Programmable logic controllers (PLCs) are used in many aspects of everyday life, controlling systems such as transportation services, factories, power stations, smart buildings, traffic lights, and more. Because these systems drive automatic responses to changing physical conditions in infrastructure that people rely on daily, protecting them from attackers with malicious intent is of the utmost importance.

Siemens, a multinational industrial manufacturer, is widely regarded in the industry as having strong security measures in place for its controller firmware. Nevertheless, a team of researchers from the Technion's Henry and Marilyn Taub Faculty of Computer Science recently found a way to break into the firmware of one of Siemens' PLCs. Through this research, which was carried out for the purpose of learning, the team was able to identify weaknesses in the way the firmware is protected. They reported their findings to Siemens so that the company can update its security measures and better protect these controllers against future attacks.

The Technion researchers decrypted the firmware of the ET200 SP Open Controller, CPU 1515sp, from Siemens' Simatic S7 series. This controller represents a new approach to controller design, based on the integration of a standard operating system. The S7 PLC series is intended to be especially innovative and secure thanks to built-in cryptographic mechanisms, so the researchers' success in decrypting its firmware highlights the need for even stronger protections.

Decrypting the firmware allowed the researchers to study the software's characteristics first-hand, which in turn will allow them to find gaps in the defense mechanisms of the S7 and other PLCs in the series.

The project was led by Professor Eli Biham, head of the Technion Hiroshi Fujiwara Cyber Security Research Center, and Dr. Sara Bitan, together with master's students Maxim Barsky, Alon Dankner, and Idan Raz. Dr. Bitan and Alon Dankner presented their findings at the Black Hat USA security conference in Las Vegas on August 10.