IDEAS home Printed from https://ideas.repec.org/a/eee/ijocip/v35y2021ics1874548221000573.html
   My bibliography  Save this article

Vulnerability analysis of S7 PLCs: Manipulating the security mechanism

Author

Listed:
  • Hui, Henry
  • McLaughlin, Kieran
  • Sezer, Sakir

Abstract

Programmable Logic Controllers (PLCs) are the point of interaction between the cyber and physical world, and thus have been the target of previous cyber-attacks that caused physical disruption. To understand the effectiveness of state-of-the-art security mechanisms built into these devices, this paper presents an in-depth analysis performed on the Siemens PLC environment, particularly the communication protocol known as S7CommPlus. This protocol enables communication between Siemens endpoints such as TIA Portal (the engineering software from the vendor), and PLCs like the S7–1211C, which has been used for experiments in the work. The analysis utilises the tools WinDbg and Scapy. The anti-replay mechanism, used in the protocol is investigated, including the identification of specific bytes necessary to craft valid network packets. Novel exploits, including the manipulation of cryptographic keys, are identified based on experimental analysis. Subsequently, exploits are demonstrated that enable the stealing of an existing communication session, denying the ability of an engineer to configure a PLC, making unauthorised changes to PLC states, and other potential violations of integrity and availability. The problems that lead to these exploits are also discussed and a number of potential mitigation strategies are proposed.

Suggested Citation

  • Hui, Henry & McLaughlin, Kieran & Sezer, Sakir, 2021. "Vulnerability analysis of S7 PLCs: Manipulating the security mechanism," International Journal of Critical Infrastructure Protection, Elsevier, vol. 35(C).
    • Handle: RePEc:eee:ijocip:v:35:y:2021:i:c:s1874548221000573
    DOI: 10.1016/j.ijcip.2021.100470
    as

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S1874548221000573
    Download Restriction: Full text for ScienceDirect subscribers only
    File URL: https://libkey.io/10.1016/j.ijcip.2021.100470?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Ghaleb, Asem & Zhioua, Sami & Almulhem, Ahmad, 2018. "On PLC network security," International Journal of Critical Infrastructure Protection, Elsevier, vol. 22(C), pages 62-69.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Robles-Durazno, Andres & Moradpoor, Naghmeh & McWhinnie, James & Russell, Gordon & Maneru-Marin, Inaki, 2019. "PLC memory attack detection and response in a clean water supply system," International Journal of Critical Infrastructure Protection, Elsevier, vol. 26(C).
    2. Luiz Fernando Ribas Monteiro & Yuri R. Rodrigues & A. C. Zambroni de Souza, 2023. "Cybersecurity in Cyber–Physical Power Systems," Energies, MDPI, vol. 16(12), pages 1-34, June.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:eee:ijocip:v:35:y:2021:i:c:s1874548221000573. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Catherine Liu (email available below). General contact details of provider: https://www.journals.elsevier.com/international-journal-of-critical-infrastructure-protection .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.