a result, especially if compensating controls prove inadequate over time.
2. Reliance on Perimeter and Procedural Defenses
Without product-level hardening, organizations must rely on isolating devices and enforcing tight operational controls. This is easier said than done, particularly in brownfield deployments or where device configurations are deeply embedded in broader automation ecosystems.
Given the prevalence of flat or insufficiently segmented OT networks and the persistence of legacy equipment, complete isolation can be hard to guarantee.
3. Risk of Information Disclosure and Targeted Attacks
With attackers able to retrieve sensitive configuration data without authentication, the risk of targeted, staged attacks increases—particularly if industrial espionage or sabotage is a concern. Even if a direct compromise is unlikely, the value of exposed operational data should not be underestimated.
4. Increasing Attack Sophistication
As demonstrated by the evolution from general malware to highly targeted ICS attacks (e.g., Stuxnet, Industroyer, Triton), adversaries are increasingly capable of translating operational access into physical effects. Vulnerabilities like these, even if mitigated in theory, expand attackers’ toolkits and underline the need for continuous security modernization.
Best Practices for Asset Owners and Operators
Immediate Steps
- Conduct a thorough asset inventory: Identify all instances of affected SIRIUS devices within your environment.
- Assess network exposure: Map network paths, paying particular attention to possible unauthorized access points (especially on PROFINET).
- Implement segmentation or isolation for devices: Air-gap where possible or enforce strict VLAN/firewall boundaries.
- Regularly review and limit personnel accesses to physical ICS hardware.
Proactive Defensive Strategies
- Monitor for suspicious activity: Deploy network intrusion detection and anomaly detection tailored to industrial protocols and traffic.
- Harden surrounding ICS assets: Apply patches, restrict services, and enforce strong authentication wherever possible.
- Develop an incident response playbook: Anticipate possible exploit scenarios and define workflows for containment and recovery.
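The segmentation control in the Recommended Mitigations (isolate the PROFINET interface from all but essential, authorized systems) and the monitoring steps above (asset inventory, exposure assessment, industrial-protocol-aware detection) combine naturally into one check. Here is an added example of that check, not code from Siemens or CISA: it scans flow records and flags any PROFINET traffic reaching a safety device from a host outside the authorized allowlist. The device and peer MAC addresses and the flow log are constructed sample data; the PROFINET EtherType and UDP port are published protocol constants.

```python
"""Added example, not code from the Siemens/CISA advisory: flag PROFINET traffic that
reaches a SIRIUS safety device from any host outside the short allowlist the
segmentation mitigation calls for. MACs and the flow log below are constructed."""
from dataclasses import dataclass

# Published PROFINET constants: RT and DCP frames carry EtherType 0x8892; the
# connection-management RPC path runs over UDP port 34964 inside IPv4 (0x0800).
PROFINET_ETHERTYPE = 0x8892
IPV4_ETHERTYPE = 0x0800
PROFINET_RPC_UDP_PORT = 34964

# Hypothetical asset inventory: the safety devices' PROFINET interfaces and the
# only peers (engineering workstation, cell PLC) allowed to reach them.
SAFETY_DEVICES = {"00:1b:1b:aa:00:01", "00:1b:1b:aa:00:02"}
AUTHORIZED_PEERS = {"00:1b:1b:10:00:01", "00:1b:1b:10:00:02"}

@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    ethertype: int
    udp_dport: int = 0  # 0 when the frame carries no UDP datagram

def is_profinet(flow: Flow) -> bool:
    """True for PROFINET RT/DCP frames or PROFINET CM/RPC over UDP."""
    if flow.ethertype == PROFINET_ETHERTYPE:
        return True
    return flow.ethertype == IPV4_ETHERTYPE and flow.udp_dport == PROFINET_RPC_UDP_PORT

def parse_flow(line: str) -> Flow:
    """Parse one record: '<src_mac> <dst_mac> <ethertype_hex> [<udp_dport>]'."""
    parts = line.split()
    dport = int(parts[3]) if len(parts) > 3 else 0
    return Flow(parts[0], parts[1], int(parts[2], 16), dport)

def find_alerts(log_text: str) -> list:
    """Return PROFINET flows into a safety device whose source is not allowlisted.
    The devices answer configuration and password reads without authentication,
    so an unexpected peer merely talking PROFINET to them already merits an alert."""
    flows = [parse_flow(line) for line in log_text.splitlines() if line.strip()]
    return [f for f in flows
            if is_profinet(f) and f.dst_mac in SAFETY_DEVICES
            and f.src_mac not in AUTHORIZED_PEERS]

# Constructed sample log: two legitimate flows, two from an unknown laptop to the
# safety devices, one from it to a non-safety device, one HTTPS flow from the EWS.
SAMPLE_LOG = """
00:1b:1b:10:00:01 00:1b:1b:aa:00:01 8892
00:1b:1b:10:00:02 00:1b:1b:aa:00:02 0800 34964
d4:3b:04:12:34:56 00:1b:1b:aa:00:01 0800 34964
d4:3b:04:12:34:56 00:1b:1b:aa:00:02 8892
d4:3b:04:12:34:56 00:1b:1b:bb:00:09 8892
00:1b:1b:10:00:01 00:1b:1b:aa:00:01 0800 443
"""
ALERTS = find_alerts(SAMPLE_LOG)  # the two laptop flows into the safety devices
```

In production the allowlist comes from the asset inventory and the records from a SPAN port or the OT IDS's flow export; the value of the check is that it needs no protocol decoding beyond EtherType and port to catch the exposure the advisory warns about.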
Long-Term Strategic Considerations
- Advocate for vendor accountability: Engage with Siemens and other ICS vendors to promote the integration of modern security standards in both legacy support and new product development.
- Invest in personnel training and awareness: Educate engineering, operations, and IT staff on evolving ICS threats and mitigations.
- Participate in ISACs and sector-based information sharing collectives to receive timely vulnerability and threat intelligence.
Broader Industry Implications
The Siemens SIRIUS 3SK2 and 3RK3 vulnerabilities are not isolated events; they reflect systemic issues—technological, organizational, and regulatory—in the ongoing convergence of operational technology (OT) and IT.
As digitization drives ever greater connectivity between legacy industrial devices and enterprise networks, gaps in device security become critical points of systemic risk. Patching industrial devices is notoriously hard: long lifespans, certification issues, and patching windows are all major hurdles. Yet, the age-old fallback—“behind the firewall, so it’s safe”—is increasingly untenable. Modern adversaries routinely breach supposedly isolated environments via compromised laptops, USB devices, or poorly secured remote access.
Regulators, vendors, asset owners, and the cybersecurity community must collaborate to raise the bar:
- Mandatory product support lifecycles and vulnerability remediation
- Security by design for all new industrial devices, and continued support for legacy systems wherever possible
- Sector-wide threat intelligence and rapid incident sharing
Conclusion
The recent security disclosures impacting Siemens SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety Systems represent more than just a technical challenge: they are emblematic of the widening gulf between operational safety and modern cybersecurity demands in industrial settings.
While Siemens’ transparency and concrete mitigation advice are commendable, the absence of technical remediations for widely deployed safety components means that operational security teams must shoulder the burden of protection through environmental, architectural, and procedural controls. This is a worrisome status quo for industries where physical safety and business continuity hinge on the unwavering reliability of automation components.
For critical infrastructure operators, manufacturers, and integrators, the path forward is clear but arduous: defend in depth, stay up to date on emerging threats, and push for a culture of security across the entire supply chain—from device vendors and system integrators to every operator on the line. The stakes could not be higher, and the lessons from this advisory are a wake-up call for the entire industrial automation community.
Further Resources and References:
- Siemens CERT Security Advisories
- CISA ICS Security Best Practices
- Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies (CISA)
- SSA-222768 Security Advisory (Siemens Official)
Source: CISA, “Siemens SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety Systems” (ICSA-25-135-13)