
    Investigating Current PLC Security Issues Regarding Siemens S7 Communications and TIA Portal

    5th International Symposium for ICS & SCADA Cyber Security Research 2018 (ICS-CSR 2018)

    29 - 30 August 2018, University of Hamburg, Germany.


    Henry Hui & Kieran McLaughlin



    Programmable Logic Controllers (PLCs) are the essential components in many Industrial Control Systems that control physical processes. However, in recent years the security flaws of these devices have come under scrutiny, particularly since the widely discussed Stuxnet attack. To help move the industry state of the art forward and to provide the information required to improve the security of these controllers, this work investigates potential exploits of the Siemens S7-1211C controllers and the Totally Integrated Automation (TIA) engineering software. Using WinDbg and Scapy, the anti-replay mechanism of the Siemens proprietary communication protocol, S7CommPlus, and the Profinet Discovery and Basic Configuration Protocol are found to be vulnerable. Attacks such as session stealing, phantom PLC, cross-connecting controllers and denial of S7 connections are demonstrated. The lack of authentication, and the consequent exploitation, of the S7-ACK packet, an application-layer packet of the S7CommPlus protocol, is highlighted as a key issue in this investigation.


    PDF Version of this Paper (449 KB)