TAU and Technion Researchers Hack One of World's Most Secure PLCs
August 12, 2019 | Tel Aviv UniversityEstimated reading time: 2 minutes
Cybersecurity researchers at Tel Aviv University and the Technion Institute of Technology have discovered critical vulnerabilities in the Siemens S7 Simatic programmable logic controller (PLC), one of the world's most secure PLCs that are used to run industrial processes.
Prof. Avishai Wool and M.Sc student Uriel Malin of TAU's School of Electrical Engineering worked together with Prof. Eli Biham and Dr. Sara Bitan of the Technion to disrupt the PLC's functions and gain control of its operations.
The team is slated to present their findings at Black Hat USA week in Las Vegas this month, revealing the security weaknesses they found in the newest generation of the Siemens systems and how they reverse-engineered the proprietary cryptographic protocol in the S7.
The scientists' rogue engineering workstation posed as a so-called TIA engineering station that interfaced with the Simatic S7-1500 PLC controlling the industrial system. "The station was able to remotely start and stop the PLC via the commandeered Siemens communications architecture, potentially wreaking havoc on an industrial process," Prof. Wool explains. "We were then able to wrest the controls from the TIA and surreptitiously download rogue command logic to the S7-1500 PLC."
The researchers hid the rogue code so that a process engineer could not see it. If the engineer were to examine the code from the PLC, he or she would see only the legitimate PLC source code, unaware of the malicious code running in the background and issuing rogue commands to the PLC.
The research combined deep-dive studies of the Siemens technology by teams at both the Technion and TAU.
Their findings demonstrate how a sophisticated attacker can abuse Siemens' newest generation of industrial controllers that were built with more advanced security features and supposedly more secure communication protocols.
Siemens doubled down on industrial control system (ICS) security in the aftermath of the Stuxnet attack in 2010, in which its controllers were targeted in a sophisticated attack that ultimately sabotaged centrifuges in the Natanz nuclear facility in Iran.
"This was a complex challenge because of the improvements that Siemens had introduced in newer versions of Simatic controllers," adds Prof. Biham. "Our success is linked to our vast experience in analyzing and securing controllers and integrating our in-depth knowledge into several areas: systems understanding, reverse engineering, and cryptography."
Dr. Bitan noted that the attack emphasizes the need for investment by both manufacturers and customers in the security of industrial control systems. "The attack shows that securing industrial control systems is a more difficult and challenging task than securing information systems," she concludes.
Following the best practices of responsible disclosure, the research findings were shared with Siemens well in advance of the scheduled Black Hat USA presentation, allowing the manufacturer to prepare.
Suggested Items
Real Time with... IPC APEX EXPO 2024: AI Implementation at Omron
04/18/2024 | Real Time with...IPC APEX EXPOEditor Nolan Johnson and Omron Product Manager Nick Fieldhouse discuss the company's focus on AI implementation to enhance customer experience and results. They address programming challenges and how AI can help customers achieve better outcomes with less experience. Omron's AI is compatible with existing systems, facilitating easy upgrades.
Cadence Unveils Palladium Z3 and Protium X3 Systems
04/18/2024 | Cadence Design SystemsThe Palladium Z3 and Protium X3 systems offer increased capacity, and scale from job sizes of 16 million gates up to 48 billion gates, so the largest SoCs can be tested as a whole rather than just partial models, ensuring proper functionality and performance.
Australian Flow Batteries and The SCHMID Group Announce Groundbreaking Memorandum of Understanding
04/17/2024 | SCHMID GroupAustralian Flow Batteries Pty Ltd (AFB), a leader in innovative energy solutions and economical, safe, and reliable power storage, and SCHMID Energy Systems GmbH a company of the German SCHMID Group, a global technology leader with a rich history in delivering innovative solutions across multiple industries including Electronics, Renewables, and Energy Storage sectors, are thrilled to announce the signing of a Memorandum of Understanding (MoU)
Ansys Joins BAE Systems’ Mission Advantage Program to Advance Digital Engineering Across US Department of Defense
04/16/2024 | ANSYSAnsys announced it is working with BAE Systems, Inc., to accelerate the adoption of digital engineering and MBSE across the Department of Defense (DoD).
Designing Electronics for High Thermal Loads
04/16/2024 | Akber Roy, Rush PCB Inc.Developing proactive thermal management strategies is important in the early stages of the PCB design cycle to minimize costly redesign iterations. Here, I delve into key aspects of electronic design that hold particular relevance for managing heat in electronic systems. Each of these considerations plays a pivotal role in enhancing the reliability and performance of the overall system.