M.Sc. Thesis

M.Sc. Student: Alon Dankner
Subject: Attacking and Securing ICS Protocols
Department: Department of Computer Science
Supervisors: Prof. Eli Biham, Dr. Sara Bitan


Industrial Control Systems (ICS), also known as Operational Technology (OT) systems, are distributed computerized systems designed to manage, monitor, and control industrial processes. They are widely used in critical infrastructures, such as power plants and water supply facilities, whose continuous and correct operation is of major importance to modern life.

Traditionally, ICS were deployed in isolated networks, disconnected from the Internet, and were therefore perceived as protected and secure from external attackers. The well-known Stuxnet malware, which successfully attacked isolated OT systems, proved otherwise and triggered major investments in OT security. As a result, Siemens, the vendor whose ICS was Stuxnet's target, was the first to introduce cryptographic protection to its ICS protocols. This thesis focuses on the Siemens ICS system, and in particular on the security of its cryptographic protocols. Siemens ICS consists of SIMATIC S7 PLCs, TIA engineering stations, SCADA HMIs, and industrial equipment.

In this research, we make two complementary contributions. On the offensive side, we present a rogue engineering station that masquerades as the TIA to the S7 PLC and sends the PLC any messages favourable to the attacker. In our attack we demonstrate downloading control logic of the attacker's choice to a remote PLC. This attack is especially powerful since it can modify the control logic of the PLC while retaining the source code that the PLC presents to the engineering station during upload. The attack may therefore be used to deceive ICS engineers into believing that the PLC performs the intended operation while in practice it is controlled by the attacker.

We also present new vulnerabilities and novel attacks against two common password-based mechanisms used by Siemens SIMATIC systems: know-how protection and CPU access protection. In one of the attacks, we deceive a PLC into believing that the attacker is the legitimate user (the one who holds the password), while the attacker is in fact intercepting a legitimate session between a legitimate TIA and another PLC that uses the same password.

On the defensive side, we propose a new secure ICS protocol, which we call K7. We propose a novel security model for industrial control systems that supports organizational-level authorization and authentication requirements, while hiding the low-level details (e.g., keys and passwords) from the users. It also makes it easy to add and remove PLCs, engineering stations, HMI devices and users, and to assign permissions to them. The core of the model is the K7 protocol. Moreover, we present the concept of device augmentation, which uses protocol converters to provide the full protection of K7 to legacy ICS devices while remaining able to communicate with new devices that natively support K7. A major advantage of the K7 ecosystem is the ability to gradually upgrade the security of the system: from a system that uses the legacy protocol, through a heterogeneous system that mixes legacy devices, augmented devices, and new devices that natively support K7, to a secure system that runs K7 only. We implemented K7 using protocol converters.