Siemens SIMATIC PLCs are widely used worldwide, including in control scenarios for critical information infrastructure such as energy, water, power, oil and gas, and manufacturing. To protect users' applications and to prevent unauthorized operation, Siemens has designed a PLC protection mechanism. This function is meant to prevent attacks from the network and to protect application programs designed for specific processes, the PID parameters of critical equipment, etc., but can it really protect your PLC perfectly from attacks or from theft of intellectual property (algorithms, engineering designs)?
This session will focus on the SIMATIC S7 PLCs, from the S7-200 up to the S7-1200/1500, and disclose in detail the design flaws in the protection mechanisms of each series. Taking these flaws as a point of attack, it will look for methods to bypass the protection policies and, finally, capture the protected PLC application programs, the core intellectual property. Of course, bypassing the protection mechanism also allows various sensitive operations to be performed: for example, an attacker can start and stop the device irregularly, causing a series of chain reactions and leading to safety incidents.
This presentation will cover:
- How to bypass the S7-200 security mechanism by disassembling and soldering the hardware, modifying flash content, and creating rogue clients;
- Disclosing the S7-200 SMART PLC password protection encryption algorithm, and capturing key information from traffic to crack the protection mechanism;
- How to find mysterious information in S7-300 project files and use it to bypass security mechanisms;
- Crafting a memory dump tool for the Windows platform, and searching for password information in the dumped memory.