Skip to content

Siemens S7 PROFINET – A Shocking Network Architecture Flaw

A Shocking Flaw

Here’s an all too often overlooked item in the security architecture of industrial networks.

Below is a diagram of an industrial network architecture we’ve seen in a number of places.

In the diagram, a PLC with multiple network interfaces, in this case a PROFINET-enabled Siemens S7-300 or a S7-1500, is used to connect to the SCADA network on one side, and on the other side – to the I/O network.

Let’s imagine the following scenario:

  1. An attacker has gained access to a host in the SCADA network (10.0.0.x).
  2. The attacker wants to directly attack the I/O devices at 192.168.0.x, in order to sabotage the industrial process.

The question is: What should the attacker do in order to reach the I/O devices?

Think about it, then scroll down to see the answer.

Here’s the diagram of the industrial network architecture:

If you answered “nothing”, that’s the correct answer.

The S7-300, S7-1500 and other controllers with multiple network interfaces are sometimes used to “separate” the SCADA and I/O networks.

However, there is no such separation. If you use this feature, from the perspective of the SCADA network, there’s full L2+ access to the I/O network, and vice-versa.

The PROFINET interface on the S7-1500 (for example, the S7-1511 PN model) is a network switch, allowing anyone from the SCADA network full access to the I/O network, and vice versa.

From the perspective of the attacker, the network is completely flat.

As documented in the manual entry for the S7-1500 PROFINET-enabled CPU:

Source: Siemens, S7-1500 CPU 1511-PN Manual

And as documented in the manual entry for the S7-300 PROFINET-enabled CPU:

Source: Siemens, S7-300 CPU 319-3 PN/DP Manual

How Cyber Attackers Manipulate this Flaw

All an attacker has to do in order to access the I/O network directly, is to take a device in the SCADA network, add an IP address in the I/O network and then communicate with the field devices (in the I/O network) over any protocol they choose (Ethernet, IP, TCP, UDP, ICMP, etc).

This means that for example, if you have PROFINET I/O modules running on the I/O network, they’re accessible from ANY IP on the SCADA network, both by L2 (direct Ethernet) and by L3 (IP).

If you use this topology and you trust the I/O network to be separate from the OT network, this is a major flaw in your architecture.

How to Check if your I/O Field Network is Accessible From your SCADA Network

  1. Perform the test during maintenance windows or in production with caution. Contact SCADAfence support if you need help.
  2. Find out what is the IP range for your I/O network / fieldbus.
  3. Select an IP address that’s not in use, in the I/O network range.
  4. Change the IP of a test machine in the SCADA network using the following command:
netsh int ipv4 add address "Local Area Connection"
  1. Then, ping an I/O controller, a sensor, a PLC, or any other IP that answers pings in the I/O network. If you got a response back, your I/O network is flat together with your SCADA network.

How to Discover These Vulnerabilities Automatically

This flawed design has been discovered by the SCADAfence Platform: The platform has been used to monitor both the SCADA and I/O networks of a certain industrial facility. Although the I/O network was supposed to be segmented from the SCADA network, in the sensor installed in the SCADA network, the SCADAfence security teams have seen broadcasts originating from the I/O network. When the SCADAfence security teams inspected the topology further, they discovered that in contradiction with what the system integrator and OT team believed – the networks were connected and were completely flat.

How Many Networks are Separating Between I/O and SCADA Using A Network Switch?

For the purpose of this research, it was a network misconfiguration that the SCADAfence platform helped uncover. Nonetheless, this question is very important for OT & IoT network security.

This network architecture flaw is a very clear example of how network packet analysis is a fundamental technology for the security of OT and IoT networks.

If you want to try out the SCADAfence Platform and uncover all of the vulnerabilities in your OT network, we will be glad to help you. Book your free demo here:

CyberLink’s facial recognition engine FaceMe® to power LILIN’s connected devices, providing businesses with contactless access control management and visitor analytics

TAIPEI, TAIWAN – July 28 2020 – CyberLink Corp. (5203.TW), a pioneer in AI and facial recognition technologies, today announced it has formed a partnership with surveillance solution provider LILIN, leveraging new facial recognition technologies to create comprehensive smart security and retail solutions. CyberLink will license its FaceMe® facial recognition engine to LILIN, powering its NAV Facial Recognition Recorder, creating an all-in-one smart security, data analysis and warning solution.

With the combined technologies, LILIN’s connected video devices can provide businesses with a series of contactless solutions, such as granting verified personnel access to restricted areas within offices, factories or residential buildings through an opt-in photo identification system. The new offering can also provide retailers and hospitality operators with anonymized customer demographics to better understand their customer experience, such as identifying trending emotions patrons may feel when engaged in specific activities or visiting certain areas of a venue.

As the coronavirus pandemic continues to develop across the globe, CyberLink’s and LILIN’s joint facial recognition system uniquely provides businesses seeking contactless solutions the underlying technology to reduce the need for people to touch highly shared surfaces by replacing key cards or PIN passwords with biometric data.

“If there was ever a field worthy of continued research and innovation, it’s security,” said Dr. Jau Huang, CEO of CyberLink. “Without a doubt, LILIN is a global leader and manufacturer of IoT devices, and CyberLink is a worldwide pioneer developing facial recognition applications for connected devices. Together, we are setting a new standard for what makes a place secure by bringing to market new technologies that make our customers safer, and our businesses smarter.”

“LILIN has many years of smart security experience, providing insight into the market’s needs for creating a comprehensive intelligent security solution. LILIN is pleased to partner with CyberLink and integrates FaceMe® into our facial recognition system to strengthen smart retail, smart healthcare, smart factory, and smart business applications. Through continued efforts, I believe that LILIN will provide the most advanced total security solution for global customers.” said Mr. C.C. Hsu, LILIN’s President.

CyberLink and LILIN will host a webinar titled “Facial Recognition x Smart Security

Empowering Smart AIoT Applications”” on August 13, 2020 from 14:00-15:00 (GMT+8/Taipei time), further describing the many use cases enabled through the new product offering. For detailed event information and a registration link, please visit:

FaceMe’s® edge-based architecture empowers powerful, efficient processing, and higher levels of security compared to Cloud-based solutions. It supports more than 10 operating systems, including Windows, Android, iOS, and various Linux distributions such as Ubuntu x86, Ubuntu ARM, RedHat, CentOS, Yocto, Debian and JetPack. FaceMe’s® high accuracy, flexibility and security makes it the leading facial recognition engine available on the market today, and it is one of the world’s most accurate engines as deemed by the global standard NIST Facial Recognition Vendor Test.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About CyberLink
Founded in 1996, CyberLink Corp. (5203.TW) is the world leader in multimedia software and AI facial recognition technology. CyberLink addresses the demands of consumer, commercial and education markets through a wide range of solutions, covering digital content creation, multimedia playback, video conferencing, live casting, mobile applications and AI facial recognition.  CyberLink has shipped several hundred million copies of its multimedia software and apps, including the award-winning PowerDirector, PhotoDirector, and PowerDVD.  With years of research in the fields of artificial intelligence and facial recognition, CyberLink has developed the FaceMe® Facial Recognition Engine. Powered by deep learning algorithms, FaceMe® delivers the reliable, high-precision, and real-time facial recognition that is critical to AIoT applications such as smart retail, smart security, and surveillance, smart city and smart home. For more information about CyberLink, please visit the official website at