Open AccessInvestigating Current PLC Security Issues Regarding Siemens S7 Communications and TIA Portal
Author(s) -
Henry Hui,
Kieran McLaughlin
Publication year - 2018
Publication title -
electronic workshops in computing
Language(s) - English
Resource type - Conference proceedings
ISSN - 1477-9358
DOI - 10.14236/ewic/ics2018.8
Subject(s) - siemens , computer science , embedded system , protocol stack , protocol (science) , computer security , session (web analytics) , industrial control system , scada , communications protocol , software , computer network , operating system , control (management) , engineering , medicine , alternative medicine , wireless sensor network , pathology , artificial intelligence , world wide web , electrical engineering
Programmable Logic Controllers (PLCs) are the essential components in many Industrial Control Systems that control physical processes. However, in recent years the security flaws of these devices have come under scrutiny, particularly since the widely discussed Stuxnet attack. To help the industry state-of-the-art to move forward and to provide information required to improve the security for these controllers, this work investigates potential exploits of the Siemens S7-1211C controllers and the Totally Integrated Automation (TIA) engineering software. Using Windbg and Scapy, the anti-replay mechanism of the Siemens proprietary communication protocol, S7CommPlus, and the Profinet Discovery and Basic Configuration Protocol are found to be vulnerable. Attacks like session stealing, phantom PLC, cross connecting controllers and denial of S7 connections are demonstrated. The lack of authentication and consequent exploitation of the S7-ACK packet, an application layer packet for the S7CommPlus protocol, is highlighted as a key issue in this investigation.
Accelerating Research
Robert Robinson Avenue,
Oxford Science Park, Oxford
OX4 4GP, United Kingdom
Address
John Eccles HouseRobert Robinson Avenue,
Oxford Science Park, Oxford
OX4 4GP, United Kingdom