Hackers Can Use Rogue Engineering Stations to Target Siemens PLCs

Malicious actors could use rogue engineering workstations to take control of Siemens programmable logic controllers (PLCs) while hiding the attack from the engineer monitoring the system, researchers from two universities in Israel have demonstrated.


Researchers from Technion and Tel-Aviv University have reverse-engineered the S7 network protocol used for communications between Siemens’ SIMATIC S7 PLC and the TIA Portal (WinCC) software, which acts as the engineering workstation and can also serve as a human-machine interface (HMI).


In recent years, Siemens was reported to have a share of over 30% in the global PLC market — more than any other vendor — so these controllers are likely to be targeted by threat actors trying to cause disruptions in industrial environments, as demonstrated by the 2010 Stuxnet attack on an Iranian nuclear facility.



Several serious vulnerabilities affecting Siemens PLCs have been disclosed in recent years, and researchers have demonstrated some potentially damaging attacks.


The most recent versions of the S7 protocol used by Siemens controllers do include some defense mechanisms, such as cryptographic message integrity checks, that should protect communications from malicious tampering.


However, after reverse-engineering the protocol, the researchers from Israel managed to develop a rogue engineering workstation that mimicked the TIA Portal, allowing it to interact with the PLC. Such a rogue workstation can be set up by an attacker who has access to the targeted organization’s network and the PLC.


The experts have demonstrated that a rogue engineering workstation can send commands to an S7 ..