Researchers at Tel Aviv University and the Technion Institute of Technology have discovered critical vulnerabilities in the Siemens S7 Simatic programmable logic controller (PLC), one of the world's most secure PLCs, and shown how they could be exploited as part of a cyberattack.
The team reverse-engineered the S7's proprietary cryptographic protocol and built a rogue engineering workstation that posed as a so-called TIA engineering station communicating with the Simatic S7-1500. "The station was able to remotely start and stop the PLC via the commandeered Siemens communications architecture, potentially wreaking havoc on an industrial process," said Prof. Avishai Wool of TAU's School of Electrical Engineering. "We were then able to wrest the controls from the TIA and surreptitiously download rogue command logic to the S7-1500 PLC."
The researchers hid the rogue code so that a process engineer could not see it. If the engineer were to examine the code from the PLC, he or she would see only the legitimate PLC source code, unaware of the malicious code running in the background and issuing rogue commands to the PLC.
Their findings demonstrate how a sophisticated cyberattack can access Siemens' newest generation of industrial controllers that were built with more advanced security features and supposedly more secure communication protocols. Siemens improved the security of its industrial control system (ICS) in the aftermath of the Stuxnet attack in 2010, in which its controllers were targeted in a sophisticated cyberattack that ultimately sabotaged centrifuges in the Natanz nuclear facility in Iran.
"This was a complex challenge because of the improvements that Siemens had introduced in newer versions of Simatic controllers," said Prof. Eli Biham at the Technion. "Our success is linked to our vast experience in analyzing and securing controllers and integrating our in-depth knowledge into several areas: systems understanding, reverse engineering, and cryptography."