On the Insecurity of PLC Systems
- Speaker: Eli Biham, Technion
- Date & Time: Tuesday 19 September 2023, 14:00 - 15:00
- Venue: Webinar & LT2, Computer Laboratory, William Gates Building.
Abstract
In a series of papers, we studied the security of Siemens PLC systems. We first showed that it is possible to fakely and stealthily download any control program into Siemens PLCs, bypassing cryptographic protections (with a variant of HMAC-SHA256 under a supposedly secret key). We could even download a fake executable unrelated to the downloaded source program, thus disabling the ability of the PLC engineers to identify the fake program even if they suspect the PLC behaviour. Following Siemens' recommendations to protect against these attacks by using passwords, we studied the password schemes and found various vulnerabilities in some versions of the PLCs. A major protection step made by Siemens was to use TLS instead of the Siemens home-grown cryptographic protection. This change seems a good practice in general, but has several weaknesses. One is the long upgrade cycle of firmware in PLCs once a vulnerability is found, which makes any standard (complex) IT software installed on the PLC a security threat. Moreover, we show that the TLS protection allows an attacker to perform new strong attacks which were not possible in the home-grown cryptographic version. Last but not least, in a recent openPLC product Siemens uses Intel processors that run the (encrypted) PLC firmware and Windows OS on different cores of the same processor, under a hypervisor. Unfortunately, nothing prevents an attacker from running his own fake version of the PLC firmware. We conclude that the whole security ecosystem and security assumptions of PLCs should be revisited: the currently existing protection schemes do not address the real threats on PLCs. In another work we proposed a framework for a cryptographic protection of PLC communications.
Series: This talk is part of the Computer Laboratory Security Seminar series.