A team of researchers at the Technion Israel Institute of Technology demonstrated the ability to breach the security of Siemens’ new controllers at the recent Black Hat USA conference in Las Vegas — a dramatic achievement in the world of cybersecurity.
Siemens’ new controllers are among the most secure in the world, but Nadav Adir and Alon Dankner, graduates of the Henry and Marilyn Taub Faculty of Computer Science, broke their secure communication protocol.
The research was conducted at the Technion under the guidance of Prof. Eli Biham, head of the Hiroshi Fujiwara Cyber Security Research Center at the Technion, and Dr. Sara Bitan, a senior researcher at the center.
Siemens had updated the communication protocol of the controllers following research presented by the group at the 2019 conference.
These controllers are used in a wide range of systems, including critical systems such as aircraft, vehicles, production lines, power stations, gas and oil pipelines, smart homes, traffic lights, and even nuclear reactors.
Adir and Dankner were invited to the conference, a prestigious international event where the latest cybersecurity research is presented, precisely for this reason.
The Technion researchers said they hope that the takeover, “which was of course demonstrated on isolated controllers not integrated into essential systems,” will help Siemens improve its security mechanisms.
The Technion research group has previously participated in Black Hat conferences three times, in 2019, 2022, and early 2024.
At the conference in August 2022, the group first demonstrated the cracking and takeover of Siemens’ smart controller; the research findings were then shared with Siemens to improve the product’s security.
“Our series of appearances at Black Hat conferences repeatedly advances the security of these systems, and it is part of long-term research aimed at improving the security of control systems,” Biham explained. “Siemens made changes to its security mechanisms following our research.”
Nevertheless, the Technion team was once again able to breach the security of Siemens’ controllers. The researchers’ attack was carried out on the CPU 1515SP controller software and for the first time took control of the software common to all controllers in the series.
“The successful attack in 2022 exposed potential weaknesses in this controller and other controllers in the series and reinforced the need to enhance security measures on such controllers,” Bitan commented.
Siemens controllers are found at various critical junctions, including nuclear facilities. It was a breach of Siemens controllers by the Stuxnet computer worm that caused significant damage to the uranium-enrichment centrifuges at Natanz, Iran, an incident that made headlines about 15 years ago. Stuxnet is considered one of the most destructive pieces of malware, because it not only damages the equipment the controllers drive but also conceals that damage.
“The damage is done both on the way to the controller, thereby impairing its function, and on the way out, creating a false appearance to the monitoring systems as if everything is fine,” Bitan said.
“Siemens made changes to the controllers’ security protocol, but we were able to identify a loophole that allows an attacker to disrupt secure communication with the controller, enabling us to both influence its operation and conceal the damage externally.”
Secure communication with the controller relies on public-key cryptography: a pair of mathematically related keys, a public key that can be shared freely and a private key that must never leave its owner. Data encrypted to the public key can be read only with the private key, and where the pair is also used for authentication, only the private key can produce the signatures that prove a message really came from the controller. The private key is therefore supposed to be kept in a “safe,” in Siemens’ case a protected area inside the controller. The Technion researchers managed to penetrate this area and extract the private key, which hands an attacker both directions of the channel: inbound commands can be read and altered, and outbound status messages can be forged so that the monitoring systems see nothing wrong.
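To make the “both directions” point concrete, the following Go program, an added illustration and not code from the Technion team or from Siemens, simulates a generic station-to-controller exchange built on a single RSA key pair: commands are encrypted to the controller’s public key and status reports are signed with its private key. It then plays the exchange as an outsider with a key pair of their own and as a thief who has obtained the controller’s private key. The key sizes, algorithms, message formats and the name `runScenario` are assumptions for the example; the actual Siemens protocol is not on this page, and how the key was extracted is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Outcome records what each party could do in the simulated exchange.
type Outcome struct {
	ControllerReadsCommand bool   // the legitimate controller decrypts the station's command
	OutsiderReadsCommand   bool   // an attacker holding only a key pair of their own
	ThiefReadsCommand      bool   // an attacker holding the controller's extracted private key
	ThiefCommand           string // what the thief recovered from the inbound channel
	ForgedStatusAccepted   bool   // monitoring accepts a status report the thief signed
}

// newKeyPair stands in for the key pair provisioned inside the controller's
// protected storage (assumption: 2048-bit RSA; the real device may differ).
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptCommand is the inbound direction: engineering station -> controller.
// Only the holder of the matching private key can read the command (RSA-OAEP).
func encryptCommand(pub *rsa.PublicKey, cmd []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cmd, []byte("cmd"))
}

func decryptCommand(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte("cmd"))
}

// signStatus is the outbound direction: controller -> monitoring.
// The signature (RSA-PSS over a SHA-256 digest) is what proves origin.
func signStatus(priv *rsa.PrivateKey, status []byte) ([]byte, error) {
	h := sha256.Sum256(status)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func verifyStatus(pub *rsa.PublicKey, status, sig []byte) bool {
	h := sha256.Sum256(status)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// runScenario plays the exchange for the legitimate controller, for an
// outsider with their own key, and for a thief who extracted the controller's key.
func runScenario() (Outcome, error) {
	var out Outcome
	controller, err := newKeyPair()
	if err != nil {
		return out, err
	}
	outsider, err := newKeyPair()
	if err != nil {
		return out, err
	}

	// Inbound: the station encrypts a (constructed) command to the controller's public key.
	command := []byte("SET valve_07 OPEN")
	ct, err := encryptCommand(&controller.PublicKey, command)
	if err != nil {
		return out, err
	}
	pt, err := decryptCommand(controller, ct)
	out.ControllerReadsCommand = err == nil && string(pt) == string(command)

	// The outsider has a valid key pair, but not *this* one: decryption fails.
	_, err = decryptCommand(outsider, ct)
	out.OutsiderReadsCommand = err == nil

	// The thief holds the key bits lifted from the protected area. Extraction itself
	// is not modelled; the stolen key is simply the controller's own key here.
	thief := controller
	pt, err = decryptCommand(thief, ct)
	out.ThiefReadsCommand = err == nil
	out.ThiefCommand = string(pt)

	// Outbound: the thief signs a reassuring (constructed) status report. Monitoring
	// verifies it against the controller's public key and cannot tell it from a real one.
	forged := []byte("STATUS valve_07 CLOSED pressure NOMINAL")
	sig, err := signStatus(thief, forged)
	if err != nil {
		return out, err
	}
	out.ForgedStatusAccepted = verifyStatus(&controller.PublicKey, forged, sig)
	return out, nil
}

func main() {
	out, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The program shows why a leaked private key is worse than a leaked password: there is no remaining secret to distinguish the thief from the controller, so the inbound channel loses confidentiality and the outbound channel loses authenticity in one step. The practical defences are the ones the passage hints at: keep the key in storage that resists extraction (hardware-backed where available), bind it to the device rather than the firmware image, and make sure it can be rotated and revoked once a compromise like this is reported.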
In recent years, Siemens has tightened security on these controllers through version updates. Last August, the company published an article stating that “successful digitization always requires extensive cybersecurity. Although such security is always an integral part of modern controllers, it is important to remember that Siemens offers a wide range of products and services designed to enhance cybersecurity.”
Despite the company’s promises and efforts, the Technion group managed to take control of the software in these updated controllers.