Security Experts:

Connect with us

Hi, what are you looking for?



Security Researchers Dig Deep Into Siemens Software Controllers

LAS VEGAS – BLACK HAT 2022 – A team of researchers from the Technion research university in Israel is conducting an analysis of Siemens software controllers and they are gradually identifying security issues.

LAS VEGAS – BLACK HAT 2022 – A team of researchers from the Technion research university in Israel is conducting an analysis of Siemens software controllers and they are gradually identifying security issues.

The researchers have analyzed a PC-based programmable logic controller (PLC) — or SoftPLC — from Siemens. The SIMATIC S7-1500 software controller runs on the ET200SP open controller, combining the security of a PLC with the flexibility of an industrial PC, according to the vendor.Siemens softPLC security analyzed

Technion’s investigation showed that the controller is powered by an Intel Atom CPU and it runs a hypervisor that controls two virtual machines (VMs) with Windows and Adonis Linux, which the vendor calls SWCPU. The Adonis kernel runs the PLC logic and functions.

The SWCPU is encrypted and is decrypted by the hypervisor during the PLC boot process. However, the researchers found that the boot process is not secure, allowing an attacker to read and modify the filesystem, including hypervisor binaries and the encrypted SWCPU. Next, the researchers discovered that the SWCPU can be decrypted using a hardcoded key.

Siemens confirmed to the researchers that it is possible to decrypt the firmware using a hardcoded key. The company has argued that the role of the encryption is to protect its intellectual property.

“Customer installations are not directly impacted by this research. However, Siemens recommends that customers continuously monitor the Siemens security advisories and install latest available patches. Further, Siemens strongly recommends that customers implement the defense-in-depth approach for plant operations and configure their environments according to Siemens’ operational guidelines for Industrial Security,” Siemens told SecurityWeek in an emailed statement.

Learn more about vulnerabilities in industrial systems at

SecurityWeek’s 2022 ICS Cyber Security Conference

Sara Bitan, researcher at Technion and CEO and co-founder of cybersecurity firm CyCloak, talked to SecurityWeek ahead of the Black Hat conference that took place this week in Las Vegas, where the Technion team disclosed some of its findings. The researcher believes their work is important, as it paves the way for future research, and the firmware hacking in itself could have security implications.

“The plaintext firmware can be reverse engineered. We observed that the firmware includes standard C run time libraries, and various open-source libraries (e.g. openssl). The update frequency of the firmware is low, exposing it to known vulnerabilities. Moreover, we found out — and Siemens confirmed — that the open controller shares 99% of software with S7-1500, i.e. the firmware decryption exposes the whole Simatic S7-1500 product line to attacks exploiting known vulnerabilities,” she explained.

In addition, the research is ongoing and the experts claim to have already identified a way for a malicious actor who takes control of the Windows VM in the S7-1515SP PC2 to persistently replace the Siemens PLC firmware with their own rogue firmware. The full details of this vulnerability have not been disclosed at Black Hat as it’s not part of the initial research. Siemens was recently notified but, based on its response, it has yet to fully assess the issue.

“An attacker gaining local admin permissions on the Windows VM (whether through local or remote exploitation) can modify/replace the file containing the PLC firmware with his own malicious firmware, correctly encoded, and the open controller will automatically run it after reboot,” Bitan explained.

“The attacker can use the malicious firmware to completely take over the PLC, and run his own control program (like what Stuxnet has done). The customer is fully responsible for the Windows machine, including updates, hardening etc. It is designed to be used by engineers as a development environment, and it is the one communicating with the external world (except the field devices). Hence its attack surface is large, and respectively also the probability of malicious takeover by an attacker,” the researcher added.

Related: New Vulnerabilities Can Allow Hackers to Remotely Crash Siemens PLCs

Related: ICS Patch Tuesday: Siemens, Schneider Fix Several Critical Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...