Researchers from Israel managed to hack one of the most protected PLC Simatic S7

A team of Israeli researchers demonstrated a successful attack on the Siemens Simatic S7 PLC (programmable logic controller) and took control over them without awareness of the operator.

In particular, they managed to turn the controller on and off, load various logic, change the activation code and source code, all without visible signs of intrusion.

“We can create a situationwhere the PLC’s functionality is different from the control logic visible to the engineer”, — reported researchers.

Cybersecurity experts from the Faculty of Computer Science, Technion, Haifa and the School of Electrical Engineering, Tel-Aviv University attended the project.

Simatic S7 are industrial hardware controllers that connect to a computer and send various commands to it. The devices are designed to control various components of industrial control systems, including sensors and motors. Simatic S7 are widely used in power plants, production lines, in water pumps, building management systems, aircraft systems and other critical infrastructure. Simatic S7 is considered one of the most secure industrial controllers.

“This was a complex challenge because of the improvements that Siemens had introduced in newer versions of Simatic controllers”, — said Israeli researchers.

Researchers reverse engineered the Siemens cryptographic protocol and created a malicious TIA Portal workstation, which allowed them to send commands to the controller.

Read also: In Boeing 787 Dreamliner detected a bulk of vulnerabilities in security systems

As a first example, experts demonstrated the remote on and off PLCs of the latest S7-1500 series. However, the main goal was the remote implementation of logic.

“The station was able to remotely start and stop the PLC via the commandeered Siemens communications architecture, potentially wreaking havoc on an industrial process. We were then able to wrest the controls from the TIA and surreptitiously download rogue command logic to the S7-1500 PLC”, — explained researchers.

The most dangerous of demonstrated attacks is the secret introduction of programs. Researchers individually modified the running code and the source code, and then downloaded both codes to the PLC.

Researchers notified Siemens of the problem and demonstrated an attack called Rogue7 at the Black Hat USA 2019 conference last week in Las Vegas.