1、#BHUSA BlackHatEventsNope,S7ill Not Secure:Stealing Private Keys From S7 PLCsNadav Adir,Eli Biham,Sara Bitan,Alon Dankner,Ron Freudenthal,Or KeretTechnion#BHUSA BlackHatEventsTLS 1.3 Iron clad armorStuxnet#BHUSA BlackHatEventsCyber-Physical Systems PLCs are the core of cyber-physical systems Ensure
2、seamless operation of essential services,including Electricity grids Transportation control systems and more Industry 4.0 transforms CPS Transition from isolated air-gapped systems tocloud-connected environment#BHUSA BlackHatEventsWho are we?Alon DanknerNadav AdirB.Sc.GraduateTechnionSecurity Resear
3、cherTechnionSecurity ResearcherNokod SecurityTechnion Cyber Lab has a plentiful history of exposing vulnerabilities in Siemens PLCs#BHUSA BlackHatEventsThe PLCs Structure and InterfacesPLCControl Program ExecutionS7 ProtocolS7 ProtocolWinCCStep7S7-1500TIA PortalThe AttackerThe OperatorThe Asset Owne
4、rThe EngineerEditionHMI SCADAEngineering Station#BHUSA BlackHatEventsS7CommPlus Protocol S7 is a proprietary protocol Designed to control and monitor the PLCs Examples:program download,PLC configuration,and read/write to PLC variables Uses TLS 1.3 for secure communicationClientPLC#BHUSA BlackHatEven
5、tsThe Evolution of the S7 ProtocolUnencrypted ProtocolSelf-Developed Cryptographic ProtocolStandard Protocol but Improperly ImplementedWe are hereStuxnet(Anonymous)2010Rogue7:Rogue Engineering-Station attacks on S7 Simatic PLCs(Biham et al.)2019The Race to Native Code Execution in PLCs(Keren)2021#BH
6、USA BlackHatEventsResearch Objective Compare the version of S7 protected by TLS to the version protected by the self-developed protocol Is it resilient to attack that the previous version was susceptible to?Is it susceptible to attacks that the previous version was immune to?Threat model:The attacke