
Siemens web security for plc

Critical vulnerabilities in the Siemens Simatic S7 programmable logic controller (PLC) have been discovered by cybersecurity researchers at Tel Aviv University and the Technion Institute of Technology. Prof. Avishai Wool and M.Sc. student Uriel Malin of TAU's School of Electrical Engineering worked together with Prof. Sara Bitan of the Technion to disrupt the PLC's functions and gain control of its operations. The researchers' rogue engineering workstation posed as a TIA Portal (Totally Integrated Automation Portal) engineering station that interfaced with the Simatic S7-1500 PLC controlling the industrial system. "The station was able to remotely start and stop the PLC via the commandeered Siemens communications architecture, potentially wreaking havoc on an industrial process," Prof. Wool said. "We were then able to wrest the controls from the TIA and surreptitiously download rogue command logic to the S7-1500 PLC." The researchers hid the rogue code so that a process engineer could not see it.

A separate academic paper analyses the underlying engineering protocol, S7CommPlus, in detail; its abstract follows.

Programmable Logic Controllers (PLCs) are the point of interaction between the cyber and physical world, and have therefore been the target of previous cyber-attacks that caused physical disruption. To understand the effectiveness of the state-of-the-art security mechanisms built into these devices, this paper presents an in-depth analysis of the Siemens PLC environment, particularly the communication protocol known as S7CommPlus. This protocol carries communication between Siemens endpoints such as TIA Portal (the vendor's engineering software) and PLCs like the S7-1211C, which was used for the experiments in this work. The analysis uses the tools WinDbg and Scapy. The anti-replay mechanism used in the protocol is investigated, including the identification of the specific bytes necessary to craft valid network packets. Novel exploits, including the manipulation of cryptographic keys, are identified through experimental analysis. Exploits are then demonstrated that enable stealing an existing communication session, denying an engineer the ability to configure a PLC, making unauthorised changes to PLC states, and other potential violations of integrity and availability. The problems that lead to these exploits are discussed and a number of potential mitigation strategies are proposed.
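The abstract's central point is that an anti-replay check can be passed by anyone who can read the session state off the wire, which is what makes session stealing possible. The following is an added illustration written for this page, not code from the paper or the researchers, and not the real S7CommPlus mechanism: it models a hypothetical packet layout (4-byte session id, 4-byte counter, 2-byte function code, payload) with a strictly increasing counter as the only freshness check, shows that a pure replay is rejected while a packet crafted from the observed session id and counter is accepted, and then shows what changes when a keyed integrity tag bound to a per-session key is added. The function codes, session id and key are constructed values.

```python
"""
Added illustration (not S7CommPlus itself): a session-bound anti-replay check,
why passing it is not the same as authenticating the sender, and what a keyed
integrity tag changes.  The packet layout (4-byte session id, 4-byte counter,
2-byte function code, payload, optional 32-byte tag) and the function codes
are hypothetical and chosen for readability.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional

HDR = struct.Struct(">IIH")  # session_id, counter, function code (hypothetical)
TAG_LEN = 32                 # HMAC-SHA256 digest length

FUNC_READ = 0x0001  # hypothetical "read variable"
FUNC_STOP = 0x0002  # hypothetical "stop CPU"


def build_packet(session_id: int, counter: int, func: int,
                 payload: bytes = b"", key: Optional[bytes] = None) -> bytes:
    """Serialise a packet; append an HMAC tag over header+payload when a key is given."""
    body = HDR.pack(session_id, counter, func) + payload
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ReplayCheckedEndpoint:
    """Accepts a packet only if it names the open session and carries a counter
    strictly greater than the last accepted one.  No sender authentication."""

    def __init__(self, session_id: int) -> None:
        self.session_id = session_id
        self.last_counter = 0
        self.log: List[str] = []

    def verify(self, pkt: bytes) -> bool:
        session_id, counter, func = HDR.unpack_from(pkt)
        if session_id != self.session_id:
            self.log.append(f"reject: unknown session {session_id:#x}")
            return False
        if counter <= self.last_counter:
            self.log.append(f"reject: replayed/stale counter {counter}")
            return False
        self.last_counter = counter
        self.log.append(f"accept: func={func:#06x} counter={counter}")
        return True


class AuthenticatedEndpoint(ReplayCheckedEndpoint):
    """Same counter check, plus a keyed tag over the body; an on-path observer
    without the session key cannot produce a valid tag."""

    def __init__(self, session_id: int, key: bytes) -> None:
        super().__init__(session_id)
        self.key = key

    def verify(self, pkt: bytes) -> bool:
        if len(pkt) < HDR.size + TAG_LEN:
            self.log.append("reject: truncated packet")
            return False
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.log.append("reject: bad integrity tag")
            return False
        return super().verify(body)


def run_scenario(endpoint: ReplayCheckedEndpoint, key: Optional[bytes]) -> Dict[str, object]:
    """The legitimate station sends two reads; an on-path observer then replays
    the last packet and crafts a STOP from the session id and counter it saw."""
    sid = 0x12345678  # constructed session id
    captured: List[bytes] = []
    for ctr in (1, 2):
        pkt = build_packet(sid, ctr, FUNC_READ, key=key)
        captured.append(pkt)
        endpoint.verify(pkt)

    replay_accepted = endpoint.verify(captured[-1])

    seen_sid, seen_ctr, _ = HDR.unpack_from(captured[-1])
    crafted = build_packet(seen_sid, seen_ctr + 1, FUNC_STOP)  # observer holds no key
    if key is not None:
        crafted += b"\x00" * TAG_LEN  # a bogus tag: the observer cannot compute a real one
    crafted_accepted = endpoint.verify(crafted)
    return {"replay": replay_accepted, "crafted": crafted_accepted,
            "last_counter": endpoint.last_counter}


def anti_replay_only() -> Dict[str, object]:
    return run_scenario(ReplayCheckedEndpoint(0x12345678), key=None)


def with_keyed_tag() -> Dict[str, object]:
    key = b"per-session-key-derived-elsewhere"  # constructed for the example
    return run_scenario(AuthenticatedEndpoint(0x12345678, key), key=key)


if __name__ == "__main__":
    print("counter check only :", anti_replay_only())
    print("counter + keyed tag:", with_keyed_tag())
```

With the counter check alone, the replay is rejected but the crafted STOP is accepted and the endpoint's counter advances to 3: the freshness check proves only that the sender has seen the session, not that it is the engineering station. With the keyed tag, both the replay (valid tag, stale counter) and the crafted packet (bad tag) are rejected. The tag only helps if the key is confidential and per session; the abstract's mention of key manipulation is a reminder that the key-handling design is part of the attack surface, not just the check itself.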
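Both the rogue engineering workstation in the Tel Aviv/Technion work and the session-stealing exploits in the abstract rely on a host other than the real TIA Portal machine talking the engineering protocol to the PLC. The following detector is an added example for this page, not code from the researchers or from Siemens. It rests on one fact about the protocol family: Siemens S7 communication, S7CommPlus included, runs over ISO-on-TCP (RFC 1006), so the PLC listens on TCP port 102. The flow records, addresses, PLC inventory and allowlist are constructed for the example.

```python
"""
Added example (not from the page or the researchers): flag engineering-protocol
connections to PLCs from hosts that are not approved engineering workstations,
and PLCs that see more than one engineering peer inside a short window.
Siemens S7 protocols use ISO-on-TCP (RFC 1006), i.e. TCP port 102.
All records, addresses and the allowlist below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ISO_TSAP_PORT = 102

# Constructed inventory: PLC addresses and the only hosts allowed to program them.
PLCS: Set[str] = {"10.0.5.10", "10.0.5.11"}
ENGINEERING_WORKSTATIONS: Set[str] = {"10.0.1.20"}  # the real TIA Portal host

# Constructed flow log, one record per line: "epoch_seconds src dst dport proto"
FLOW_LOG = """\
1700000000 10.0.1.20 10.0.5.10 102 tcp
1700000005 10.0.1.20 10.0.5.11 102 tcp
1700000030 10.0.7.99 10.0.5.10 102 tcp
1700000031 10.0.7.99 10.0.5.10 102 tcp
1700000040 10.0.1.21 10.0.5.10 80 tcp
1700000900 10.0.1.20 10.0.5.10 102 tcp
"""

Flow = Tuple[int, str, str, int, str]


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow format into (ts, src, dst, dport, proto) tuples."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto))
    return flows


def engineering_flows(flows: List[Flow]) -> List[Flow]:
    """Keep only TCP/102 connections whose destination is a known PLC."""
    return [f for f in flows
            if f[4] == "tcp" and f[3] == ISO_TSAP_PORT and f[2] in PLCS]


def detect(flows: List[Flow], window_s: int = 300) -> List[Dict[str, object]]:
    alerts: List[Dict[str, object]] = []
    eng = engineering_flows(flows)

    # Rule 1: engineering port on a PLC from a source that is not an approved
    # workstation.  Reported once per (src, plc) pair, at first sight.
    seen_pairs: Set[Tuple[str, str]] = set()
    for ts, src, dst, _, _ in eng:
        if src not in ENGINEERING_WORKSTATIONS and (src, dst) not in seen_pairs:
            seen_pairs.add((src, dst))
            alerts.append({"rule": "unapproved_engineering_peer",
                           "ts": ts, "src": src, "plc": dst})

    # Rule 2: a PLC that has a second, distinct port-102 peer within window_s
    # seconds of another one.  Engineering sessions are normally one-at-a-time,
    # so overlap is worth a look even when both peers are on the allowlist.
    by_plc: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, src, dst, _, _ in eng:
        by_plc[dst].append((ts, src))
    for plc, events in by_plc.items():
        events.sort()
        for i, (ts, src) in enumerate(events):
            recent = {s for t, s in events[:i] if ts - t <= window_s}
            if recent and src not in recent:
                alerts.append({"rule": "multiple_engineering_peers", "ts": ts,
                               "plc": plc, "peers": sorted(recent | {src})})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(FLOW_LOG)):
        print(alert)
```

On the sample log the unapproved host 10.0.7.99 triggers rule 1 once (its second connection is suppressed as a repeat), and the same host triggers rule 2 because it reaches 10.0.5.10 within five minutes of the real workstation; the port-80 flow and the workstation's own later reconnect produce nothing. The obvious caveat is that a rogue station which spoofs the approved workstation's address, or runs on that host, passes rule 1, and rule 2 only sees overlap between distinct addresses; these rules narrow the field, they do not replace authentication in the protocol itself.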