Abstract
The first cyberattack on an Industrial Control System (ICS), also known as Stuxnet, occurred around 2007 and targeted the Iranian uranium enrichment plant in Natanz. Its goal was not to destroy the centrifuges on site but to let them fail, to delay Iran's nuclear program. Other cyberattacks on ICSs followed, like the attacks on the Ukrainian power grid in 2015 and 2016, affecting the lives of approximately 230,000 people. Attacks on industrial factories are not as well known as ransomware attacks like WannaCry and LockBit, or DDoS attacks on banks that make debit card payments virtually impossible. When the safety controller of a chemical factory is targeted and all safety measures are bypassed, as happened in 2017 with the TRITON attack, the consequences of a failure have a completely different dimension.
The main controller in an ICS is called a Programmable Logic Controller (PLC), a robust and reliable embedded controller. It contains the software that controls one or more machines in a factory or plant, and it is connected to a network that, indirectly, connects it to the Internet. To communicate with other PLCs, manufacturers developed different protocols. Some of these protocols are proprietary, meaning only equipment from that manufacturer can use the protocol. For example, Siemens, with a market share of 30 per cent, has its proprietary protocol called S7 Communication Protocol, which is used to communicate between PLCs and the programming software for loading programs into the PLC.
The previously mentioned attacks show that even PLCs are vulnerable. Researcher Maik Brüggemann has developed a worm that lives only in a PLC and can infect other PLCs without the user noticing its malicious PLC code.
Fuzzing or fuzz testing is a widely adopted method for testing network protocols. This method allows for detecting security vulnerabilities in the protocol’s implementation. By sending malformed input to a program and observing its execution or response, unwanted and unexpected behaviour can be discovered. This unpredictable behaviour often leads to security exploits in the software.
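The following is an added illustration of the mutation-based fuzzing loop described above; it is not code from the thesis or from SimaticFuzz. It constructs a toy length-prefixed message format (not S7CommPlus) with a parser that trusts the declared length, mutates a seed message, and separates graceful rejections (`ValueError`) from unexpected crashes (any other exception), which is exactly the "observe the response" step that turns a malformed input into a bug report. A hardened parser is fuzzed with the same loop to show that the crash class disappears once the length is validated.

```python
import random
import struct

# Constructed toy wire format (not S7CommPlus):
#   byte 0      magic 0x72
#   byte 1      message type
#   bytes 2-3   big-endian payload length
#   bytes 4..   payload, whose last byte is treated as a checksum
SEED = bytes([0x72, 0x01]) + struct.pack(">H", 4) + b"ABCD"


def parse_message_buggy(data: bytes) -> dict:
    """Deliberately flawed parser: indexes with the declared length without
    checking it against the buffer, so an oversized length crashes it."""
    if len(data) < 4 or data[0] != 0x72:
        raise ValueError("bad header")          # graceful rejection
    msg_type = data[1]
    length = struct.unpack(">H", data[2:4])[0]
    checksum = data[4 + length - 1]             # IndexError when length lies
    return {"type": msg_type, "length": length,
            "payload": data[4:4 + length], "checksum": checksum}


def parse_message_hardened(data: bytes) -> dict:
    """Same format, but the declared length is validated before any access."""
    if len(data) < 4 or data[0] != 0x72:
        raise ValueError("bad header")
    msg_type = data[1]
    length = struct.unpack(">H", data[2:4])[0]
    if length == 0 or 4 + length > len(data):
        raise ValueError("declared length does not fit the buffer")
    payload = data[4:4 + length]
    return {"type": msg_type, "length": length,
            "payload": payload, "checksum": payload[-1]}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random mutations: bit flip, interesting byte, truncation."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        choice = rng.randrange(3)
        if choice == 0 and data:
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif choice == 1 and data:
            i = rng.randrange(len(data))
            data[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        else:
            data = data[:rng.randrange(len(data) + 1)]
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Run the mutation loop; return (input, exception name) for every crash.
    ValueError is the parser's documented way of rejecting bad input and is
    therefore not counted; anything else is unexpected behaviour."""
    rng = random.Random(rng_seed)           # fixed seed keeps runs reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:            # noqa: BLE001 - fuzzers must catch all
            crashes.append((case, type(exc).__name__))
    return crashes


def unique_crash_types(crashes: list) -> set:
    """Triage helper: collapse the crash list to the distinct exception types."""
    return {name for _, name in crashes}


if __name__ == "__main__":
    for name, parser in (("buggy", parse_message_buggy),
                         ("hardened", parse_message_hardened)):
        found = fuzz(parser, SEED)
        print(f"{name}: {len(found)} crashes, types={unique_crash_types(found)}")
        if found:
            print("  first crashing input:", found[0][0].hex())
```

The two parsers are fuzzed with an identical seed and random stream, so the difference in the crash count is attributable only to the missing length check; in a real campaign the same loop would wrap a network client instead of a local function and treat a PLC that stops responding as the crash signal.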
In this thesis, we present SimaticFuzz, our fuzzer for the Siemens Simatic S7 Communication Plus protocol. With SimaticFuzz, we found a vulnerability in the S7CommPlus protocol in an S7-1511F PLC, which caused a Denial of Service (DoS): the PLC stopped executing its program. The vulnerability was reported to Siemens, and a CVE (CVE-2023-46156) was issued.
| Date of Award | 4 Mar 2024 |
|---|---|
| Original language | English |
| Supervisor | Harald Vranken (Examiner) & Fabian van den Broek (Co-assessor) |
Master's Degree
- Master Software Engineering