Detecting Rogue Attacks Against S7 Simatic PLCs

Siemens Vulnerability Disclosure

Security researchers have successfully built a "rogue" TIA engineering station, giving them the ability to control Siemens S7-1500 Programmable Logic Controllers (PLCs). As presented today in a talk at BlackHat, the researchers managed to bypass the cryptographic mechanism in the newest generation of Siemens PLCs and perform engineering commands on the device. This capability allows an attacker to change the state of the PLC, its configuration, and, most importantly, the logic it executes, without any indication to the engineer.

Technical Background

Siemens’ new S7-1200/1500 models have changed the protocol used by the PLC. In the old models, S7-300/400, communication was based on a proprietary protocol called S7comm. S7comm became very popular following the Stuxnet release and consequently became partly open; many tools today are able to dissect its traffic.

In the latest models, S7-1200/1500, Siemens developed a new protocol that enables integrity validation of the packets to protect against replay attacks. In addition, Siemens has provided encryption mechanisms to protect the configuration exchange (upload/download), encrypting the compiled code used by the PLC.

Configuration Download Process

The process for changing the configuration of the PLC comprises several steps. First, the engineer writes the logic as a Ladder Diagram or Structured Text. The code is then compiled by the engineering station. Next, the TIA software encrypts the compiled code using a specific key provided by the PLC. The encrypted compiled binary is then downloaded alongside the original clear-text code. Finally, the PLC decrypts the binary code and executes it.

The flow described above has an inherent flaw: the clear-text code is downloaded separately from the compiled binary. The code presented to the engineer in the TIA software is the clear-text one, so it does not necessarily match the compiled code that is actually executed. As a result, an attacker can alter the compiled binary code sent to the PLC without changing the original clear-text code. The attacker can therefore alter the real-time code running on the PLC without the engineer having any ability to detect that a change was made, rendering them blind and defenseless.

Claroty CTD Detection

Claroty CTD has supported the new generation S7CommPlus protocol since its early versions. This support allows CTD to monitor any communication over the S7CommPlus protocol and, by passively monitoring the communication on the wire, detect any engineering actions being performed. In addition, CTD is able to analyze any configuration changes and extract the clear-text code, as well as the encrypted binary code that is downloaded to a PLC.

Based on this, CTD is able to track the configuration being done on a specific PLC, compare subsequent configuration changes, and detect whether the logic of a specific function block was changed. As can be seen in the image below, even though the code is encrypted, any legitimate configuration change also involves a change in the clear-text code and the configuration meta-data.

Siemens Blog - 2

Based on CTD’s in-depth knowledge of the S7CommPlus protocol and the Siemens configuration download flow, CTD code analysis is able to verify a configuration change and validate that both the binary and clear-text parts were changed coherently. In the case of a malicious change, such as the attack described in the BlackHat talk that only changed the binary code, CTD can specifically detect that the configuration was changed in a suspicious way.
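
The coherence check described above, reduced to its core, as an added example (not Claroty's implementation and not part of the original post). It assumes a protocol dissector has already extracted each function block's clear-text code, meta-data and encrypted binary from a download; the record layout, names and sample data are hypothetical.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class BlockDownload:
    # Hypothetical record produced by a protocol dissector; field names are assumptions.
    plc: str
    block: str
    source: bytes    # clear-text code the engineer sees in TIA
    metadata: bytes  # configuration meta-data
    binary: bytes    # encrypted compiled code, compared as an opaque blob

def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class DownloadTracker:
    """Remembers the last download per (PLC, block) and classifies the next one."""
    def __init__(self):
        self._last = {}

    def observe(self, d: BlockDownload) -> str:
        key = (d.plc, d.block)
        now = (_h(d.source), _h(d.metadata), _h(d.binary))
        prev = self._last.get(key)
        self._last[key] = now
        if prev is None:
            return "baseline"
        text_changed = prev[:2] != now[:2]
        binary_changed = prev[2] != now[2]
        if binary_changed and not text_changed:
            return "binary-only"   # the incoherent change described above: alert
        if text_changed and not binary_changed:
            return "text-only"     # not the case on this page; left for analyst review
        return "coherent" if binary_changed else "unchanged"

def demo():
    # Constructed sample data, not real PLC traffic.
    tracker = DownloadTracker()
    v1 = b"IF level > 80 THEN pump := TRUE; END_IF;"
    v2 = v1.replace(b"80", b"75")
    downloads = [
        BlockDownload("plc-1", "FB1", v1, b"rev=1", b"\x10\x22\x31"),
        BlockDownload("plc-1", "FB1", v2, b"rev=2", b"\x7a\x01\x44"),  # legitimate edit
        BlockDownload("plc-1", "FB1", v2, b"rev=2", b"\x7a\x01\x44"),  # re-download
        BlockDownload("plc-1", "FB1", v2, b"rev=2", b"\xde\xad\x00"),  # binary swapped
    ]
    return [tracker.observe(d) for d in downloads]

if __name__ == "__main__":
    print(demo())
```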
