Researchers from the Technion–Israel Institute of Technology and Tel Aviv University, in collaboration with the Israel National Cyber Directorate, have managed to take control of a Siemens Programmable Logic Controller (PLC), considered to be one of the safest controllers of automated industrial operations in the world.
PLCs are currently used in a wide spectrum of operations that include critical infrastructures such as power stations, water pumps, building controls, production lines, lighting systems, vehicles, aircraft, automatic irrigation, and smart homes. The main goal is to make controls automatic, responding to environmental conditions and changes. The controller receives instructions from a computer and operates the relevant terminal equipment for the operator, including sensors, motors and traffic lights.
In their research, the scientists focused on Siemens S7 Simatic systems, a series of PLCs. As part of the “attack” they devised, the researchers analyzed and identified the code elements of the Siemens cryptographic protocol, and then created a fake engineering station, an alternative to the Siemens official station.
The fake engineering station was then able to command the controller according to the will of the hackers. They were able to turn the controller on and off, download rogue command logic according to their wishes, and change the operation and source codes. They also succeeded in creating a situation in which the engineer operating the controller did not recognize their “hostile intervention.”
Details of the attack will be presented on Thursday at the Black Hat Conference in Las Vegas.
The attack was led by Prof. Eli Biham, the head of the Hiroshi Fujiwara Cyber Security Research Center at the Technion and Dr. Sara Bitan, from the Technion’s Faculty of Computer Science, and Professor Avishai Wool of the School of Electrical Engineering at Tel Aviv University, together with students Aviad Carmel, Alon Dankner and Uriel Malin.
A version of the paper was sent in advance to Siemens so that it could fix the vulnerabilities found, the Technion said in an emailed statement.
“Siemens is aware of the research from Technion, Haifa and Tel-Aviv University to be presented at BlackHat USA 2019,” Siemens said in an emailed statement to The Times of Israel.
In response, the firm recommended that users of the SIMATIC S7-1200/S7-1500 controllers enable the “access protection” feature to prohibit unauthorized modifications of the devices. Siemens also recommended following and implementing the defense-in-depth approach for plant operations, and configuring the environment according to its operational guidelines for Industrial Security.
The new generation of the Simatic S7 family is considered safer and more protected than its predecessors, mainly due to improvements in the quality of encryption. Therefore, attacks on it constitute a complex challenge that requires extensive knowledge in various fields, the statement said.
Since Siemens does not publish the operating protocol of the controllers, the researchers recreated the protocol through reverse-engineering. According to Tel Aviv University’s Prof. Wool, this “detective work” phase took many months.
After the protocol was reconstructed, the researchers went on to map the security and encryption systems of the controller and detect weaknesses in these systems. They were able to derive the keys shared with the controller and, using them, impersonate a legitimate engineering station from the controller’s point of view.
The attack underscores “the need for investment by both manufacturers and customers in securing industrial control systems,” the statement said. It also shows that securing industrial control systems is a more difficult and challenging task than securing information systems.