Claroty Detecting Rogue Attacks Against S7 Simatic PLCs

Our partners Claroty have been swift to respond to a weakness recently discovered in Siemens S7 PLCs used to run industrial processes.

The vulnerability, presented at Black Hat on 8 August this year, was discovered by security researchers and allowed them to bypass the cryptographic mechanism in the newest generation of Siemens PLCs and perform engineering commands on the device.

This capability allows an attacker to change the state of the PLC and its configuration and, most importantly, to change the logic it executes without any indication to the engineer.

The researchers were able to take control of the PLC by secretly downloading rogue command logic to the S7 PLC. They hid the rogue code so that a process engineer could not see it: if an engineer were to check the code, they would see only the legitimate PLC source code, unaware of the malicious code running in the background and issuing rogue commands to the PLC.

Claroty's response

Claroty have confirmed that their Continuous Threat Detection (CTD) will detect these changes and provide a comparison of code, thus exposing this threat. Even though the code is encrypted, any legitimate configuration change also involves a change in the clear-text code and the configuration metadata.

Based on CTD’s in-depth knowledge of the S7CommPlus protocol and the Siemens configuration download flow, CTD code analysis is able to verify a configuration change and validate that both the binary and clear-text parts were changed coherently.

In the case of a malicious change, such as the attack described above, which changed only the binary code, CTD can specifically detect that the configuration was changed in a suspicious way.
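The coherence check described in the two paragraphs above, written out as an added example that is not Claroty's or Siemens' code: it replays a sequence of download records and flags any download whose compiled binary changed while the clear-text code and configuration metadata stayed the same. The record shape, field names and sample values are assumptions constructed for the example; the S7CommPlus parsing that would produce such records from traffic is not shown.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DownloadEvent:
    """One observed configuration download to a PLC (constructed record)."""
    plc: str
    binary: bytes    # compiled block bytes the PLC will execute
    source: str      # clear-text code the engineering tool shows
    metadata: tuple  # sorted (key, value) configuration metadata pairs

def classify_change(prev, cur):
    """Verdict for download cur relative to the last known state prev."""
    bin_changed = prev.binary != cur.binary
    src_changed = prev.source != cur.source
    meta_changed = prev.metadata != cur.metadata
    if not (bin_changed or src_changed or meta_changed):
        return "no_change"
    if bin_changed and not (src_changed or meta_changed):
        # Executable code changed but nothing an engineer would see did:
        # the pattern of the hidden-logic attack described above.
        return "suspicious_binary_only"
    if not bin_changed:
        # Clear-text or metadata edited but compiled code identical.
        return "suspicious_cleartext_only"
    return "coherent"

def audit(events):
    """Replay downloads in order, per PLC; return (plc, index, verdict) for
    every download that is neither a no-op nor a coherent change."""
    last, findings = {}, []
    for i, ev in enumerate(events):
        if ev.plc in last:
            verdict = classify_change(last[ev.plc], ev)
            if verdict.startswith("suspicious"):
                findings.append((ev.plc, i, verdict))
        last[ev.plc] = ev
    return findings

# Constructed sample: baseline, a legitimate edit, then a binary-only swap.
META_V1 = (("block", "OB1"), ("modified", "2019-08-01T09:00"))
META_V2 = (("block", "OB1"), ("modified", "2019-08-02T10:30"))
SAMPLE = [
    DownloadEvent("plc-01", b"\x01\x02\x03", "A := B AND C;", META_V1),
    DownloadEvent("plc-01", b"\x01\x02\x04", "A := B OR C;", META_V2),
    DownloadEvent("plc-01", b"\x09\x09\x09", "A := B OR C;", META_V2),
]

if __name__ == "__main__":
    print(audit(SAMPLE))  # [('plc-01', 2, 'suspicious_binary_only')]
```

A real deployment would compare stored fingerprints of each part rather than the raw blobs, but the decision logic is the same: only a download that changes the binary and the engineer-visible parts together counts as a coherent configuration change.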

If you have any concerns about the vulnerability of your industrial control systems or PLCs, get in touch with us to hear more about how Claroty can help you.

Arrange a Claroty demo