A Decade After Stuxnet: How Siemens S7 is Still an Attacker's Heaven

Industrial Control Systems have long evolved from specialized electronics communicating over proprietary bus systems to fully-fledged embedded computers based on commodity Ethernet connections. The Stuxnet computer worm of 2010 demonstrated to the general public that this development makes Industrial Control Systems susceptible to cyberattacks with physical consequences. Siemens as the vendor of the affected Programmable Logic Controllers (PLCs) has released multiple new products since then, which double down on Ethernet connectivity in company networks and are expected to conform to higher security standards.

Tom Dohrmann and I have been researching Siemens PLCs at ENLYZE for the past 5 years and presented some of our findings at last year’s Black Hat Europe 2023. A few weeks ago, the recording was released to the general public, so we can now finally write about it.

In our presentation, we reverse-engineer the Siemens S7-1500 Software Controller PLC up to the communication protocol and show where it violates fundamental security principles. We show that substantial effort has been put into obfuscating the communication and modifying established cryptographic primitives without increasing the effective security level.

Along the way, we have released a few tools to help with reverse-engineering that particular PLC firmware. Unlike previous publications on this topic, we put an emphasis on providing sufficient details to enable other people to reproduce our research and build upon it. To that end, the S7-1500 Software Controller has been chosen, because it resembles the widespread S7-1500 hardware PLC series while being a software-only PLC, making it very accessible to the broader research community.

Without further ado, here is the recording of our presentation:

We have also published a 20-page whitepaper including the technical details and a PDF of our presentation slides:

We would again like to thank Alexander Gladis, Manuel ‘HonkHase’ Atug, the German Federal Office for Information Security (BSI), and Siemens for reviewing our whitepaper and providing valuable feedback, especially on the legal and ethical considerations of our work.

We expected backlash from Siemens, but, surprisingly, the people at Siemens ProductCERT were very welcoming and provided constructive and helpful feedback along the way. We even made it to their Hall of Thanks :)

It’s still too early to say that the automation industry has changed. But some companies are definitely on the right track towards openness, and that is the only way we can ever improve the state of PLC security.