For Publishers
DiscoveryMetadataPeer reviewHostingPublishing
For Researchers
JoinPublishReviewCollect
Register
Blog
About
Search
Advanced search
My ScienceOpen
Search
For Publishers
For Researchers
Blog
About
6,592
views
15
references
 Top references
cited by
2
    
0 reviews
 Review
0
comments
 Comment
0
recommends
+1 Recommend
1 collections
    4
    shares
      34
      similar
       All similar

      UK Computing Summit 2025: Navigating change (surviving and beyond) - 29-30 April @ Sheffield Hallam University - Register here.

      scite_
       
      • Record: found
      • Abstract: found
      • Conference Proceedings: found
      Is Open Access

      Investigating Current PLC Security Issues Regarding Siemens S7 Communications and TIA Portal

      Published
      proceedings-article
      Author(s): 1 , 1
      Publication date (Print):
      Conference name: 5th International Symposium for ICS & SCADA Cyber Security Research 2018 (ICS-CSR 2018)
      Conference theme: ICS & SCADA Cyber Security Research
      Conference date: 29 - 30 August 2018
      Keywords: Programmable Logic Controllers, PLC, cyber security

            Abstract

            Programmable Logic Controllers (PLCs) are the essential components in many Industrial Control Systems that control physical processes. However, in recent years the security flaws of these devices have come under scrutiny, particularly since the widely discussed Stuxnet attack. To help the industry state-of-the-art to move forward and to provide information required to improve the security for these controllers, this work investigates potential exploits of the Siemens S7-1211C controllers and the Totally Integrated Automation (TIA) engineering software. Using Windbg and Scapy, the anti-replay mechanism of the Siemens proprietary communication protocol, S7CommPlus, and the Profinet Discovery and Basic Configuration Protocol are found to be vulnerable. Attacks like session stealing, phantom PLC, cross connecting controllers and denial of S7 connections are demonstrated. The lack of authentication and consequent exploitation of the S7-ACK packet, an application layer packet for the S7CommPlus protocol, is highlighted as a key issue in this investigation.

            Content

            Author and article information

            Contributors
            Henry Hui
            Kieran McLaughlin
            Conference
            Publication date: August 2018
            Publication date (Print): August 2018
            Pages: 67-73
            Affiliations
            [1 ]Centre for Secure Information Technologies (CSIT), Queen’s University Belfast
            Article
            DOI: 10.14236/ewic/ICS2018.8
            SO-VID: 26c45b9d-4e5a-45f6-be8a-5cd5dfc29b72
            Copyright © © Hui et al. Published by BCS Learning and Development Ltd. Proceedings of ICS & SCADA 2018
            License:

            This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

            Conference name: 5th International Symposium for ICS & SCADA Cyber Security Research 2018
            Conference acronym: ICS-CSR 2018
            Conference number: 5
            Conference location: University of Hamburg, Germany
            Conference date: 29 - 30 August 2018
            Conference sponsor: Electronic Workshops in Computing (eWiC)
            Conference theme: ICS & SCADA Cyber Security Research
            History
            Product

            1477-9358 BCS Learning & Development

            Self URI (article page): https://www.scienceopen.com/hosted-document?doi=10.14236/ewic/ICS2018.8
            Self URI (journal page): https://ewic.bcs.org/
            Categories
            Series title: Electronic Workshops in Computing

            ScienceOpen disciplines: Applied computer science,Computer science,Security & Cryptology,Graphics & Multimedia design,General computer science,Human-computer-interaction
            Keywords: cyber security,PLC,Programmable Logic Controllers

            REFERENCES

            1. 2017 ‘The spear to break the security wall of S7CommPlus’ Defcon 25 Available at: http://media.defcon.org/DEFCON25/DEFCON25presentations/ChengLei/DEFCON-25-Cheng-Lei-The-Spear-to-Break-the-Security-Wall-of-S7CommPlus-WP.pdf

            2. 2017 ‘From System Specification to Anomaly Detection (and back)’ Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy - CPS ’17 New York, New York, USA ACM Press 13 24 10.1145/3140241.3140250

            3. Industry Support Siemens 2013 Announcement: Product Phase-Out for SIMATIC S7-200 - ID: 67598674 Available at: https://support.industry.siemens.com/cs/document/67598674/announcement%3A-product-phase-out-for-simatic-s7-200?dti=0&lc=en-WW 19 March 2018

            4. Information Technology Laboratory 2018 CVE-2017-12741, National Vulnerability Database Available at: https://nvd.nist.gov/vuln/detail/CVE-2017-12741

            5. International Electrotechnical Commission 2013 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages, International Standard Available at: https://webstore.iec.ch/publication/4552 5 February 2018

            6. 2016 ‘SENAMI: Selective Non-Invasive Active Monitoring for ICS Intrusion Detection’ Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy - CPS-SPC ’16 New York, New York, USA ACM Press 23 34 10.1145/2994487.2994496

            7. 2015 ‘Internet-facing PLCs as a network backdoor’ 2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015 524 532 10.1109/CNS.2015.7346865

            8. 2017 ‘Anomaly-Based Detection and Classification of Attacks in Cyber-Physical Systems’ Proceedings of the 12th International Conference on Availability, Reliability and Security - ARES ’17 New York, New York, USA ACM Press 1 6 10.1145/3098954.3103155

            9. 2017 ‘Attack Induced Common-Mode Failures on PLC-Based Safety System in a Nuclear Power Plant: Practical Experience Report’ 2017 IEEE 22nd Pacific Rim International Symposium on Dependable Computing (PRDC) IEEE 205 210 10.1109/PRDC.2017.34

            10. 2017 ‘A technique for bytecode decompilation of PLC program’ 2017 IEEE 2nd Advanced Information Technology, Electronic and Automation Control Conference (IAEAC) IEEE 252 257 10.1109/IAEAC.2017.8054016

            11. 2013 ‘PLC security and critical infrastructure protection’ 2013 IEEE 8th International Conference on Industrial and Information Systems IEEE 81 85. doi: 10.1109/ICIInfS.2013.6731959.

            12. 2016 ‘PLC-Blaster: A Worm Living Solely in the PLC’ Black Hat USA 2016 Available at: http://www.blackhat.com/docs/us-16/materials/us-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLCwp.pdf

            13. 2016 ‘PLC access control: a security analysis’ 2016 World Congress on Industrial Control Systems Security (WCICSS) IEEE 1 6 10.1109/WCICSS.2016.7882935

            Comments

            Comment on this article