By Gregory Hale
It is possible to hack into Siemens S7-1500 programmable logic controllers (PLC), researchers said.
By exploiting vulnerabilities, including the use of the same key on all of the S7-1500 PLCs, researchers were able to get into the systems and take over, said Dr. Sara Bitan, senior researcher at Technion Hiroshi Fujiwara Cyber Security Research Center and founder and chief executive of CyCloak – Secure System Design and Audit and Uriel Malin, a masters student at Tel Aviv University and a security researcher at Medigate – Healthcare IoT Security, during a presentation Thursday entitled “Rogue 7: Rogue Engineering Station Attacks on Simatic S7 PLCs,” at Black Hat USA 2019 in Las Vegas, NV.
They presented a paper written by them and Eli Biham, head of the Hiroshi Fujiwara Cyber Security Research Center at the Technion, Aviad Carmel, a student at Tel Aviv University, Alon Dankner, a student at Tel Aviv University, and Avishai Wool, a professor at the School of Electrical Engineering at Tel Aviv University.
Siemens said it is aware of the research from Technion Haifa and Tel-Aviv University presented at BlackHat USA 2019 as “Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs.” Siemens added it recommends users of SIMATIC S7-1200/S7-1500 enable the feature “access protection” to prohibit unauthorized modifications of the devices.
In addition, the company recommends following and implementing the defense-in-depth approach for plant operations, and configuring the environment according to Siemens’ operational guidelines for Industrial Security.
“We have become more dependent on critical infrastructure in our daily lives,” Bitan said. “Distributed control system covers dozens of miles, and the PLC is the core of the ICS (industrial control system). PLCs are connected to physical devices. The PLC is the target of our attack.”
The S7 PLC the team exploited has a “highly sophisticated software package which makes it error prone and vulnerable,” Bitan said. They were able to get into the engineering workstation and run their exploit from there.
“The engineering workstation is the soft underbelly of the ICS,” Bitan said. “They only use it when needed to troubleshoot something or conduct maintenance.”
The Siemens industrial control systems architecture consists of Simatic S7 PLCs which communicate with a TIA (Totally Integrated Automation) engineering station and SCADA HMI on one side, and control industrial systems on the other side.
After reverse-engineering the cryptographic protocol, the researchers built a rogue engineering station that presented itself to the PLC as the TIA station and could inject any kind of message.
In their demos, they were able to remotely start or stop even the latest S7-1500 PLCs. In another attack they downloaded an attacker’s control logic to a remote PLC. They were also able to modify the running code and the source code separately, which allowed them to change the control logic executing on the PLC while the source code the PLC presents to the engineering station remained unchanged.
Turning to the details of the attack, the researchers first identified the code elements of Siemens’ proprietary cryptographic protocol, which they called P3.
They also pointed out the differences between the P3 protocol and SSL. Both use server-only authentication: the client generates the key material and encrypts it with the server’s public key. They differ in that under SSL each server uses a different public key, whereas in S7 P3 all PLCs of the same model and version share the same key.
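The following Python is an added illustration of the design difference described above; it is not Siemens’ P3 protocol, nor code from the researchers, but a standard-library-only toy model using deliberately small, insecure RSA parameters. It models the handshake shape the article describes (client picks the session key, encrypts it under the server’s public key) and then compares the blast radius of one private key leaking from a device in a fleet that shares a single key per model/version against a fleet in which every device carries its own key. The device names, prime values and function names are all constructed for this demo.

```python
import secrets
from math import gcd

# Toy RSA parameters: small hard-coded primes so the demo runs instantly.
# They illustrate structure only; real keys are 2048 bits or more.
TOY_PRIMES = {
    "set-A": (1000003, 1000033),
    "set-B": (1000037, 1000039),
}
PUBLIC_EXPONENT = 65537


def make_keypair(p, q, e=PUBLIC_EXPONENT):
    """Textbook RSA keypair: returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def client_handshake(server_pub):
    """Client side of the exchange shape in the article: the client generates
    the session key and encrypts it under the server's public key."""
    n, e = server_pub
    session_key = secrets.randbelow(n - 2) + 2   # toy: key is an integer in [2, n-1]
    ciphertext = pow(session_key, e, n)
    return session_key, ciphertext


def server_accept(server_priv, ciphertext):
    """Server (PLC-side) recovery of the session key with its private key."""
    n, d = server_priv
    return pow(ciphertext, d, n)


def build_fleet(device_ids, shared_key):
    """Assign keypairs to a fleet of PLC-like devices (constructed names).
    shared_key=True  : every device carries the same keypair (one key per model/version).
    shared_key=False : each device carries its own keypair."""
    fleet = {}
    if shared_key:
        pair = make_keypair(*TOY_PRIMES["set-A"])
        for dev in device_ids:
            fleet[dev] = pair
    else:
        prime_sets = list(TOY_PRIMES.values())
        assert len(device_ids) <= len(prime_sets), "demo has one prime set per device"
        for dev, primes in zip(device_ids, prime_sets):
            fleet[dev] = make_keypair(*primes)
    return fleet


def blast_radius(fleet, leaked_from):
    """Defender's question: if the private key of ONE device is extracted,
    which devices' handshakes can that key now open? Returns the affected ids."""
    _, leaked_priv = fleet[leaked_from]
    affected = set()
    for dev, (pub, _) in fleet.items():
        session_key, ct = client_handshake(pub)
        # A wrong modulus/exponent yields garbage (equality only by negligible chance).
        if server_accept(leaked_priv, ct) == session_key:
            affected.add(dev)
    return affected


if __name__ == "__main__":
    devices = ["PLC-1", "PLC-2"]
    for shared in (True, False):
        fleet = build_fleet(devices, shared_key=shared)
        hit = blast_radius(fleet, "PLC-1")
        print(f"shared_key={shared}: key leaked from PLC-1 opens {sorted(hit)}")
```

The per-model key means a single extracted private key is sufficient to complete the handshake with every unit of that model and version, which is exactly why per-device keys (as in SSL) confine a leak to the one device it came from.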
Having worked out the protocol, they were able to build a fake engineering station, which was then used to take over the system.
After the demo of the technical details of the attack, they summarized their findings: the S7 protocol P3 contains vulnerabilities, and a Python attack tool can impersonate TIA, download a recorded program to any S7-1500 PLC, and carry out a stealth program-injection attack.