Vulnerability analysis of S7 PLCs: Manipulating the security mechanism

Abstract

Programmable Logic Controllers (PLCs) are the point of interaction between the cyber and physical worlds, and have therefore been the target of previous cyber-attacks that caused physical disruption. To understand the effectiveness of the state-of-the-art security mechanisms built into these devices, this paper presents an in-depth analysis of the Siemens PLC environment, in particular the communication protocol known as S7CommPlus. This protocol enables communication between Siemens endpoints such as TIA Portal (the vendor's engineering software) and PLCs such as the S7-1211C, which was used for the experiments in this work. The analysis uses the tools WinDbg and Scapy. The anti-replay mechanism used in the protocol is investigated, including the identification of the specific bytes required to craft valid network packets. Novel exploits, including the manipulation of cryptographic keys, are identified on the basis of experimental analysis. Exploits are then demonstrated that enable the hijacking of an existing communication session, denying an engineer the ability to configure a PLC, making unauthorised changes to PLC states, and other potential violations of integrity and availability. The problems that lead to these exploits are also discussed, and a number of potential mitigation strategies are proposed.
