Hacking

Boffins hacked the Siemens Simatic S7, one of the most secure controllers in the industry

A group of Israeli researchers demonstrated that it is possible to take over the Simatic S7 controller, one of the most secure controllers in the industry.

A team of Israeli researchers demonstrated that it is possible to take control of the Simatic S7 controller without the knowledge of the operators.

The team was composed of researchers from the Cyber Centers at the Technion and Tel Aviv University and experts from the National Cyber Arrangement.

Among the prominent experts involved in the research are the head of the Cyber Security Research Center at the Technion, Prof. Eli Biham, and Dr. Sara Bitan of the Technion's Faculty of Computer Science, Prof. Avishai Wool of the School of Electrical Engineering at Tel Aviv University, and the students Aviad Carmel, Alon Dankner and Uriel Malin.

The Siemens S7 is considered one of the most secure controllers in the industry; it is used in power plants, traffic lights, water pumps, building control, production lines, aviation systems, and many other critical infrastructures.

“[The experts were able] to turn off and turn on the controller, load various control logic into it, and change the activation code and source code,” reads a post published on TechTimes. “They also succeeded in creating a situation where controller operators cannot identify the ‘hostile intervention’ performed in the controller.”

The researchers reported their findings to Siemens and presented the attack technique (dubbed “Rogue7”) at the Black Hat security conference held in Las Vegas last week.

The experts focused their study on the security of Siemens Simatic S7 industrial controllers. S7 devices are connected to an engineering workstation that sends them commands, and the controllers in turn manage field devices such as sensors and motors.

The team reverse-engineered the communication protocol implemented by Siemens, then developed a rogue engineering workstation that mimicked the TIA Portal and was able to send commands to the controller.

In the attack scenario, attackers with access to the target organization's network and PLC set up a rogue workstation.

“After reverse-engineering the cryptographic protocol, we are able to create a rogue engineering station which can masquerade as the TIA to the PLC and inject any messages favourable to the attacker. As a first example we extend attacks that can remotely start or stop the PLC to the latest S7-1500 PLCs,” reads the research paper published by the experts. “Our main attack can download control logic of the attacker’s choice to a remote PLC. Our strongest attack – the stealth program injection attack – can separately modify the running code and the source code, which are both downloaded to the PLC. This allows us to modify the control logic of the PLC while retaining the source code the PLC presents to the engineering station.”

The experts successfully tested their attack on a Siemens S7-1500 PLC.

Further details on the “Rogue7” attack are reported in a research paper published by the experts.
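The stealth program injection the paper describes works because the PLC holds the source code and the compiled running code as two separately stored artifacts, so an engineering station that only reads back the source sees nothing wrong. The toy model below is an added illustration for this article, not the researchers' code and not a model of the S7 protocol itself; the PLC and EngineeringStation classes, the compile_logic stand-in and the control program text are all constructed assumptions. It shows why a source-only comparison is insufficient and two integrity checks that do detect the divergence: a baseline hash of the running logic recorded at download time, and a rebuild-and-compare check that needs no stored baseline.

```python
import hashlib
from dataclasses import dataclass

# Constructed control program for the example (not real S7 logic).
BASELINE_SOURCE = "IF Level > 80 THEN Pump := FALSE; END_IF;"


def compile_logic(source: str) -> bytes:
    """Stand-in for the real compiler: a deterministic digest of the source.
    Any deterministic build would do; the point is that the running artifact
    is derived from, but stored separately from, the source."""
    return hashlib.sha256(b"compiled:" + source.encode()).digest()


@dataclass
class PLC:
    """Two separately stored artifacts, as the quoted paper describes."""
    source_code: str      # what the PLC presents to the engineering station
    running_code: bytes   # what the PLC actually executes

    def report_source(self) -> str:
        return self.source_code


@dataclass
class EngineeringStation:
    golden_source: str
    golden_running_hash: str = ""

    def download(self, plc: PLC) -> None:
        """Normal download: both artifacts are written, and a baseline hash
        of the running code is recorded on the station side."""
        plc.source_code = self.golden_source
        plc.running_code = compile_logic(self.golden_source)
        self.golden_running_hash = hashlib.sha256(plc.running_code).hexdigest()

    def source_matches(self, plc: PLC) -> bool:
        """The naive check: compare only the source the PLC presents."""
        return plc.report_source() == self.golden_source

    def running_matches(self, plc: PLC) -> bool:
        """Integrity check on the executing logic against the recorded baseline."""
        return hashlib.sha256(plc.running_code).hexdigest() == self.golden_running_hash


def logic_consistent(plc: PLC) -> bool:
    """Baseline-free check: rebuild the presented source and compare the result
    with the running code. Requires a deterministic build."""
    return compile_logic(plc.report_source()) == plc.running_code


def build_baseline() -> tuple[EngineeringStation, PLC]:
    """Set up a clean station/PLC pair with the constructed program loaded."""
    station = EngineeringStation(golden_source=BASELINE_SOURCE)
    plc = PLC(source_code="", running_code=b"")
    station.download(plc)
    return station, plc


def diverge_running_code(plc: PLC, other_source: str) -> PLC:
    """Model of the failure mode only: the running code is replaced while the
    presented source is left untouched. No protocol detail is modelled."""
    return PLC(source_code=plc.source_code, running_code=compile_logic(other_source))


if __name__ == "__main__":
    station, plc = build_baseline()
    print("clean PLC   : source ok =", station.source_matches(plc),
          "running ok =", station.running_matches(plc),
          "consistent =", logic_consistent(plc))
    tampered = diverge_running_code(plc, "Pump := TRUE;")
    print("tampered PLC: source ok =", station.source_matches(tampered),
          "running ok =", station.running_matches(tampered),
          "consistent =", logic_consistent(tampered))
```

The practical lesson is the one Dr. Bitan draws below: what the controller reports about itself is not evidence of what it executes, so integrity monitoring has to compare the loaded logic with a known-good build through an independent path, rather than trusting the source the PLC hands back to the engineering station.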

“The attack also shows that securing industrial control systems is a more difficult and challenging task than securing information systems.” explained Dr. Bitan.


Pierluigi Paganini

(SecurityAffairs – Siemens Simatic S7, hacking)

