The Siemens industrial control systems architecture consists of Simatic S7 PLCs which communicate with a TIA engineering station and SCADA HMI on one side, and control industrial systems on the other side. The newer versions of the architecture are claimed to be secure against sophisticated attackers, since they use advanced cryptographic primitives and protocols. In this paper we show that even the latest versions of the devices and protocols are still vulnerable.
After reverse-engineering the cryptographic protocol, we are able to create a rogue engineering station which can masquerade as the TIA to the PLC and inject any messages favourable to the attacker. As a first example we extend attacks that can remotely start or stop the PLC to the latest S7-1500 PLCs. Our main attack can download control logic of the attacker's choice to a remote PLC. Our strongest attack can separately modify the running code and the source code, which are both downloaded to the PLC. This allows us to modify the control logic of the PLC while retaining the source code the PLC presents to the engineering station. Thus, we can create a situation where the PLC's functionality is different from the control logic visible to the engineer.
Uriel Malin has been attracted to software security research since he was a child. As a teenager, Uriel hacked many security challenges and publicized an IAT Hooking technique in DigitalWhisper (an Israeli security magazine). During his work as a security researcher over the past 8 years, Uriel analyzed, reverse engineered and executed code on many applications, platforms and architectures, and held various positions, including leading a research team. Uriel is enthusiastic about research and took part in 35C3 CTF with team Pasten. Today Uriel works as a security researcher for Medigate. Uriel has a B.Sc in computer science from the Jerusalem College of Technology, and he is finishing his M.Sc. thesis in computer science at Tel Aviv University, advised by Prof. Avishai Wool. In his spare time, Uriel is also a father to two amazing children.
Sara Bitan is a senior researcher at the Technion Hiroshi Fujiwara Cyber Security Research Center. Her research interests include security of embedded system, including PLCs, vehicle ECUs, and trusted execution environments. Sara has over 20 years of experience in the cyber-security industry. She was the V.P. Research and development of a network security startup, and worked as a security architect at Microsoft. Sara is a co-founder of CyCloak, that provides advanced cyber-security solutions. Sara has B.A., M.Sc., and Ph.D. from the computer science faculty in the Technion in Haifa Israel.
Prof. Avishai Wool is a professor in the School of Electrical Engineering at Tel Aviv University. He is also deputy-director of the Interdisciplinary Cyber Research Center at TAU. He received a B.Sc. in Mathematics and Computer Science with honors from Tel Aviv University (1989). He has a M.Sc. (1992) and a Ph.D. (1997), both in Computer Science from the Weizmann Institute of Science. His research interests include computer, network, and wireless security, SCADA systems, smart-card and RFID systems, sidechannel cryptanalysis, and firewall technology. Prior to joining Tel Aviv University, Prof. Wool spent four years as a Member of Technical Staff at Bell Laboratories, Murray Hill, NJ, USA. In 2000 he co-founded Lumeta Corp. In 2003 he co-founded AlgoSec Systems, a network security company, for which he continues to serve as Chief Technical Officer. He has published more than 110 research papers and holds 15 US Patents. He advised 3 Ph.D. and 35 M.Sc. students, and has served on the program committee of the leading IEEE and ACM conferences on computer and network security.
Prof. Eli Biham received his B.Sc. in Mathematics and Computer Science at the Tel Aviv University (cum laude), 1982, and his Ph.D. from the Weizmann Institute, 1991. His Ph.D. thesis developed Differential Cryptanalysis, the first cryptanalysis method that could break the Data Encryption standard (DES), and the first general cryptanalysis method that was applicable to a large family of block ciphers. Since 1991 he is a faculty member at the Technion's faculty of Computer Science. He (together with his students and colleagues) developed various methods for analysis of various kinds of ciphers. The most known of them are DES, and the cipher of the GSM cellular phone system (A5) - which proved that it is easy to listen in to any GSM (voice or data) conversation, and even to fake such calls as if originated from somebody else's phone. He also developed new ciphers, the most known of them is Serpent, which was a leading candidate to become the Advanced Encryption Standard (AES) - the successor of DES. Eli Biham is the founding head of the Technion Hiroshi Fujiwara cyber security research center. He served in dozens of program committees, as the program and general chair of the FSE 1997 workshop, and as program chair of EUROCRYPT 2003 and SAC 2006. He was also an editor of the journal of cryptology and a director in the International Association for Cryptologic Research (IACR). Between 2008 and 2013 he served as the dean of the faculty of computer science. Since 2012 he is an IACR fellow. He received the RSA award 2012, and holds the position of IACR distinguished lecturer 2013.