
The Siemens industrial control systems architecture consists of Simatic S7 PLCs which communicate with a TIA engineering station and SCADA HMI on one side. In this paper we show that even the latest versions of the devices and protocols are still vulnerable.


Esamgold/SIEMENS-S7-PLCs-attacks


SIEMENS-S7-PLCs-attacks

Siemens communications overview

S7comms (Step 7 communications) is a Siemens protocol implemented on top of an ISO transport protocol; it is not open and is tightly controlled by Siemens.

The Simatic line of products includes the “Totally Integrated Automation Portal” (TIA), which functions as the engineering station, and can also function as an HMI. The TIA (or HMI) and the PLCs communicate over the S7 network protocol.

The most recent versions of the S7 protocol include cryptographic mechanisms to protect the communication — and most importantly, a cryptographic message integrity code, whose goal is to protect the communication from adversarial manipulation.

S7 Protocol

The S7 protocol is the backbone of Siemens communications. Its Ethernet implementation relies on ISO-on-TCP (RFC 1006), which is block oriented by design. Each block is called a PDU (Protocol Data Unit); its maximum length depends on the CP and is negotiated during connection setup.

The S7 protocol is function oriented (command oriented): each transmission contains a command or the reply to one. If a command does not fit in a single PDU, it is split across subsequent PDUs. Each command consists of:

- a header
- a set of parameters
- parameter data
- a data block

The first two elements are always present; the others are optional.

The S7 protocol, ISO-on-TCP and TCP/IP follow the well-known encapsulation rule.

S7 commands are divided into the following categories:

- Data read/write
- Cyclic data read/write
- Directory info
- System info
- Block move
- PLC control
- Date and time
- Security
- Programming

The partners can exchange unsolicited data: once the connection is established, either side can send data to the other. This kind of communication is often called Client-Client by Siemens in their manuals.

The peer that requests the connection is named Active Partner, the peer that accepts the connection is named Passive partner.

The communication is performed via FB12/FB13 (S7300) or SFB12/SFB13 (S7400), their symbolic names are BSend/BRecv (Block Send / Block Recv).

An important remark: when PLC A calls BSend, BRecv must be called in PLC B at the same time for the transaction to complete.

Siemens data format

The PC internal data format is little-endian.

DWORD 0x2F11214C is stored in the PC

The Siemens theatre

In the Siemens communication theatre there are three actors:

1. The client
2. The server
3. The partner (a.k.a. the peer in classic computer terminology)

And as in all good theatre companies, they follow their script:

- The client can only query.
- The server can only reply.
- The partners can both speak on their own initiative.

All three components are clients: they connect to the internal server of the Communication Processor (CP) and send an S7 request. The server replies with an S7 answer telegram. No configuration is needed on the server side; the server service is handled automatically by the CP firmware. The CP can be external, such as a CP343/CP443, or internal in 3XX-PN or 4XX-PN CPUs; both work the same way.

Two different protocol flavours are implemented by Simatic S7 products. The older Simatic S7 PLCs implement an S7 flavour identified by the protocol number 0x32 (S7comm), while the new-generation PLCs implement an S7 flavour identified by the protocol number 0x72 (S7CommPlus).

All operations (start/stop, download, read/write) are translated by the TIA software into S7 messages, which are transmitted to the PLC. The PLC acts upon the messages it receives, performs the operations, and responds.
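The encapsulation, PDU structure, byte order and protocol-number distinction described above can be exercised with a small header decoder. The following is an added example written for this page, not code from the repository: it peels TPKT (RFC 1006), COTP and the S7 header from one telegram, reports whether the payload is S7comm (0x32) or S7CommPlus (0x72), and reads the PDU length that a Setup Communication request negotiates. All multi-byte fields on the wire are big-endian, which is the PLC order; the two DWORD helpers show the same value in PLC and PC layout. The sample telegrams are hand-assembled, and the S7CommPlus header layout (PDU type byte followed by a 2-byte data length) is assumed from the public Wireshark dissector rather than taken from the page.

```python
import struct
from typing import Any, Dict, Optional

# Constructed sample telegrams (hand-assembled, not captures).
# 1) S7comm Setup Communication job, as a TIA/HMI client sends it to the CP
#    to negotiate the PDU size: TPKT + COTP DT + S7 header + 8 parameter bytes.
SAMPLE_S7COMM_SETUP = bytes.fromhex(
    "03000019"              # TPKT: version 3, reserved 0, total length 25
    "02f080"                # COTP: length 2, PDU type DT (0xF0), EOT flag set
    "32010000000100080000"  # S7comm: proto 0x32, ROSCTR Job, reserved, ref 1, param len 8, data len 0
    "f0000001000101e0"      # param: function 0xF0 Setup Communication, AmQ 1/1, PDU length 480
)
# 2) Minimal S7CommPlus telegram on the same transport, protocol id 0x72.
#    Assumption: PDU type byte + 2-byte data length, as in Wireshark's dissector.
SAMPLE_S7PLUS = bytes.fromhex(
    "0300000b"   # TPKT: total length 11
    "02f080"     # COTP DT
    "72480000"   # S7CommPlus: proto 0x72, PDU type 0x48, data length 0
)

ROSCTR_NAMES = {0x01: "Job", 0x02: "Ack", 0x03: "Ack-Data", 0x07: "Userdata"}


def parse_s7_telegram(raw: bytes) -> Dict[str, Any]:
    """Peel the TPKT / COTP / S7 layers of one telegram and return the header fields.
    Every multi-byte field is big-endian (struct '>'), the PLC byte order."""
    if len(raw) < 7:
        raise ValueError("too short for TPKT + COTP DT headers")
    version, _reserved, tpkt_len = struct.unpack(">BBH", raw[:4])
    if version != 3:
        raise ValueError(f"unexpected TPKT version {version}")
    if tpkt_len != len(raw):
        # A length that disagrees with the bytes on the wire means a malformed
        # or truncated telegram; a monitor should flag it rather than guess.
        raise ValueError(f"TPKT length {tpkt_len} != {len(raw)} bytes received")
    cotp_len, cotp_type = raw[4], raw[5]
    if cotp_type != 0xF0:
        raise ValueError(f"COTP PDU type 0x{cotp_type:02x} is not DT; no S7 payload")
    last_unit = bool(raw[6] & 0x80)
    s7 = raw[5 + cotp_len:]  # the COTP length byte counts the bytes after itself
    if not s7:
        raise ValueError("empty S7 payload")
    proto = s7[0]
    out: Dict[str, Any] = {"last_data_unit": last_unit, "protocol_id": proto}
    if proto == 0x32:
        if len(s7) < 10:
            raise ValueError("truncated S7comm header")
        _pid, rosctr, _res, ref, plen, dlen = struct.unpack(">BBHHHH", s7[:10])
        hdr_len = 12 if rosctr in (0x02, 0x03) else 10  # Ack / Ack-Data add error class+code
        out.update(flavor="S7comm", rosctr=ROSCTR_NAMES.get(rosctr, f"0x{rosctr:02x}"),
                   pdu_ref=ref, param_length=plen, data_length=dlen)
        if hdr_len == 12:
            out["error_class"], out["error_code"] = s7[10], s7[11]
        if len(s7) < hdr_len + plen + dlen:
            raise ValueError("S7comm header lengths exceed telegram")
        out["params"] = s7[hdr_len:hdr_len + plen]
        out["data"] = s7[hdr_len + plen:hdr_len + plen + dlen]
        return out
    if proto == 0x72:
        if len(s7) < 4:
            raise ValueError("truncated S7CommPlus header")
        _pid, pdu_type, dlen = struct.unpack(">BBH", s7[:4])
        out.update(flavor="S7CommPlus", pdu_type=pdu_type, data_length=dlen, data=s7[4:4 + dlen])
        return out
    raise ValueError(f"unknown S7 protocol id 0x{proto:02x}")


def negotiated_pdu_length(params: bytes) -> Optional[int]:
    """Setup Communication (function 0xF0) parameter block: function, reserved,
    max AmQ calling, max AmQ called, PDU length. Returns the PDU length or None."""
    if len(params) >= 8 and params[0] == 0xF0:
        return struct.unpack(">H", params[6:8])[0]
    return None


def plc_dword_bytes(value: int) -> bytes:
    """DWORD as it travels on the wire and sits in the PLC: big-endian."""
    return struct.pack(">I", value)


def pc_dword_bytes(value: int) -> bytes:
    """The same DWORD in the PC's native little-endian memory layout."""
    return struct.pack("<I", value)


if __name__ == "__main__":
    for name, tg in (("S7comm setup", SAMPLE_S7COMM_SETUP), ("S7CommPlus", SAMPLE_S7PLUS)):
        fields = parse_s7_telegram(tg)
        print(name, {k: v for k, v in fields.items() if k not in ("params", "data")})
    setup = parse_s7_telegram(SAMPLE_S7COMM_SETUP)
    print("negotiated PDU length:", negotiated_pdu_length(setup["params"]))
    print("0x2F11214C on the PLC:", plc_dword_bytes(0x2F11214C).hex(),
          "on the PC:", pc_dword_bytes(0x2F11214C).hex())
```

The TPKT length check is the kind of consistency test a passive monitor on port 102/tcp should apply before trusting any field further in: a telegram whose declared length disagrees with the bytes received is dropped with a reason, not decoded on a best-effort basis.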

The S7 cryptographic protection

The message cryptographic protection mechanism consists of the following modules:

- A key exchange protocol, which the two parties (PLC and TIA) use to establish a shared secret key, called the session key.

- A message integrity protection algorithm, which calculates a MAC (Message Authentication Code) value from the session key and the message bytes.

- A payload encryption algorithm.

Message integrity mechanisms and key exchange protocols differ between TIA and S7 PLC firmware versions. The messages that the TIA and S7-1500 PLCs exchange are integrity protected by a message authentication code. It is calculated under a (symmetric) secret key, which we denote the session key, shared between the PLC and the TIA.

Siemens communications vulnerabilities

The implementation of HMAC-SHA256 used by the TIA is one in which finalize modifies the context even though it does not add any fragment, so all digests but the first one are not valid HMAC-SHA256 digests. Moreover, the security proofs of HMAC do not hold for this incremental variant. In fact, this incremental variant is less secure than HMAC-SHA256.
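A defender reviewing a MAC implementation wants a conformance test rather than an argument. The following added example (written for this page, not code from the repository or from Siemens) tags a sequence of constructed telegrams with a modelled "incremental" implementation that keeps one HMAC context for the whole session and finalises it after every message, then checks each tag against a reference HMAC-SHA256 computed over that message alone. The model is an assumption: Python's `hmac` finalises non-destructively, so it reproduces only the first symptom the text describes (every digest after the first depends on earlier messages and is not an HMAC of the message it accompanies), not the context-modifying finalize of the real implementation.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed inputs (not from any device): a session key and three
# consecutive telegrams that each need their own MAC.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TELEGRAMS = [b"telegram-1: read DB1", b"telegram-2: write DB1", b"telegram-3: stop"]


def reference_mac(key: bytes, message: bytes) -> bytes:
    """Conformant HMAC-SHA256: a fresh context for every message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver-side check: constant-time compare against the reference value."""
    return hmac.compare_digest(reference_mac(key, message), tag)


class ReusedContextMac:
    """Model of a non-conformant 'incremental' implementation (assumption: a
    simplified stand-in for the variant the text describes, not Siemens' code).
    One HMAC context is created per session and finalised after every message
    instead of being re-initialised, so each tag depends on everything hashed
    before it."""

    def __init__(self, key: bytes) -> None:
        self._ctx = hmac.new(key, digestmod=hashlib.sha256)

    def tag(self, message: bytes) -> bytes:
        self._ctx.update(message)
        return self._ctx.digest()  # finalise without resetting the context


def conformance_report(key: bytes, messages: List[bytes]) -> List[Tuple[int, bool]]:
    """Tag every message with the modelled implementation and report whether
    each tag is a valid HMAC-SHA256 of that message alone."""
    impl = ReusedContextMac(key)
    return [(i, verify_mac(key, m, impl.tag(m))) for i, m in enumerate(messages)]


def matches_transcript_mac(key: bytes, messages: List[bytes], index: int, tag: bytes) -> bool:
    """Diagnostic: does the tag instead equal HMAC over the whole transcript up
    to and including message `index`? True explains why the per-message check
    failed for the modelled implementation."""
    return verify_mac(key, b"".join(messages[: index + 1]), tag)


if __name__ == "__main__":
    for i, ok in conformance_report(SESSION_KEY, TELEGRAMS):
        status = "valid HMAC-SHA256" if ok else "NOT a valid HMAC-SHA256 of this message"
        print(f"telegram {i}: {status}")
```

Only the first tag passes; every later one fails the per-message check and is explained by `matches_transcript_mac`. The same harness, fed tags captured from a real implementation alongside the corresponding plaintext and key, tells a reviewer whether the implementation is standard HMAC-SHA256 or some variant to which the HMAC security proofs do not apply.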


S7 integrity protection in protocol P3

Vulnerability CVE-2019-10929

An attacker in a Man-in-the-Middle position could potentially modify network traffic exchanged on port 102/tcp to PLCs of the SIMATIC S7-1200, SIMATIC S7-1500 and SIMATIC Software Controller CPU families, due to certain properties in the calculation used for integrity protection. In order to exploit the vulnerability, an attacker must be able to perform a Man-in-the-Middle attack. The vulnerability could impact the integrity of the communication.

The P2 protocol uses a simplistic key synchronization scheme, equivalent to using a fixed list of keys in sequence: during each new handshake, both parties compute the next key.

The same sequence of keys is used each time a TIA is restarted, regardless of whether it is the same TIA instance or a different one.

In the P3 protocol, Siemens replaced the simplistic P2 key generation process with a more sophisticated challenge-response protocol that uses elliptic-curve public-key cryptography for the key exchange.

The P3 key exchange uses one-way group authentication: a PLC of a given model and firmware version has the necessary private key and is able to decrypt the KDK and derive the session key.

Siemens communications attacks
