The access level option on Siemens PLCs
PLAN TO EXECUTE NATIVE CODE IN PLCS
Introduction to PLCs
Most advanced attackers do not achieve native code execution on industrial control systems such as programmable logic controllers (PLCs).
Siemens PLCs have more features and a rugged body, and their instruction set is easy to use and flexible.
PLC inputs can be digital or analog signals, for example limit switches, analog readings from process sensors (such as temperature and pressure), and other, more complex data.
PLC outputs can include audio-visual indicators, lamps, sirens, motors, relays, solenoids, analog outputs, and pneumatic or hydraulic cylinders.
The most common programming language is Ladder Diagram (LD).
PLCs store data either in RAM or in some form of non-volatile memory. Replacing a bunch of relays with a single PLC is easy. There is no silver bullet when it comes to PLC alternatives.
The Siemens system has a huge product base, tens of thousands of available programmers, and a variety of hardware for many different situations.
For any particular project, you would need to do a detailed evaluation of the suitability of the hardware and the costs of purchase, development environment, and training. Both of them carry a long legacy of backward compatibility and there is a case for picking something new and novel and cheap if that suits your project.
You won’t get a good enough answer with this sort of question – just anecdote, prejudice, and similar low-value stuff. We can’t help you if we don’t know the application, timescales, and budgets. You don’t say if your choice of two is the result of a selection process already embarked upon. You need to establish your needs and do the hard work yourself.
Personally, I’d be looking at the available staff who will be doing the programming, and factoring in their existing experience quite hard.
PLCs can be classified into two broad categories:
PLCs are the backbone of the automation revolution: a robust controller that is easy to use and program compared with other controllers such as the 8051 and PIC, and highly flexible in terms of I/O. All credit goes to Richard Morley, who invented this awesome device.
As a result, an attacker cannot both execute the code of their choice and remain undetected. Claroty and Siemens have a long-term partnership that encourages close collaboration between our research team and suppliers. Given the critical nature of this vulnerability, Siemens and Claroty urge users to apply the patches to S7-1200 and S7-1500 CPUs as well as to the other affected products.
According to attackers, achieving unrestricted and undetected code execution is the holy grail of PLC vulnerability research.
Considering Siemens’ position as a market leader, we have seen numerous attempts to achieve this capability in Siemens PLCs in recent years. Stuxnet was our first experience with user-level code execution on SIMATIC S7-300s and S7-400s.
By manipulating WinCC binaries on the local engineering station, Stuxnet was able to hide its code change in the PLC. As a result, the malware was able not only to hide inside the PLC but also to prevent WinCC from reading the infected memory blocks.
Microsoft Windows updates and Siemens software updates resolved the issue, as documented in SSA-110665 and SSA-027884.
Rogue7 followed. The Rogue7 researchers built a rogue engineering station that can impersonate TIA Portal and inject messages to their benefit.
The TIA engineers understood cryptographic messages. According to SSA-232418, Siemens has partially resolved and mitigated this issue.
In the same year, Tobias Scharnowski and Ali Abbasi demonstrated physical attacks on the SIMATIC S7-1200 in order to execute code on the Siemens S7 PLC.
To dump the firmware, they used a physical connection to the UART, and they found an exploit chain that enabled them to hide code deeper within the system and then execute it without restriction. Siemens addressed this in SSA-686531.
Taking this research a step further, we demonstrate an advanced remote attack that allows us to execute native code on Siemens S7 PLCs. We target the kernel itself and avoid detection: after leaving the user sandbox, the shellcode lands in protected memory.
Siemens PLCs are vulnerable to an exploitable vulnerability
Siemens’ programmable logic controllers (PLCs) may be vulnerable to hacking by remote and unauthenticated attackers.
The CVE-2020-15782 vulnerability allows an attacker who can reach TCP port 102 to read or write data in protected memory areas.
Siemens says the security hole affects its SIMATIC S7-1200 and S7-1500 CPUs. The German industrial giant has released firmware updates for some of the affected devices and mitigations for other products that still lack patches.
Researchers at the company have demonstrated how an attacker could bypass the protection and write shellcode directly to protected memory. They say attacks exploiting this vulnerability would be hard to detect.
Escaping the sandbox means an attacker could read and write anywhere on the PLC, and could also replace existing virtual-machine opcodes in memory with malicious code to root the device.
Claroty, for example, was able to embed ARM/MIPS shellcode directly into an internal structure of the operating system, so that when the operating system executed the specific opcode we chose, our malicious shellcode would run, giving us remote code execution. Using this method, we were able to hide some of the program's features from the operating system at kernel level.
Hackers may be able to remotely crash Siemens PLCs due to new vulnerabilities
In February, Siemens announced patches and mitigations for several serious vulnerabilities.
The German industrial giant addressed a total of 27 vulnerabilities. Some Siemens programmable logic controllers (PLCs) and related products are vulnerable to denial-of-service (DoS) attacks owing to three very serious flaws:
CVE-2021-37185, CVE-2021-37204, and CVE-2021-37205. After a successful exploit, the device must be restarted to return it to normal operation.
Taking down a PLC in a real industrial setting has significant impact and causes disruption. The affected products are:
- SIMATIC S7-1200 and S7-1500 PLCs,
- SIMATIC Drive Controllers,
- ET 200SP Open Controllers,
- SIMATIC S7-1500 Software Controllers,
- TIM 1531 IRC communication modules, as well as
- SIPLUS extreme products.
SecurityWeek reports that Gao Jian, an independent ICS security researcher whom Siemens credits with reporting the vulnerabilities, reported eight vulnerabilities to the vendor; investigation of the others is ongoing. Siemens products contain a communication protocol stack called OMS+, which he calls S7+:Crash.
You can protect Siemens PLCs against unauthorized operations by activating the access level option and setting a password.
Among Siemens PLC features, I find indirect addressing to be the best option. Variables in Siemens can be identified by either a name or an address.
Documentation for every device and concept is available from Siemens. Even for a rookie programmer, learning Siemens PLCs is not that difficult.
Siemens PLCs have an option called multi-instance calling, which reduces the overall size and complexity of an application.
Bit and word addresses can overlap in Siemens PLCs (the developer has to be really careful, though, as this can lead to bugs). This reduces the size of the application.
Communication with slave devices is relatively easy in Siemens. A wide range of communication protocols is supported, such as PROFINET (a variant of industrial Ethernet), PROFIBUS, Modbus, USS, MPI, and RS-232.
Process diagnostics and alarm generation options are present in Siemens PLCs, and on-site troubleshooting is relatively easy.
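To make the overlapping-address bug above concrete, here is an added example (not Siemens code or code from this page): a toy model of the S7 bit-memory (M) area in which M10.3 and MW10 share byte 10, so an unrelated word write silently clears the flag bit. The class name and the 64-byte size are assumptions for illustration.

```python
# Added example (not Siemens code): a toy model of the S7 bit-memory (M) area
# showing how a bit address and a word address can occupy the same bytes.
import re

class MemoryArea:
    """Byte-addressed M area; words and dwords are big-endian as on S7 CPUs."""
    _PAT = re.compile(r"^M(?P<width>[BWD]?)(?P<byte>\d+)(?:\.(?P<bit>[0-7]))?$")

    def __init__(self, size=64):
        self.mem = bytearray(size)

    def _parse(self, addr):
        """Return ('bit', byte, bitno) or ('int', byte, width_in_bytes)."""
        m = self._PAT.match(addr)
        if not m:
            raise ValueError(f"bad address {addr!r}")
        width, byte, bit = m["width"], int(m["byte"]), m["bit"]
        if bit is not None:
            if width:
                raise ValueError(f"{addr}: bit addresses carry no B/W/D width")
            return ("bit", byte, int(bit))
        if not width:
            raise ValueError(f"{addr}: byte address needs B/W/D or a .bit")
        return ("int", byte, {"B": 1, "W": 2, "D": 4}[width])

    def footprint(self, addr):
        """Set of byte offsets an address occupies (bit 0 is the byte's LSB)."""
        kind, byte, x = self._parse(addr)
        return set(range(byte, byte + (1 if kind == "bit" else x)))

    def overlaps(self, a, b):
        """True when two addresses share at least one byte of the M area."""
        return bool(self.footprint(a) & self.footprint(b))

    def read(self, addr):
        kind, byte, x = self._parse(addr)
        if kind == "bit":
            return bool(self.mem[byte] >> x & 1)
        return int.from_bytes(self.mem[byte:byte + x], "big")

    def write(self, addr, value):
        kind, byte, x = self._parse(addr)
        if kind == "bit":
            mask = 1 << x
            self.mem[byte] = (self.mem[byte] | mask) if value else (self.mem[byte] & ~mask & 0xFF)
        else:
            self.mem[byte:byte + x] = int(value).to_bytes(x, "big")

def clobbered_flag():
    """A status flag at M10.3 is silently cleared by an unrelated write to MW10."""
    m = MemoryArea()
    m.write("M10.3", True)    # one block sets a status flag
    m.write("MW10", 0x0100)   # another block stores a counter in MW10 (bytes 10 and 11)
    return m.read("M10.3"), m.overlaps("M10.3", "MW10")
```

Running `overlaps()` over every pair of addresses a program uses is a cheap way to find such collisions before they become a TRUE-that-should-be-FALSE bug.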
What makes PLC programming confusing is that there are five different programming languages to achieve the same thing:
- Structured Text (ST)
- Instruction List (IL)
- Ladder Diagram (LD)
- Function Block Diagram (FBD)
- Sequential Function Chart (SFC)
With the exception of ST, these are quite different from normal programming languages.
Siemens is different from Allen-Bradley which is different from Schneider and so on.
Having said all of that, PLC programming is actually quite easy once you get into it. It's basically just Boolean logic and sequencing on/off bits together in a coherent fashion. A typical bug in a PLC program is a TRUE value that should have been FALSE, or vice versa.
The best way to handle PLC programming and network downtime challenges is to start by learning the basics and by planning network security access levels more carefully.
To learn one, you can get help from a trained engineer.
It is also possible to exploit a PLC over the internet if it is misconfigured.
There is currently no firewall capable of parsing the S7CommPlus_TLS protocol, which makes it very difficult to prevent attacks on SIMATIC products that use secure access and secure communication (TLS encryption).
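Since a firewall cannot inspect S7CommPlus_TLS and CVE-2020-15782 above only needs reachability of TCP port 102, the practical control is to restrict which hosts may open port 102 to a PLC and to alert on everything else. The following added example (not code from the page or from Siemens) does that over constructed firewall log lines; the subnet, the engineering-station address and the key=value log format are assumptions.

```python
# Added example (not from the page or any vendor): flag permitted TCP/102 (S7comm)
# sessions to PLCs from hosts other than the approved engineering stations.
import ipaddress
import re

S7_PORT = "102"
# Assumed site layout: PLC subnet, plant ranges, and the one approved engineering station.
PLC_NETS = [ipaddress.ip_network("10.0.1.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ENGINEERING_STATIONS = {ipaddress.ip_address("10.0.5.20")}

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
2021-06-01T10:01:02Z action=allow proto=tcp src=10.0.5.20 dst=10.0.1.7 dport=102
2021-06-01T10:02:10Z action=allow proto=tcp src=203.0.113.45 dst=10.0.1.7 dport=102
2021-06-01T10:02:11Z action=allow proto=tcp src=10.0.5.99 dst=10.0.1.7 dport=102
2021-06-01T10:03:00Z action=allow proto=tcp src=10.0.5.20 dst=10.0.1.7 dport=443
2021-06-01T10:04:00Z action=deny proto=tcp src=198.51.100.9 dst=10.0.1.7 dport=102
"""

_KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields

def _in_any(ip, nets):
    return any(ip in n for n in nets)

def unexpected_s7_access(log_text, allowlist=ENGINEERING_STATIONS):
    """Return (ts, src, dst, severity) for each permitted S7comm session that
    reached a PLC from a host which is not an approved engineering station."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "allow" or f.get("proto") != "tcp" or f.get("dport") != S7_PORT:
            continue
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if not _in_any(dst, PLC_NETS) or src in allowlist:
            continue
        # A source outside the plant ranges means port 102 is reachable from outside.
        severity = "high" if not _in_any(src, INTERNAL_NETS) else "medium"
        alerts.append((f["ts"], str(src), str(dst), severity))
    return alerts

if __name__ == "__main__":
    for alert in unexpected_s7_access(SAMPLE_LOG):
        print(*alert)
```

Denied sessions and other ports are ignored on purpose; the point is to catch port-102 access that the firewall already let through.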