The presentation discusses a rogue engineering station attack on S7-1500 PLCs, which allows an attacker to inject malicious code into the PLCs and gain control over them.
- The attack system consists of a legitimate TIA Portal version 15 installation and an attack proxy, and the attack has two phases: setup and attack.
- During the setup phase, the attacker programs a blue malicious program and records the resulting flow of messages into a pcap file.
- During the attack phase, the attacker brings in a rogue engineering station and programs a yellow innocent program, which is intercepted by the malicious proxy.
- The attacker substitutes the yellow object code with the blue malicious code and applies integrity protection to send it to the PLC.
- The PLC accepts the malicious code because the integrity protection (the MAC) covers only the object code and not the source code, so the source shown on the PLC still looks innocent.
- The rogue engineering station attack is a more practical method than using a large payload to carry out the attack.
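The bullet list above turns on one design point: an integrity tag that covers only the object code says nothing about whether that object code corresponds to the source code stored next to it. The following Python model, added here as an illustration and not code from the presentation or from Siemens, makes that concrete with a toy compiler, a toy object-only tag, and a defender-side consistency check. The key, the bundle layout, the `toy_compile` function and the program strings are all constructed for the demo; nothing here reflects the real S7 protocol or PLC internals.

```python
"""Toy model: object-only integrity protection versus a source/object
consistency check. Constructed example; not the S7 protocol."""
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed placeholder, not a real PLC key


def toy_compile(source: bytes) -> bytes:
    """Stand-in for the engineering station's compiler (assumption: deterministic,
    so recompiling the same source reproduces the same object code)."""
    return hashlib.sha256(b"compile:" + source).digest()


def _tag(data: bytes) -> bytes:
    """Toy integrity tag; in this model it is computed over the object code only."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def make_download(source: bytes) -> dict:
    """Build a download bundle: source, compiled object, and a tag over the object."""
    obj = toy_compile(source)
    return {"source": source, "object": obj, "tag": _tag(obj)}


def plc_accepts(bundle: dict) -> bool:
    """Object-only check, as described on the page: verify the tag, ignore the source."""
    return hmac.compare_digest(_tag(bundle["object"]), bundle["tag"])


def source_matches_object(bundle: dict) -> bool:
    """Defender-side consistency check: recompile the stored source and compare it
    with the object code that is actually present. This is the check the
    object-only tag does not perform."""
    return hmac.compare_digest(toy_compile(bundle["source"]), bundle["object"])


def substituted_bundle(bundle: dict, other_object: bytes) -> dict:
    """Model of the substitution the page describes: the object code is replaced
    and the object-only tag recomputed, while the source is left untouched."""
    return {"source": bundle["source"], "object": other_object,
            "tag": _tag(other_object)}


def demo() -> dict:
    """Run the scenario and return what each check concludes."""
    innocent = make_download(b"yellow: blink output Q0.0")           # constructed
    malicious = make_download(b"blue: hold output Q0.0 high")        # constructed
    tampered = substituted_bundle(innocent, malicious["object"])
    return {
        "innocent_accepted": plc_accepts(innocent),
        "tampered_accepted": plc_accepts(tampered),            # True: tag still valid
        "innocent_consistent": source_matches_object(innocent),
        "tampered_consistent": source_matches_object(tampered),  # False: mismatch caught
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes is that the object-only tag passes for the tampered bundle exactly as the page states, while a recompile-and-compare of the source against the object flags the divergence. In a real deployment the equivalent is an independent check that the object code on the controller matches a fresh build of the source held in version control, rather than trusting that the source displayed by the PLC reflects what is running.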
The presenter explains that if the attacker can control the PLC in their lab, they can also control the PLC at the gate of the Wall and open it, even though they are not Jon Snow. They can likewise control the PLC at King's Landing's gate, although they are not Cersei Lannister.