Researchers Poke Holes in Siemens Simatic S7 PLCs

Black Hat USA session will reveal how they reverse-engineered the proprietary cryptographic protocol to attack the popular programmable logic controller.

A group of security researchers in Israel has discovered vulnerabilities in the Siemens S7 Simatic architecture that ultimately allowed them to build a phony engineering workstation that was able to dupe — and alter — operations of the S7 programmable logic controller (PLC) that runs industrial processes.
Eli Biham and Sara Bitan of Technion, and Avishai Wool and Uriel Malin of Tel Aviv University,
at Black Hat USA next month
in Las Vegas will reveal security weaknesses they found in the newest generation of the Siemens systems and how they reverse-engineered the proprietary cryptographic protocol in the S7.
Their rogue engineering workstation poses as the so-called TIA engineering station that operates with the Simatic S7-1500 PLC, which in turn interfaces with and runs the industrial system or process. It can remotely start and stop the PLC via the newly found flaws in the Siemens communications architecture, potentially wreaking havoc on an industrial system or process, according to the researchers. They were able to wrest those controls from the PLC by surreptitiously downloading rogue command logic to the S7 PLC.
They hide the rogue code so that a process engineer could not see it: If the engineer were to check the code, he or she would only see the legitimate PLC source code, unaware of the malicious code running in the background and issuing rogue commands to the PLC.
You could have some disruption in the physical process, explains Wool, a professor at Tel Aviv Universitys School of Electrical Engineering.
The research — details of which the researchers wont disclose until their talk at Black Hat — combined deep-dive studies of the Siemens technology by teams at both Technion and Tel Aviv University. Their findings demonstrate how a sophisticated attacker could abuse Siemens newest generation of industrial controllers that were built with more security features and more secure communication protocols.
Siemens doubled down on industrial control system (ICS) security in the aftermath of the infamous Stuxnet attack, where its older controllers were targeted in a sophisticated attack that ultimately sabotaged centrifuges in the Natanz nuclear facility in Iran. Siemens was one of the first ICS/SCADA vendors then to step up and build secure software development programs as well as roll out new products with
built-in security features
such as firewalls and VPNs.
The industrial systems vendor now also offers
managed security services
, including monitoring, incident response, and management, to the industrial sector.
Siemens confirmed that it has been working with the researchers, who have shared the details of their findings with the vendor. Siemens is aware of the findings, has been working with the researcher, and will provide further information as it becomes available via Siemens ProductCERT, a Siemens spokesperson said.
Meanwhile, the researchers for now recommend layers of firewalls, access controls, and closing off any Internet connections to the S7s as a defense to such attacks on the PLCs.
Siemens advises enabling the access protection feature in its Simatic S7-1200 and S7-1500 to prevent unauthorized modifications of the devices.
Related Content:
New Twist in the Stuxnet Story
Stuxnet, the Prequel: Earlier Version of Cyberweapon Discovered
Anatomy of a Cyber-Physical Attack
PLC Worms Pose Stealthy Threat to Industrial Systems

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the
conference
and
to register.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Researchers Poke Holes in Siemens Simatic S7 PLCs