Researchers find fault in secure computers
Cybersecurity researchers at Tel Aviv University and Haifa’s Technion-Israel Institute of Technology have discovered “critical vulnerabilities” in one of the world’s most secure programmable logic controllers (PLCs), an industrial digital computer used to run manufacturing processes.
Prof. Avishai Wool and Uriel Malin of Tel Aviv University partnered with Prof. Eli Biham and Dr. Sara Bitan of the Technion to disrupt and gain control of the Siemens S7 Simatic controller, the newest and most secure generation of PLCs developed by the German engineering conglomerate.
Adapted for a range of industrial automation tasks, PLCs are widely used to control machinery on assembly lines, ensure high reliability control and monitor input and output devices.
The researchers presented their findings at the Black Hat USA conference in Las Vegas last week, revealing the security weaknesses and how they reverse-engineered the proprietary cryptographic protocol in the S7.
The research was shared with Siemens in advance of the presentation, enabling the company to fix the vulnerabilities.
In order to seize control, the scientists’ rogue engineering workstation posed as a Siemens TIA (Totally Integrated Automation) Portal engineering framework to interface with the Simatic S7-1500 PLC controlling an industrial system.
“The station was able to remotely start and stop the PLC via the commandeered Siemens communications architecture, potentially wreaking havoc on an industrial process,” said Wool. “We were then able to wrest the controls from the TIA and surreptitiously download rogue command logic to the S7-1500 PLC.”
Researchers hid the malicious code so that the industrial process engineer could only identify the legitimate PLC source code, unaware of the rogue commands being issued to the PLC. Their findings, researchers added, demonstrated how sophisticated attackers can abuse the latest generation of industrial controllers, supposedly built with more secure communication protocols.
They were able to gain control despite significant resources invested by Siemens in industrial control system (ICS) security, after their PLCs controlling centrifuges at Iran’s Natanz uranium enrichment plant were damaged by a sophisticated Stuxnet virus attack in 2010.
“This was a complex challenge because of the improvements that Siemens had introduced in newer versions of Simatic controllers,” said Biham.
“Our success is linked to our vast experience in analyzing and securing controllers and integrating our in-depth knowledge into several areas: systems understanding, reverse engineering and cryptography.”