Exploiting Siemens Simatic S7 PLCs

Dillon Beresford (right), a security researcher at NSS Labs, has already courted controversy with this topic. The talk was originally scheduled for the TakeDownCon security conference in May but was withdrawn after some bigwigs (including the Department of Homeland Security) got nervous about the pre-patch disclosure ramifications.

At Black Hat, Beresford is promising to cover newly discovered Siemens Simatic S7-1200 PLC vulnerabilities and to demonstrate how an attacker could impersonate the Siemens Step 7 PLC communication protocol using some PROFINET-FU over ISO-TSAP and take control.

Beresford is a brand-name security researcher in the SCADA world. Earlier this year, he developed an exploit for one of the most popular high performance production SCADA/HMI software applications in China which is widely used in power, water conservancy, coal mine, environmental protection, defense and aerospace.

Because security holes in Siemens’ PLCs played a key role in the success of the mysterious Stuxnet worm, Beresfords’s Black Hat disclosures is sure to raise eyebrows.