LAS VEGAS – BLACK HAT 2022 – A team of researchers from the Technion research university in Israel is conducting an analysis of Siemens software controllers and they are gradually identifying security issues.
The researchers have analyzed a PC-based programmable logic controller (PLC) — or SoftPLC — from Siemens. The SIMATIC S7-1500 software controller runs on the ET200SP open controller, combining the security of a PLC with the flexibility of an industrial PC, according to the vendor.
Technion’s investigation showed that the controller is powered by an Intel Atom CPU and it runs a hypervisor that controls two virtual machines (VMs) with Windows and Adonis Linux, which the vendor calls SWCPU. The Adonis kernel runs the PLC logic and functions.
The SWCPU is encrypted and is decrypted by the hypervisor during the PLC boot process. However, the researchers found that the boot process is not secure, allowing an attacker to read and modify the filesystem, including hypervisor binaries and the encrypted SWCPU. Next, the researchers discovered that the SWCPU can be decrypted using a hardcoded key.
Siemens confirmed to the researchers that it is possible to decrypt the firmware using a hardcoded key. The company has argued that the role of the encryption is to protect its intellectual property.
“Customer installations are not directly impacted by this research. However, Siemens recommends that customers continuously monitor the Siemens security advisories and install latest available patches. Further, Siemens strongly recommends that customers implement the defense-in-depth approach for plant operations and configure their environments according to Siemens’ operational guidelines for Industrial Security,” Siemens told SecurityWeek in an emailed statement.
Learn more about vulnerabilities in industrial systems at
Sara Bitan, researcher at Technion and CEO and co-founder of cybersecurity firm CyCloak, talked to SecurityWeek ahead of the Black Hat conference that took place this week in Las Vegas, where the Technion team disclosed some of its findings. The researcher believes their work is important, as it paves the way for future research, and the firmware hacking in itself could have security implications.
“The plaintext firmware can be reverse engineered. We observed that the firmware includes standard C run time libraries, and various open-source libraries (e.g. openssl). The update frequency of the firmware is low, exposing it to known vulnerabilities. Moreover, we found out — and Siemens confirmed — that the open controller shares 99% of software with S7-1500, i.e. the firmware decryption exposes the whole Simatic S7-1500 product line to attacks exploiting known vulnerabilities,” she explained.
In addition, the research is ongoing and the experts claim to have already identified a way for a malicious actor who takes control of the Windows VM in the S7-1515SP PC2 to persistently replace the Siemens PLC firmware with their own rogue firmware. The full details of this vulnerability have not been disclosed at Black Hat as it’s not part of the initial research. Siemens was recently notified but, based on its response, it has yet to fully assess the issue.
“An attacker gaining local admin permissions on the Windows VM (whether through local or remote exploitation) can modify/replace the file containing the PLC firmware with his own malicious firmware, correctly encoded, and the open controller will automatically run it after reboot,” Bitan explained.
“The attacker can use the malicious firmware to completely take over the PLC, and run his own control program (like what Stuxnet has done). The customer is fully responsible for the Windows machine, including updates, hardening etc. It is designed to be used by engineers as a development environment, and it is the one communicating with the external world (except the field devices). Hence its attack surface is large, and respectively also the probability of malicious takeover by an attacker,” the researcher added.