Vulnerability Analysis of S7 PLCs: Manipulating the Security Mechanism

Research output: Contribution to journalArticlepeer-review

17 Citations (Scopus)
763 Downloads (Pure)


Programmable Logic Controllers (PLCs) are the point of interaction between the cyber and physical world, and thus have been the target of previous cyber-attacks that caused physical disruption. To understand the effectiveness of state-of-the-art security mechanisms built into these devices, this paper presents an in-depth analysis performed on the Siemens PLC environment, particularly the communication protocol known as S7CommPlus. This protocol enables communication between Siemens endpoints such as TIA Portal (the engineering software from the vendor), and PLCs like the S7-1211C, which has been used for experiments in the work. The analysis utilises the tools WinDbg and Scapy. The anti-replay mechanism, used in the protocol is investigated, including the identification of specific bytes necessary to craft valid network packets. Novel exploits, including the manipulation of cryptographic keys, are identified based on experimental analysis. Subsequently, exploits are demonstrated that enable the stealing of an existing communication session, denying the ability of an engineer to configure a PLC, making unauthorised changes to PLC states, and other potential violations of integrity and availability. The problems that lead to these exploits are also discussed and a number of potential mitigation strategies are proposed.
Original languageEnglish
Article number100470
JournalInternational Journal of Critical Infrastructure Protection
Early online date22 Sept 2021
Publication statusPublished - Dec 2021


Dive into the research topics of 'Vulnerability Analysis of S7 PLCs: Manipulating the Security Mechanism'. Together they form a unique fingerprint.

Cite this