Siemens Simatic S7 Controller HACKED



In August 2019, a team of ethical hackers gained full control of one of the most hardened industrial programmable logic controllers (PLCs) on the market, the Siemens Simatic S7, and presented their findings at the Black Hat USA conference in the United States.

The Team:

The ethical hackers were a team from the Technion–Israel Institute of Technology and Tel Aviv University, working in collaboration with the Israel National Cyber Directorate. The team was led by Professor Eli Biham, head of the Hiroshi Fujiwara Cyber Security Research Center at the Technion, and Dr. Sara Bitan of the Technion's Faculty of Computer Science, together with Professor Avishai Wool of the School of Electrical Engineering at Tel Aviv University and the students Aviad Carmel, Alon Dankner and Uriel Malin.

The team gained full control of the Siemens Simatic S7 controller. They reverse-engineered the proprietary protocol the controller speaks with its engineering station, built a rogue engineering station of their own, and used it to command the controller at will: starting and stopping it, downloading rogue control logic, and replacing both the running program and the source code the controller holds. Throughout, the engineer operating the controller saw nothing that revealed the hostile intervention.

The Plan:

Because Siemens does not publish the specification of the protocol its controllers use to talk to engineering stations (S7CommPlus), the researchers reconstructed it by reverse engineering network traffic and software. According to Prof. Wool, this "detective work" took many months.

The Simatic S7 is a family of programmable logic controllers whose job is automatic process control: reacting to changing conditions in the plant according to a program written by an engineer. The controllers receive their program and commands from an engineering station (a PC running Siemens' engineering software) and drive the field equipment on the operator's behalf: sensors, motors, traffic lights, and more.

The newer generations of the Simatic S7 family, such as the S7-1500, are considered considerably better protected than their predecessors, mainly because the engineering protocol is now cryptographically protected. Attacking them is therefore a complex task that requires expertise in several fields at once.

Once the protocol had been reconstructed, the researchers mapped the controller's security and cryptographic mechanisms and looked for weaknesses in them. They succeeded: they were able to derive the keys the controller shares with its engineering station, and with those keys they could impersonate a legitimate engineering station as far as the controller could tell.

This allowed them to load malicious logic onto the controller despite the cryptographic protection built into the system. According to Prof. Biham, "this was a complex challenge because of the improvements that Siemens introduced in newer versions of Simatic controllers. Our success is linked to our vast experience in the study of controllers and their security, combined with our in-depth knowledge in several areas: systems understanding, reverse engineering capabilities, communications protocol analysis, and cryptographic analysis."
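The structural point in the two paragraphs above, that a controller which authenticates its engineering station with keys an attacker can recover will accept a rogue station as genuine, is illustrated below with a toy challenge/response protocol. This is an added example written for this page; it is not the S7CommPlus protocol, not Siemens' implementation, and not the researchers' code. The controller class, the keys and the program byte strings are all constructed for the demonstration.

```python
# Added illustrative example; not Siemens' protocol or the Technion team's code.
import hashlib
import hmac
import secrets


class ToyController:
    """Toy PLC: authenticates an engineering station by HMAC challenge/response
    and accepts a program download only inside an authenticated session."""

    def __init__(self, auth_key: bytes) -> None:
        self._auth_key = auth_key
        self._nonce = None
        self.authenticated = False
        self.program = b"ORIGINAL_LOGIC"  # constructed placeholder program

    def challenge(self) -> bytes:
        """Issue a fresh random nonce for the station to authenticate against."""
        self._nonce = secrets.token_bytes(16)
        self.authenticated = False
        return self._nonce

    def verify(self, response: bytes) -> bool:
        """Check HMAC(auth_key, nonce); constant-time compare, nonce used once."""
        if self._nonce is None:
            return False
        expected = hmac.new(self._auth_key, self._nonce, hashlib.sha256).digest()
        self.authenticated = hmac.compare_digest(expected, response)
        self._nonce = None
        return self.authenticated

    def download(self, program: bytes) -> None:
        """Replace the running program; only an authenticated station may do so."""
        if not self.authenticated:
            raise PermissionError("no authenticated engineering session")
        self.program = program


def station_response(auth_key: bytes, nonce: bytes) -> bytes:
    """What any engineering station, legitimate or rogue, sends back."""
    return hmac.new(auth_key, nonce, hashlib.sha256).digest()


def rogue_download(controller: ToyController, attacker_key: bytes) -> bool:
    """Rogue station: authenticate with whatever key it holds, then push logic."""
    nonce = controller.challenge()
    if not controller.verify(station_response(attacker_key, nonce)):
        return False
    controller.download(b"ROGUE_LOGIC")
    return controller.program == b"ROGUE_LOGIC"


# Constructed: one key baked into every copy of the engineering software and
# trusted by every controller of the family. Anyone who reverse-engineers the
# software once holds it.
FAMILY_KEY = hashlib.sha256(b"constructed family key").digest()


def rogue_station_vs_family_key() -> bool:
    """A key extracted once from the software opens every controller."""
    attacker_key = FAMILY_KEY
    return all(rogue_download(ToyController(FAMILY_KEY), attacker_key)
               for _ in range(3))


def rogue_station_vs_device_key() -> bool:
    """Per-controller key provisioned at commissioning: the key pulled from the
    software no longer authenticates against this controller."""
    device_key = secrets.token_bytes(32)
    return rogue_download(ToyController(device_key), FAMILY_KEY)


def legitimate_station_vs_device_key() -> bool:
    """The engineer's station, holding the provisioned key, still works."""
    device_key = secrets.token_bytes(32)
    plc = ToyController(device_key)
    nonce = plc.challenge()
    plc.verify(station_response(device_key, nonce))
    plc.download(b"ENGINEER_LOGIC")
    return plc.program == b"ENGINEER_LOGIC"


if __name__ == "__main__":
    print("rogue station, family-wide key :", rogue_station_vs_family_key())
    print("rogue station, per-device key  :", rogue_station_vs_device_key())
    print("engineer station, per-device key:", legitimate_station_vs_device_key())
```

The toy only shows why the cryptography is not the whole story: the HMAC itself is sound, yet the controller cannot distinguish a rogue station from a real one once the station-side secret is known, and a secret common to the whole product family makes a single reverse-engineering effort reusable against every unit. Per-controller keys shrink that blast radius but remain symmetric secrets that must be protected on the engineering station; binding station credentials to hardware-held asymmetric keys is the stronger design. None of this reproduces the actual S7CommPlus key derivation, which the page does not describe.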


Dr. Bitan noted that the attack underscores the need for investment by both manufacturers and customers in securing industrial control systems. According to her, the attack shows that securing industrial control systems is a more difficult and challenging task than securing information systems.

Source: Technion Institute of Technology

Contact us for information on SIGA’s un-hackable solution.