
Siemens S7 PROFINET – A Shocking Network Architecture Flaw

A Shocking Flaw

Here is an all-too-often overlooked item in the security architecture of industrial networks.

Below is a diagram of an industrial network architecture we’ve seen in a number of places.

In the diagram, a PLC with more than one PROFINET port, in this case a PROFINET-enabled Siemens S7-300 or an S7-1500, connects to the SCADA network on one port and to the I/O network on the other.

Let’s imagine the following scenario:

  1. An attacker has gained access to a host in the SCADA network (10.0.0.x).
  2. The attacker wants to directly attack the I/O devices at 192.168.0.x, in order to sabotage the industrial process.

The question is: What should the attacker do in order to reach the I/O devices?

Think about it, then scroll down to see the answer.

Here’s the diagram of the industrial network architecture:

If you answered “nothing”, that’s the correct answer.

The S7-300, S7-1500 and other controllers with more than one PROFINET port are sometimes used to “separate” the SCADA and I/O networks.

However, there is no such separation. If you wire the networks this way, then from the perspective of the SCADA network there is full L2+ access to the I/O network, and vice versa.

The two ports of the PROFINET interface on the S7-1500 (for example, the CPU 1511-PN model) are connected by an integrated switch: a frame arriving on one port is forwarded to the other exactly as an unmanaged switch would forward it, with no VLAN, filtering or routing in between. Anyone on the SCADA network therefore has full access to the I/O network, and vice versa.

From the perspective of the attacker, the network is completely flat.

This is documented in the manual for the S7-1500 PROFINET-enabled CPU (manual excerpt not reproduced here; source: Siemens, S7-1500 CPU 1511-PN Manual).

It is likewise documented in the manual for the S7-300 PROFINET-enabled CPU (manual excerpt not reproduced here; source: Siemens, S7-300 CPU 319-3 PN/DP Manual).

How Attackers Exploit this Flaw

All an attacker needs to do to reach the I/O network directly is take a device in the SCADA network, add a second IP address from the I/O range to it, and then talk to the field devices over any protocol they choose (Ethernet, IP, TCP, UDP, ICMP, etc.). Nothing is routed or filtered in between: the CPU’s integrated switch forwards the frames from one port to the other. For PROFINET’s own traffic (DCP and RT, EtherType 0x8892), which runs directly over Ethernet, the attacker does not even need an IP address in the I/O range.

This means that, for example, if PROFINET I/O modules run on the I/O network, they are reachable from ANY host on the SCADA network, both at L2 (direct Ethernet) and at L3 (IP).

If you use this topology and trust the I/O network to be separate from the SCADA network, this is a major flaw in your architecture.

How to Check if your I/O Field Network is Accessible From your SCADA Network

  1. Perform the test during a maintenance window, or in production with caution. Contact SCADAfence support if you need help.
  2. Find out the IP range of your I/O network / fieldbus.
  3. Select an IP address in the I/O network range that is not in use.
  4. Add that address as a secondary IP on a test machine in the SCADA network. On Windows, the following command adds it without removing the machine’s existing SCADA-side address:
netsh int ipv4 add address "Local Area Connection" 192.168.0.253 255.255.255.0
  5. Then ping an I/O controller, a sensor, a PLC, or any other IP in the I/O network that answers pings. If you get a response, your I/O network is flat together with your SCADA network. A missing reply does not prove separation, since many field devices do not answer ICMP while the L2 path is still open. Remove the test address when you are done.
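Here is a complementary check at layer 2, written for this page as an added example (it is not SCADAfence code, nor a Siemens tool). The procedure above proves layer-3 reachability with a ping, which a field device may not answer. PROFINET devices, however, answer a DCP Identify-All request, and DCP runs directly over Ethernet (EtherType 0x8892) with no IP address involved. If this script, run on a host that has only its SCADA-side address, lists devices with 192.168.0.x addresses, the CPU’s integrated switch is forwarding frames between the two networks. It assumes Linux with root privileges (raw sockets) and an interface name given on the command line; the sample reply used to exercise the decoder is constructed, not a real capture. The script sends only Identify requests, never DCP Set (which can rename or re-address a device), and should still be run in a maintenance window as the procedure recommends.

```python
"""Layer-2 reachability check for PROFINET devices.

Sends one DCP Identify-All request from the SCADA-side interface and lists
every PROFINET device that answers, with its station name and IP parameters.
Usage: sudo python3 <this file> <interface>
Assumptions: Linux, root (AF_PACKET raw socket). Added example, not vendor code.
"""
import os
import socket
import struct
import sys
import time
from typing import Dict, List, Optional

PN_DCP_MCAST = bytes.fromhex("010ecf000000")   # DCP identify multicast MAC
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_PN = 0x8892                          # PROFINET RT / DCP
FRAME_ID_IDENT_REQ = 0xFEFE
FRAME_ID_IDENT_RESP = 0xFEFF
DCP_SERVICE_IDENTIFY = 0x05
DCP_TYPE_REQUEST = 0x00
DCP_TYPE_RESPONSE_OK = 0x01


def build_identify_all(src_mac: bytes, xid: int, response_delay: int = 0x0080) -> bytes:
    """Ethernet frame for DCP Identify-All (option 0xFF / suboption 0xFF, no data)."""
    block = struct.pack("!BBH", 0xFF, 0xFF, 0)
    dcp = struct.pack("!BBIHH", DCP_SERVICE_IDENTIFY, DCP_TYPE_REQUEST,
                      xid, response_delay, len(block)) + block
    frame = (PN_DCP_MCAST + src_mac
             + struct.pack("!HH", ETHERTYPE_PN, FRAME_ID_IDENT_REQ) + dcp)
    return frame.ljust(60, b"\x00")            # pad to the Ethernet minimum


def parse_identify_response(frame: bytes) -> Optional[Dict]:
    """Decode a DCP Identify response (optionally 802.1Q tagged); None otherwise."""
    src = frame[6:12]
    off = 12
    ethertype = int.from_bytes(frame[off:off + 2], "big")
    if ethertype == ETHERTYPE_VLAN:            # skip the VLAN tag if present
        off += 4
        ethertype = int.from_bytes(frame[off:off + 2], "big")
    frame_id = int.from_bytes(frame[off + 2:off + 4], "big")
    off += 4                                   # now at the DCP header
    if ethertype != ETHERTYPE_PN or frame_id != FRAME_ID_IDENT_RESP or len(frame) < off + 10:
        return None
    service, stype, xid, _reserved, data_len = struct.unpack("!BBIHH", frame[off:off + 10])
    if service != DCP_SERVICE_IDENTIFY or stype != DCP_TYPE_RESPONSE_OK:
        return None
    info: Dict = {"mac": src.hex(":"), "xid": xid}
    pos, end = off + 10, min(off + 10 + data_len, len(frame))
    while pos + 4 <= end:
        opt, subopt, blen = struct.unpack("!BBH", frame[pos:pos + 4])
        body = frame[pos + 4:pos + 4 + blen]   # BlockInfo (2 bytes) followed by data
        pos += 4 + blen + (blen & 1)           # blocks are padded to even length
        if opt == 2 and subopt == 1:           # Device properties / DeviceVendor
            info["device_vendor"] = body[2:].decode("ascii", "replace")
        elif opt == 2 and subopt == 2:         # Device properties / NameOfStation
            info["name_of_station"] = body[2:].decode("ascii", "replace")
        elif opt == 1 and subopt == 2 and len(body) >= 14:   # IP / IPParameter
            info["ip"], info["netmask"], info["gateway"] = (
                socket.inet_ntoa(body[i:i + 4]) for i in (2, 6, 10))
    return info


def sweep(iface: str, timeout: float = 2.0) -> List[Dict]:
    """Send Identify-All on iface and collect every answer until timeout."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_PN))
    sock.bind((iface, 0))
    src_mac = sock.getsockname()[4]
    xid = int.from_bytes(os.urandom(4), "big")
    sock.send(build_identify_all(src_mac, xid))
    sock.settimeout(0.2)
    found: Dict[str, Dict] = {}
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            reply = parse_identify_response(sock.recv(1600))
        except socket.timeout:
            continue
        if reply and reply["xid"] == xid:      # ignore answers to someone else's scan
            found[reply["mac"]] = reply
    return list(found.values())


def constructed_identify_response() -> bytes:
    """Constructed sample reply from an I/O device at 192.168.0.10 (not a real capture)."""
    def block(opt: int, subopt: int, block_info: int, data: bytes) -> bytes:
        body = struct.pack("!H", block_info) + data
        return struct.pack("!BBH", opt, subopt, len(body)) + body + (b"\x00" if len(body) & 1 else b"")
    blocks = (block(2, 1, 0, b"ET 200SP")
              + block(2, 2, 0, b"io-dev-01")
              + block(1, 2, 1, socket.inet_aton("192.168.0.10")       # BlockInfo 1: IP is set
                      + socket.inet_aton("255.255.255.0") + socket.inet_aton("192.168.0.10")))
    dcp = struct.pack("!BBIHH", DCP_SERVICE_IDENTIFY, DCP_TYPE_RESPONSE_OK,
                      0x12345678, 0, len(blocks)) + blocks
    return (bytes.fromhex("001122334455") + bytes.fromhex("001b1baabbcc")
            + struct.pack("!HH", ETHERTYPE_PN, FRAME_ID_IDENT_RESP) + dcp)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: sudo {sys.argv[0]} <scada-side-interface>")
    for dev in sweep(sys.argv[1]):
        print(f"{dev['mac']}  {dev.get('ip', '-'):15}  "
              f"{dev.get('name_of_station', '?')}  {dev.get('device_vendor', '')}")
```

The response delay factor of 0x0080 gives devices up to 1.28 s to answer (they spread replies to avoid a burst), which is why the sweep listens for two seconds. Any device that shows up with an address outside the SCADA range reached you without a single routed packet; that is the flat network the article describes.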

How to Discover These Vulnerabilities Automatically

This flawed design was discovered with the SCADAfence Platform. The platform was monitoring both the SCADA and I/O networks of an industrial facility. Although the I/O network was supposed to be segmented from the SCADA network, the sensor installed in the SCADA network saw broadcasts originating from the I/O network. When the SCADAfence security team inspected the topology further, it found that, contrary to what the system integrator and the OT team believed, the networks were connected and completely flat.

How Many Networks “Separate” I/O and SCADA Using Only a Network Switch?

In this case it was a network misconfiguration that the SCADAfence Platform helped uncover. Nonetheless, the question is an important one for OT and IoT network security.

This network architecture flaw is a clear example of why network packet analysis is a fundamental technology for the security of OT and IoT networks: a broadcast seen where it should not be is often the first sign that two “separate” networks are really one.

If you want to try out the SCADAfence Platform and uncover all of the vulnerabilities in your OT network, we will be glad to help you. Book your free demo here: https://l.scadafence.com/schedule-a-demo-scadafence

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

LGPD: How to comply with the 10 privacy principles

After two years of waiting, Brazil’s General Data Protection Law (LGPD) is finally coming into force. The law regulates the processing of personal data, with the aim of ensuring the security, transparency and integrity of the data that people provide.

Since its announcement, companies have widely discussed how to adapt to the rules the law establishes, as the impact on data processing is enormous: companies must rework their communication strategies and protect personal data effectively.

Companies that have not yet adapted to the LGPD are subject to fines of up to R$ 50 million per violation, which would mean huge losses for any company.

If you have not adjusted yet and want to catch up as soon as possible, this article presents the 10 privacy principles you need to follow to comply with the LGPD:

Learn More: 7 important details between the LGPD (Brazilian) and the GDPR (European)

10 Privacy Principles

Before you put measures in place to regulate your company, it is important to know the 10 privacy principles that the LGPD requires companies to follow (Article 6 of the law), which are:

  1. Purpose principle: process data only for legitimate, specific and explicit purposes that are made known to the data subject.
  2. Adequacy principle: the data must be processed in a way that is compatible with the purpose informed to the data subject.
  3. Necessity principle: request and process only the minimum data necessary to fulfill that purpose.
  4. Free access principle: guarantee data subjects easy, free consultation of the form and duration of processing and of the completeness of their data.
  5. Data quality principle: the company is responsible for keeping the data accurate, clear, relevant and up to date.
  6. Transparency principle: give data subjects clear, accurate and easily accessible information about the processing and about the agents involved.
  7. Security principle: adopt technical and administrative measures so that only authorized people have access to the data and it is protected from accidental or unlawful destruction, loss, alteration or disclosure.
  8. Prevention principle: adopt measures to prevent harm from arising out of the processing of personal data.
  9. Non-discrimination principle: data cannot be processed for unlawful or abusive discriminatory purposes.
  10. Accountability principle: the company must be able to demonstrate that it has adopted effective measures to comply with the other principles and to prove that they work.

How to Ensure that the 10 Principles are Followed

Ensuring the integrity of personal data depends heavily on your information security team, because protecting personal data effectively requires the company to have efficient privileged access control: control that allows only authorized people to access the information, defends it against internal and external threats, and records every action taken on personal data.

A good way to achieve this is a PAM solution. A good PAM solution manages all the points you need to pay attention to, ensures internal and external security, and records all actions performed within the databases. If you are curious to know how a PAM solution works, fill out the form below and request the demo.


About Segura®
Segura® strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

ESET R&D to launch Cyber Security Academy with the European Migration Agency and the Technical University of Moldova

Bratislava, Iasi – The ESET R&D center in Iasi, Romania, is working with the European Migration Agency (EMA) and the Technical University of Moldova (TUM) in the capital, Chisinau, to launch a new Cyber Security Academy.  The project is currently slated to last for one year (starting in August 2020), after which the most successful graduating students will be offered professional internships at ESET. Another area of the new program’s focus is on talented young women and their futures in information technology.

The European Migration Agency, in cooperation with ESET and the Technical University of Moldova, will renovate and equip a new IT Laboratory, which will subsequently serve as the basis for the new Cyber Security Academy. TUM ranks among the country’s leading universities in terms of cooperation with the private sector.

Along with the creation of the Academy, the project also focuses on young women in IT. ESET is co-financing the project together with TEKEDU, a local Moldovan NGO. The GirlsGoIT program and TEKEDU will support the transition of young women into the ICT sector and organize workshops in science, technology, engineering and mathematics.

The whole project is co-financed via official development aid by the Slovak Republic, SlovakAid.

“Iasi, where this ESET R&D center is located, used to be for 300 years the historical capital of Moldova and later of Romania; thus, we could not be at a more symbolic nor closer place for both countries. We are very much looking forward to supporting the young IT & cybersec talent from Moldova as part of the freshly launched Academy project, and are looking forward to working with and helping them as professional interns at ESET,” says Andrei Ciubotaru, Managing Director of the Iasi R&D center and Head of Endpoint Security at ESET. “Moreover, we are happy to financially support part of the project focusing on encouraging young and talented women to consider the IT sector as their future workplace,” he adds.

According to EMA, “The main challenge the sector is facing is the lack of skilled workforce, which is compounded by a massive brain drain from Moldova. This creates the opportunity to attract more women into the Moldovan Information and Communication Technologies (ICT) sector, as their representation remains relatively low. Moreover, the Moldovan ICT sector also faces the challenge of ensuring interconnection of national educational processes with the corporate sector, in order to align with the ever-changing requirements of the labor market.”


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.