Researchers from the Technion–Israel Institute of Technology and Tel Aviv University, in collaboration with the Israel National Cyber Directorate, have managed to take control of a Siemens programmable logic controller (PLC), which is considered to be one of the safest controllers in the world. They will present the attack at the Black Hat Conference in Las Vegas this morning (August 8).
A version of the team’s research paper was sent in advance to Siemens so that it could fix the vulnerabilities found.
The attack was led by Professor Eli Biham, the head of the Hiroshi Fujiwara Cyber Security Research Center at the Technion and Dr. Sara Bitan, from the Technion’s Faculty of Computer Science, and Professor Avishai Wool of the School of Electrical Engineering at Tel Aviv University, together with the students Aviad Carmel, Alon Dankner and Uriel Malin.
As part of the attack, the researchers analyzed and identified the code elements of Siemens' proprietary cryptographic protocol and, on the basis of that analysis, built a fake engineering station as an alternative to Siemens' official one. The fake engineering station was able to command the controller at the attackers' will: they could turn the controller on and off, download rogue command logic of their choosing, and change both the operating code and the source code. They also succeeded in creating a situation in which the engineer operating the controller did not recognize their "hostile intervention."
The research leading to the attack focused on Siemens S7 Simatic systems, a series of programmable logic controllers. PLCs are currently used in a wide spectrum of operations, including critical infrastructure such as power stations, water pumps, building controls, production lines, lighting systems, vehicles, aircraft, automatic irrigation, and smart homes. Their main goal is automatic process control that responds optimally to environmental conditions and changes. The controllers receive instructions from a computer and, on the operator's behalf, drive the relevant field equipment: sensors, motors, traffic lights, and more.
The new generations of the Simatic S7 family are considered safer and more protected than their predecessors, mainly due to improvements in the quality of encryption. Therefore, attacks on them constitute a complex challenge that requires extensive knowledge in various fields.
Since Siemens does not publish the protocol of operation of the controllers, the researchers recreated the protocol through reverse-engineering. According to Prof. Wool, this part of “detective work” took many months.
After the protocol was reconstructed, the researchers went on to map the controller's security and encryption mechanisms and to detect weaknesses in them. In doing so, they were able to derive the keys shared with the controller and, using those keys, impersonate a legitimate engineering station from the controller's point of view.
All this allowed them to load malware onto the controller despite the cryptographic security built into the systems. According to Prof. Biham, "this was a complex challenge because of the improvements that Siemens introduced in newer versions of Simatic controllers. Our success is linked to our vast experience in the study of controllers and their security and in combination with our in-depth knowledge in several areas – systems understanding, reverse engineering capabilities, communications protocol analysis, and cryptographic analysis."
Dr. Bitan noted that the attack underscores the need for investment by both manufacturers and customers in securing industrial control systems. According to her, the attack shows that securing industrial control systems is a more difficult and challenging task than securing information systems.
Mr. Malin and Dr. Bitan will present the research at Black Hat in Las Vegas, from 11:00–11:50 a.m. on Thursday, August 8.
For more than a century, the Technion–Israel Institute of Technology has pioneered in science and technology education and delivered world-changing impact. Proudly a global university, the Technion has long leveraged boundary-crossing collaborations to advance breakthrough research and technologies. Now with a presence in three countries, the Technion will prepare the next generation of global innovators. Technion people, ideas, and inventions make immeasurable contributions to the world, innovating in fields from cancer research and sustainable energy to quantum computing and computer science to do good around the world.
The American Technion Society supports visionary education and world-changing impact through the Technion–Israel Institute of Technology. Based in New York City, we represent thousands of US donors, alumni, and stakeholders who invest in the Technion’s growth and innovation to advance critical research and technologies that serve the State of Israel and the global good. Over more than 75 years, our nationwide supporter network has funded new Technion scholarships, research, labs, and facilities that have helped deliver world-changing contributions and extend Technion education to campuses in three countries.