Researchers Poke Holes in Siemens Simatic S7 PLCs

These things are used widely in industrial control systems so it’s vitally important that they are protected. I’ve worked on deception projects to intercept attempts to compromise PLCs, looks like this is going to be a vital layer of defence…:

A group of security researchers in Israel has discovered vulnerabilities in the Siemens S7 Simatic architecture that ultimately allowed them to build a phony engineering workstation that was able to dupe — and alter — operations of the S7 programmable logic controller (PLC) that runs industrial processes.

Eli Biham and Sara Bitan of Technion, and Avishai Wool and Uriel Malin of Tel Aviv University, at Black Hat USA next month in Las Vegas will reveal security weaknesses they found in the newest generation of the Siemens systems and how they reverse-engineered the proprietary cryptographic protocol in the S7.

Their rogue engineering workstation poses as the so-called TIA engineering station that operates with the Simatic S7-1500 PLC, which in turn interfaces with and runs the industrial system or process. It can remotely start and stop the PLC via the newly found flaws in the Siemens communications architecture, potentially wreaking havoc on an industrial system or process, according to the researchers. They were able to wrest those controls from the PLC by surreptitiously downloading rogue command logic to the S7 PLC.

[…]

Original article here