Rogue7: Rogue Engineering-Station Attacks on S7 Simatic PLCs

Conference:  BlackHat USA 2019



The presentation discusses a rogue engineering station attack on S7-1500 PLCs, which allows an attacker to inject malicious code into the PLCs and gain control over them.
  • The attack setup consists of a legitimate TIA Portal V15 installation plus an attack proxy, and the attack runs in two phases: setup and attack.
  • In the setup phase, the attacker uses the legitimate TIA to program the malicious program (shown in blue on the slides) and records the resulting message flow into a pcap file.
  • In the attack phase, the attacker brings in the rogue engineering station and downloads an innocent program (shown in yellow); the download is intercepted by the malicious proxy.
  • The proxy substitutes the yellow object code with the blue malicious object code, applies the integrity protection to the substituted message and forwards it to the PLC.
  • The PLC accepts the malicious code: the integrity (MAC) protection covers only the object code, not the source code, so the source the PLC stores does not have to match the object code it actually runs.
  • The rogue engineering station is a more practical way to deliver the attack than carrying a large payload.
The presenter's point: an attacker who can control the PLC in the lab can equally control the PLC at the gate of the Wall and open it, despite not being Jon Snow, and the PLC at the gate of King's Landing, despite not being Cersei Lannister.


The Siemens industrial control systems architecture consists of Simatic S7 PLCs which communicate with a TIA engineering station and SCADA HMI on one side, and control industrial systems on the other side. The newer versions of the architecture are claimed to be secure against sophisticated attackers, since they use advanced cryptographic primitives and protocols. In this paper we show that even the latest versions of the devices and protocols are still vulnerable. After reverse-engineering the cryptographic protocol, we are able to create a rogue engineering station which can masquerade as the TIA to the PLC and inject any messages favourable to the attacker. As a first example we extend attacks that can remotely start or stop the PLC to the latest S7-1500 PLCs. Our main attack can download control logic of the attacker's choice to a remote PLC. Our strongest attack can separately modify the running code and the source code, which are both downloaded to the PLC. This allows us to modify the control logic of the PLC while retaining the source code the PLC presents to the engineering station. Thus, we can create a situation where the PLC's functionality is different from the control logic visible to the engineer.
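The following is an added example, not code from the talk or the Rogue7 paper: a Python model of the proxy substitution described in the bullet list above and of the "source differs from running code" outcome stated at the end of the abstract. It is not the S7CommPlus wire format, and the integrity field, session key, toy compiler and the two sample programs are all constructed assumptions. The model assumes that, after the setup phase, the proxy holds the same key the engineering station uses for the integrity field, which is what lets it re-protect a forged download. A second PLC class that additionally checks source/object consistency is included as an illustration of what would stop this particular trick; nothing on the page says Siemens implements such a check.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model, not the S7CommPlus wire format or Siemens' real key handling.
# Assumption: the attack proxy has recovered the session key used for the integrity
# field, so it can re-protect whatever it forges.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # hypothetical

INNOCENT_SOURCE = b"IF Tank_Level > 90 THEN Pump := FALSE; END_IF"  # constructed 'yellow' program
MALICIOUS_SOURCE = b"Pump := TRUE;"                                 # constructed 'blue' program


@dataclass
class DownloadMsg:
    source_code: bytes  # what an engineer sees when uploading the project back from the PLC
    object_code: bytes  # what the PLC actually executes
    integrity: bytes    # keyed hash; in this model it covers the object code only


def compile_program(source: bytes) -> bytes:
    """Toy compiler: a deterministic mapping so source/object correspondence is checkable."""
    return b"MC7+" + hashlib.sha256(source).digest()


def protect(key: bytes, data: bytes) -> bytes:
    """Integrity field of the model: HMAC-SHA256 under the session key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def tia_download(source: bytes, key: bytes) -> DownloadMsg:
    """Legitimate engineering station: send source and object, protect the object."""
    obj = compile_program(source)
    return DownloadMsg(source, obj, protect(key, obj))


def rogue_proxy(msg: DownloadMsg, malicious_source: bytes, key: bytes) -> DownloadMsg:
    """Attack phase: keep the innocent source, swap in the malicious object, re-protect."""
    mal_obj = compile_program(malicious_source)
    return DownloadMsg(msg.source_code, mal_obj, protect(key, mal_obj))


class WeakPLC:
    """Verifies the integrity field but never checks that source and object agree."""

    def __init__(self) -> None:
        self.source = b""
        self.object = b""

    def accept(self, msg: DownloadMsg, key: bytes) -> bool:
        if not hmac.compare_digest(msg.integrity, protect(key, msg.object_code)):
            return False
        self.source, self.object = msg.source_code, msg.object_code
        return True

    def upload_source(self) -> bytes:
        """What the engineer gets back when uploading the project from the PLC."""
        return self.source


class ConsistentPLC(WeakPLC):
    """Model mitigation: same integrity check plus a source/object consistency check."""

    def accept(self, msg: DownloadMsg, key: bytes) -> bool:
        if compile_program(msg.source_code) != msg.object_code:
            return False
        return super().accept(msg, key)


def run_attack() -> dict:
    """Run the legitimate download through the proxy against both PLC models."""
    legit = tia_download(INNOCENT_SOURCE, SESSION_KEY)
    forged = rogue_proxy(legit, MALICIOUS_SOURCE, SESSION_KEY)

    weak, consistent = WeakPLC(), ConsistentPLC()
    return {
        "weak_accepted": weak.accept(forged, SESSION_KEY),
        # the engineer still sees the innocent program on upload ...
        "weak_shows_innocent_source": weak.upload_source() == INNOCENT_SOURCE,
        # ... while the PLC runs the malicious one
        "weak_runs_malicious": weak.object == compile_program(MALICIOUS_SOURCE),
        "consistent_rejects_forged": not consistent.accept(forged, SESSION_KEY),
        "consistent_accepts_legit": consistent.accept(legit, SESSION_KEY),
    }


if __name__ == "__main__":
    for name, value in run_attack().items():
        print(f"{name}: {value}")
```

The point the model makes is the one the abstract ends on: once the integrity field is recomputable by the attacker and covers only the object code, nothing ties the stored source to the running logic, so an engineer comparing uploaded source against the project sees no difference. Any real check would have to compare the running object code (or a hash of it) against what the project compiles to, not the source text the PLC hands back.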