
sOfT7: Revealing the Secrets of Siemens S7 PLCs

Conference:  Black Hat USA 2022

2022-08-10

Abstract

The programmable logic controller (PLC) is a reliable hardware device implementing complex monitoring and control logic for industrial control systems. The pursuit of new advanced features has driven ICS vendors to come up with new-generation PLCs that contain a whole standard OS environment (e.g., Windows or Linux). They are commonly known as PC-based PLCs or SoftPLCs. Siemens' SoftPLC is called ET 200SP and, unlike common PLCs (which typically use customized processors), it contains a standard Intel Atom CPU. The PLC runs a hypervisor that controls two VMs: Windows and Adonis Linux, which Siemens calls SWCPU. The Adonis kernel runs the programmable control logic and functions as a software PLC. The SWCPU is encrypted (in the PLC storage) and is decrypted by the hypervisor during the boot process of the PLC.

Since the boot process of the ET 200SP is not secure, an attacker can boot an OS of his choice and read the full filesystem, including the binary of the hypervisor, the encrypted SWCPU, and the GRUB configuration files. Surprisingly, this filesystem is also accessible from the Windows VM. We located the code in the hypervisor that decrypts the SWCPU and ran it in a standard Linux environment using Intel Pin. We managed to extract the plaintext SWCPU, which had been kept secret for years, ever since Siemens, like other vendors, started encrypting their firmware before release. Our success indicates that the decryption key is hardcoded.

Our initial research shows evidence that the SWCPU contains a codebase used by other Siemens S7 PLCs (e.g., Siemens' Adonis kernel). Thus, it can be used for vulnerability research throughout the full Siemens S7 product line. Our conclusion is that Siemens invested efforts in protecting the secrecy of the S7 PLC codebase but failed to adapt their security mechanisms to the new standard environment.
