Vulnerabilities in Siemens’ most secure industrial PLCs can lead to industrial havoc

Critical vulnerabilities in the Siemens S7 Simatic programmable logic controller (PLC) have been discovered by cybersecurity researchers at Tel Aviv University and the Technion Institute of Technology.

Prof. Avishai Wool and M.Sc student Uriel Malin of TAU’s School of Electrical Engineering worked together with Prof. Eli Biham and Dr. Sara Bitan of the Technion to disrupt the PLC’s functions and gain control of its operations.

The scientists’ rogue engineering workstation posed as a so-called TIA (Totally Integrated Automation Portal) engineering station that interfaced with the Simatic S7-1500 PLC controlling the industrial system.

“The station was able to remotely start and stop the PLC via the commandeered Siemens communications architecture, potentially wreaking havoc on an industrial process,” Prof. Wool explained. “We were then able to wrest the controls from the TIA and surreptitiously download rogue command logic to the S7-1500 PLC.”

The researchers hid the rogue code so that a process engineer could not see it. If the engineer were to examine the code from the PLC, he or she would see only the legitimate PLC source code, unaware of the malicious code running in the background and issuing rogue commands to the PLC.

Their findings demonstrate how a sophisticated attacker can abuse Siemens’ newest generation of industrial controllers that were built with more advanced security features and supposedly more secure communication protocols.

Fixes and mitigations

“The main gap in the S7 cryptographic handshake is that the TIA is not authenticated to the PLC: only the PLC is authenticated to the TIA. Fundamentally, this allows us to create a rogue engineering station (once the veil of obscurity was lifted from the protocol). This gap can be addressed cryptographically — e.g., by having each TIA instance use its own private key, whose public-key is shared and retained by the PLC. An alternative is to introduce a ‘pairing’ mode, in which the PLC and TIA establish a long-lived shared secret during the first session. Either way, the PLC must refuse to communicate with any device claiming to be a TIA which is not the previously-authenticated TIA. According to Siemens ProductCERT, the recommended counter-measure against rogue programming of the PLC is by activating the password-protected access control mechanism on each PLC,” they explained.

“A second gap is that all PLCs of the same model and firmware version share the same private-public key pair. This gap can be used in two ways. We used it in a generic way to conduct impersonation attacks on all the S7-1500 PLCs, which use the fact that all PLCs use the same key. We did not, however, extract the private key from the PLCs. If the private key is extracted from one PLC of a particular version, then stronger attacks, specifically full man in the middle attacks with on-they-fly session-hijacking, and also PLC impersonation attacks against a TIA station (without any valid PLC), become possible.”

Following the best practices of responsible disclosure, the research findings were shared with Siemens well in advance of the scheduled Black Hat USA 2019 presentation, allowing the manufacturer to prepare.

Siemens has yet to release a security advisory pointing to software fixes. In the meantime, organizations deploying the vulnerable PLCs can, as Siemens generally advises, protect access to them by activating the password-protected access control mechanism. They can also make sure that the PLCs are not connected to the Internet or put them behing firewalls.

Dr. Bitan noted that the attack emphasizes the need for investment by both manufacturers and customers in the security of industrial control systems. “The attack shows that securing industrial control systems is a more difficult and challenging task than securing information systems,” she concluded.