A team of Israeli researchers demonstrated that it is possible to take control of Siemens Simatic S7 controllers without the operators noticing.
The team was composed of researchers from the cyber-security research centers at the Technion and Tel Aviv University and experts from the Israel National Cyber Directorate.
Among the prominent experts involved in the research are Prof. Eli Biham, head of the Cyber Security Research Center at the Technion, Dr. Sara Bitan of the Technion's Faculty of Computer Science, Prof. Avishai Wool of the School of Electrical Engineering at Tel Aviv University, and the students Aviad Carmel, Alon Dankner and Uriel Malin.
The Siemens S7 is considered one of the most secure controllers in the industry; it is used in power plants, traffic lights, water pumps, building control, production
"[The experts were able] to turn off and turn on the controller, load various control logic into it, and change the activation code and source code," reads a post published on TechTimes. "They also succeeded in creating a situation where plant operators cannot identify the 'hostile intervention' performed
The researchers reported their finding to Siemens and presented the attack technique (dubbed “Rogue7” ) at the Black Hat security conference held in Las Vegas last week.
The experts focused their study on the security of Siemens Simatic S7 industrial controllers. An S7 PLC receives its control program and commands from an engineering workstation and in turn drives field devices such as sensors and motors.
The team reverse-engineered the proprietary protocol that Siemens' TIA Portal engineering software uses to talk to the controller, then built a rogue engineering workstation that mimics TIA Portal and is accepted by the PLC, so that it can send it arbitrary commands.
In the attack scenario, attackers with access to the target organization's network and to the PLC set up such a rogue workstation and issue commands in place of the legitimate one.
The experts successfully tested their attack on a Siemens S7-1500 PLC.
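Because the rogue workstation is accepted by the PLC as if it were TIA Portal, the controller itself gives the operators nothing to notice; the practical check is therefore on the network, not on the PLC. The script below is an added example, not code from the Rogue7 paper or from Siemens: it reads a constructed connection log, assumes that engineering traffic to the PLCs runs over the standard S7 transport port TCP/102 (ISO-TSAP), and flags any session to a PLC on that port from a host that is not on the allow-list of approved engineering workstations. The IP addresses, log format and allow-lists are invented for the example.

```python
"""Flag S7 engineering sessions from hosts that are not approved workstations.

Added example for network-side detection of a rogue engineering workstation;
not part of the Rogue7 research or of any Siemens product.
"""
from dataclasses import dataclass
import ipaddress

# Assumption: S7 engineering traffic (TIA Portal <-> PLC) uses the standard
# ISO-TSAP transport on TCP port 102.
S7_PORT = 102

# Hypothetical asset inventory for the example: PLC addresses and the only
# hosts that are allowed to act as engineering workstations.
PLCS = {"10.0.5.10", "10.0.5.11"}
ENGINEERING_WORKSTATIONS = {"10.0.1.20"}

# Constructed connection-log excerpt (one line per TCP session):
#   timestamp src_ip src_port dst_ip dst_port proto state
SAMPLE_CONN_LOG = """\
2019-08-12T09:00:01 10.0.1.20 49152 10.0.5.10 102 tcp established
2019-08-12T09:00:05 10.0.1.31 50311 10.0.5.10 102 tcp established
2019-08-12T09:00:09 10.0.1.20 49160 10.0.5.11 102 tcp established
2019-08-12T09:01:13 10.0.7.77 40001 10.0.5.11 102 tcp established
2019-08-12T09:01:20 10.0.1.31 50400 10.0.5.10 443 tcp established
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    state: str


def parse_conn_log(text: str) -> list[Conn]:
    """Parse the whitespace-separated log format above; skip blanks/comments."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, state = line.split()
        # Reject malformed addresses early rather than silently mis-matching.
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        conns.append(Conn(ts, src, int(sport), dst, int(dport), proto, state))
    return conns


def find_rogue_engineering_sessions(conns, plcs=PLCS, workstations=ENGINEERING_WORKSTATIONS):
    """Return sessions to a PLC on the S7 port whose source is not an approved workstation."""
    alerts = []
    for c in conns:
        if c.proto != "tcp" or c.dport != S7_PORT or c.dst not in plcs:
            continue  # not engineering traffic to one of our PLCs
        if c.src not in workstations:
            alerts.append(c)
    return alerts


def rogue_sources(conns) -> dict[str, set[str]]:
    """Group alerts as {unapproved source -> set of PLCs it talked to}."""
    by_src: dict[str, set[str]] = {}
    for c in find_rogue_engineering_sessions(conns):
        by_src.setdefault(c.src, set()).add(c.dst)
    return by_src


if __name__ == "__main__":
    for src, plcs in rogue_sources(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"ALERT: {src} opened S7 sessions to {sorted(plcs)} but is not an approved workstation")
```

This catches the scenario the article describes, a separate rogue machine on the plant network, but not a legitimate workstation that has itself been compromised or a rogue host spoofing an approved address; for those, the allow-list needs to be combined with workstation hardening and with inspection of the engineering sessions themselves.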
Further details on the “Rogue7” attack are reported in a research paper published by the experts.
“The attack also shows that securing industrial control systems is a more difficult and challenging task than securing information systems.” explained Dr.