Malicious actors could use rogue engineering workstations to take control of Siemens programmable logic controllers (PLCs), and they can hide the attack from the engineer monitoring the system, researchers from two universities in Israel have demonstrated.
Researchers from Technion and Tel-Aviv University have reverse-engineered the S7 network protocol used for communications between Siemens’ SIMATIC S7 PLC and the TIA Portal (WinCC) software, which acts as the engineering workstation and can also serve as a human-machine interface (HMI).
In recent years, Siemens was reported to have a share of over 30% in the global PLC market — more than any other vendor — so these controllers are likely to be targeted by threat actors trying to cause disruptions in industrial environments, as demonstrated by the 2010 Stuxnet attack on an Iranian nuclear facility.
Several serious vulnerabilities affecting Siemens PLCs have been disclosed in recent years, and researchers have demonstrated some potentially damaging attacks.
The most recent versions of the S7 protocol used by Siemens controllers do include some defense mechanisms, including cryptographic message integrity checks that should protect communications from malicious tampering.
However, after reverse-engineering the protocol, the researchers from Israel managed to develop a rogue engineering workstation that mimicked the TIA Portal, allowing it to interact with the PLC. Such a rogue workstation can be set up by an attacker who has access to the targeted organization’s network and the PLC.
The experts have demonstrated that a rogue engineering workstation can send commands to an S7-1500 PLC to instruct it to start or stop. This can already be highly problematic, depending on what the controller is used for.
However, the researchers showed that the rogue system could also be used to remotely download a malicious control logic program to the controller.
In what they described as a stealthy program injection attack, the experts managed to download a malicious program to the PLC, while preventing the engineer from seeing it. This is possible due to the fact that the program download message contains both the source code of the program and the binary (compiled) code that will run on the PLC. An attacker can modify each of them independently, allowing them to leave the uncompiled code untouched — this code will be displayed to the engineer — and make malicious modifications to the compiled code that is sent to the controller.
“We note that our main findings in themselves are not ‘vulnerabilities’ that can be quickly patched: rather, once the obscurity of the protocol is unveiled, we find that the attacks are consequences of the cryptographic design choices used in the S7 protocol,” the researchers explained.
The attack method, which the researchers have dubbed “Rogue7,” is being detailed on Thursday at the Black Hat cybersecurity conference in Las Vegas. A research paper that includes technical information has also been published.
Contacted by SecurityWeek, Siemens said it was aware of the research and it plans on releasing product updates to address some of the issues uncovered by the experts. However, the company says its products already contain security features, such as Access Protection, which should mitigate these types of attacks.
“Siemens recommends to activate these protection features and install the products according to Siemens’ operational guidelines published on the Siemens Industrial Security website,” the company said in an emailed statement.
South Korean researchers also warn of new Siemens PLC vulnerabilities
Researchers at South Korea-based NSHC last month revealed that they had found a “zero-day vulnerability” in Siemens S7 PLCs that can be exploited for replay attacks.
The company told SecurityWeek that an attacker who is on the targeted organization’s network and is capable of launching a man-in-the-middle (MitM) attack can use the technique for denial-of-service (DoS) attacks and even to execute arbitrary commands.
NSHC has published a video apparently showing how the vulnerability can be exploited to cause serious damage.
However, Siemens told SecurityWeek that it has conducted an internal investigation and determined that what HSHC has found is not an actual vulnerability.
“The researcher appears to have developed a compatible client for the S7 communications protocol, with limited capability, using information gathered through reverse engineering,” Siemens said. “Siemens recommends that users of Simatic S7-1200/S7-1500/Software Controller enable the feature ‘access protection’ to prohibit unauthorized modifications of the devices.”
Related: Hackers Can Steal Data From Air-Gapped Industrial Networks via PLCs
Related: Severe DoS Flaw Discovered in Siemens SIMATIC PLCs
Related: Siemens Warns of Linux, GNU Flaws in Controller Platform