Researcher Will Demo Crippling Siemens Attack Using Metasploit

For years, there’s been an argument that the sophistication of industrial control systems is enough to keep script kiddies – or low-skilled hackers – away. Well, so much for that. 

Researcher Ralph Langner says that he will use a presentation at an upcoming security conference in Washington D.C. to demonstrate a crippling attack on Siemens S7 Programmable Logic Controllers (PLCs) using the free Metasploit penetration testing tool. 

Writing on his blog, Langner said that the attack he will demonstrate will be similar to one he outlined in July – a generic attack against Siemens S7 Programmable Logic Controllers and modeled after an attack used in the Stuxnet worm. The attack, if successful, could cause industrial machinery controlled by S7 PLCs to “run wild.” It would also lower the bar for attacking industrial control systems, giving low-skilled hackers a point and click attack using Metasploit. 

Langner said he will demonstrate the attack on Sept. 20 at the 2011 ICS Cyber Security Conference in Washington, D.C. The show is hosted by Applied Control Solutions (ACS). Langner said the demonstration will leverage a Metasploit module written to automate a small, efficient attack against Siemens S7 systems, which he described in July. In that post, Langner described an attack that used just four lines of code to freeze a Siemens PLC by causing it to skip the execution of its normal control logic. While freezing a PLC isn’t necessarily a precise attack, it can be carried out with a minimum of knowledge or overhead, because of the unique characteristics of the industrial processes that PLCs control. 

“The physical process that is controlled by a controller operates in real-time according to the laws of physics. Now if the controller’s electrical outputs are frozen, the mechanical, hydraulical, chemical characteristics of the process don’t freeze too – they simply run wild, out of control. So for example drives continue to rotate, pumps continue to pump through valves that continue to be open – a recipe for creating scrap product and material damage. If this occurs not only at one station (= controller), but at multiple stations simultaneously, it is easy to end up with damage that might take the victim days to recover from,” Langner wrote. 

The attack is based on a method used by the Stuxnet authors, who figured out that by affixing attack code as a preamble to the legitimate control logic, the attack code gets executed at the beginning of each controller cycle. The Stuxnet authors found that they could effectively disable the legitimate code simply by setting a trigger in that preamble which, when tripped, causes the controller to jump back to the beginning of the organization block, skipping (and thereby disabling) all subsequent code, Langner said.

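To make the mechanism in the two paragraphs above concrete, here is an added Python model of a PLC scan cycle. It is an illustration written for this page, not code from the article, from Langner's July post or from any Metasploit module, and it is not S7 instruction-list code. A one-rung controller fills a tank and stops the pump at a set point; prepending an unconditional "end of block" rung means the legitimate rung never runs, the outputs keep their last value, and the simulated process keeps filling past the set point. The tank model, the rung names, the fill rate and the baseline-digest check are assumptions for the demonstration; the jump is abstracted simply as "stop executing OB1 for this scan".

```python
# Toy model of a PLC scan cycle and of the "preamble" attack the article
# describes. Added illustration only: not S7/STL code, not Langner's
# Metasploit module; the tank-and-pump process is invented for the demo.
import hashlib
from dataclasses import dataclass, field

BLOCK_END = "BE"          # sentinel a rung returns to end the block early
HIGH_LEVEL = 90.0         # set point: stop the pump at 90 % full (assumed)
FILL_RATE = 2.0           # % of tank volume per scan while pumping (assumed)


@dataclass
class Plc:
    inputs: dict = field(default_factory=dict)   # process image of inputs
    outputs: dict = field(default_factory=dict)  # process image of outputs
    logic: list = field(default_factory=list)    # rungs of OB1, in order


def rung_pump_control(plc):
    """Legitimate control logic: run the pump until the tank reaches HIGH_LEVEL."""
    plc.outputs["pump"] = plc.inputs["level"] < HIGH_LEVEL


def rung_preamble_jump(plc):
    """Attacker-prepended rung. It unconditionally ends the block, so every
    rung after it is skipped and the outputs keep whatever value they had
    on the last clean scan: the "frozen outputs" of the article."""
    return BLOCK_END


def scan(plc):
    """One controller cycle: execute OB1 rung by rung until a rung ends the block."""
    for rung in plc.logic:
        if rung(plc) == BLOCK_END:
            break


def run_process(plc, cycles):
    """Advance the physical process one scan per cycle and return the highest
    tank level reached. The tank keeps filling whenever the pump output is on;
    the process does not pause because the control logic stopped running."""
    level = plc.inputs["level"]
    max_level = level
    for _ in range(cycles):
        scan(plc)
        if plc.outputs.get("pump"):
            level += FILL_RATE
        plc.inputs["level"] = level
        max_level = max(max_level, level)
    return max_level


def block_digest(logic):
    """Fingerprint of the block's rung sequence, used as a known-good baseline."""
    return hashlib.sha256("\n".join(r.__name__ for r in logic).encode()).hexdigest()


def simulate(attacked, clean_cycles=5, cycles=60):
    """Run the plant with or without the preamble injected after a few clean
    scans; returns the highest level the tank reached."""
    plc = Plc(inputs={"level": 0.0}, logic=[rung_pump_control])
    run_process(plc, clean_cycles)          # normal operation, pump switched on
    if attacked:
        plc.logic.insert(0, rung_preamble_jump)
    return run_process(plc, cycles)


def logic_tampered(plc, baseline_digest):
    """Integrity check an operator could run after uploading OB1 from the PLC."""
    return block_digest(plc.logic) != baseline_digest


if __name__ == "__main__":
    print("normal max level  :", simulate(False))   # pump stops at the set point
    print("attacked max level:", simulate(True))    # outputs frozen on, tank overflows
```

With the preamble in place the pump output never changes again, so the only thing that limits the damage is the physics of the process, which is Langner's point. The digest comparison at the end is the check a plant would want once point-and-click tooling makes this attack cheap: upload the block from the controller and compare it against a known-good copy, rather than trusting that the logic running is the logic that was engineered.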
Langner’s module wouldn’t be the first Metasploit module to target Siemens products. Three Metasploit modules are available for software made by the company, including two that exploit vulnerabilities in the company’s FactoryLink SCADA platform. In addition, Metasploit is known to be holding on to a number of exploit modules created for the S7 platform by Dillon Beresford of NSS Labs. Those modules are being held under embargo. 

Langner did early work analyzing the Stuxnet worm and was among the first to speculate publicly that it was created specifically to target uranium enrichment facilities within Iran. He has subsequently warned governments and the private sector about the dangers posed by similar attacks on vulnerable industrial control systems or even Stuxnet variants. 

  • Anonymous on

    Everyone in the industry knows that publicly including exploits in Metasploit is historically where the trouble starts. Langner and Beresford are going too far by playing with this stuff - dumbasses. Could present at private events instead.

  • Anonymous M on

    Too far is right. These guys are getting paid to target the above-said manufacturer and, instead of really being concerned and offering security advice to protect our process where I work, where our safety and the safety of our community is involved, these so-called security researchers are handing out the tool box and tools and a "how to guide". They have now created a name for themselves..bravo boys, good work (clapping), but what have you really done? If you even knew what a pump, valve, reactor or coriolis meter looked like, that's what makes me laugh. Do all of us a favor and remove the Security Researcher and good guy from your titles, oh and BTW.. just to enlighten both of you on Process Safety, PHAs, SIL levels which you will now scuridly google, we regret to inform the media and public that critical process safety functions are separate isolated ESD systems and those who fail to separate those systems are the dumbasses who are asking for fail, just like the dumbass above wrote. 

    To increase the burn, try getting through our security at any of our sites to get "on the wire"



  • Anonymous on

    Now, Now... it's not like any of them have demonstrated this stuff at other conferences right? Please tell me I am right. right?!

  • Anonymous to above thread on

    Well said for a "PAID" consultant $$ Cha-Ching. 

    There you have it folks our tax dollars hard at work.

  • Previous thought from threatpost on

    What he did was illegal. Not that I think it should be although I wonder if the US government is going to go after him.

    I think Dillon needs to move to China or STFU. If shit ever hits the fan, he will probably be seen as a traitor by the USA because of articles like this one.

    This researcher is living in a fairytale, "maybe china will think twice about attacking U.S. companies and acknowledge that they have problems and weaknesses as well."

    They will hit us twice as hard...

    Dillon is not your real name.

    One of the glaring inequalities that you may be overlooking, or intentionally not discussing, is the disparity between rewards. Chinese espionage can yield more fruit breaking into US networks than the other way around. There are few trade secrets or business practices in China that the US does not already know or use. However, a few strategic compromises, and China has a new stealth fighter or better space capabilities.

    What this guy should have done is gone to the CIA or NSA with this. What China is going to do is throw some of their considerable resources at plugging these holes and continuing business as usual.

    Communist countries that imprison, torture and kill their dissidents aren't going to start playing nice. It will be a real shame if we lost valuable security opportunities because of this.



    What a shame

    What this guy should have done is gone to the CIA or NSA with this. What China is going to do is throw some of their considerable resources at plugging these holes and continuing business as usual (hacking the us government and companies).

    Communist countries bent on dominance that imprison, torture and kill their dissidents aren't going to start playing nice just because we do. 

    It will be a real shame if we lost valuable security opportunities because of this.


    Great job, keep up the good work. Research has a very good strategic advantage when it comes to cyber warfare.

    Regular little PollyAnna, IF what he's saying is true, and he isn't lying about or omitting backdoors...

    Perhaps bloggers would gain more credibility if they could a) spell correctly, especially in the opening paragraph; and, b) leave out irrelevant information like "...divorced father of one." Oh, and 'expert sources' like Dillon Beresford tend to use a more serious and analytical tone than: "The media hype in the U.S. is all about cyberwar and how the Chinese are kicking our ass." I stopped reading there. And, oh, I live in China and they ARE kicking our ass.

    This Beresford is a total idiot for reporting all of this to China CERT. The simple fact is that China is flat out waging an economic and cyber war against US Military and US corporations on a daily basis, stealing every bit of information they can get their paws on so they can be the dominant power in the world. Reporting this to them is practically a traitorous act in my opinion, you should turn it over to the US Gov (or the corporations for that matter) and even the playing field a little. I'm sure the Chinese would think twice about attacking us if it came right back around at them in return! Giving them this info is simply going to make their Gov laugh at how stupid westerners are to help them out. Playing nice and being helpful doesn't work against people that gun down peaceful monks and send the leftovers off to "reeducation camps". Get into reality pal.

    Ballsy.  I don't think I would be f***ing with the PLA or an aggressive foreign power's state secrets if I had children, Mr. Beresford.  I'm quite shocked you allowed your name and image to be published with this, seems pretty risky to me.  I mean, that IS the same country that has its own officials publicly executed for embarrassing its government.

    Though I have to wonder if a professional 'security researcher' does this stuff in his 'spare time', isn't he technically guilty of felony information system tampering?  I mean, he can hardly claim to have been legitimately contracted to pen-test China's infrastructure by its owners, right?  What makes him any different than someone who cracks systems for personal amusement or aggrandizement, otherwise known as an 'international criminal'?  Just seems like a confession to me, what if China asks to have him extradited to face prosecution?

    Seems it ought to at least violate NSS Labs' code of conduct for their white hats to be off playing black hat in their spare time, then publicly talking about it and identifying their employer.  Does NSS Labs condone this sort of thing?



    "...and 'expert sources' like Dillon Beresford tend to use a more serious and analytical tone..."

    Erm.. no. You're thinking of perceived credibility which is not at all the same thing. Just because a guy wears a suit and uses $5 words doesn't make him any more of an expert. The young, scruffy guy with 15 piercings and a Navy-grade foul mouth sitting across from him in the coffee shop likely could pwn (own) his computer while he's rattling on making people think he's an expert with his "serious and analytical tone." What this guy accomplished speaks for itself.

    Car salesmen make the same mistake when I walk into a Porsche dealer and they don't give me the time of day because I'm wearing jeans and a t-shirt and I'm 30 years old. Their loss...

    Do you think a country that starved/murdered 65 million of its own citizens in a "cultural" revolution would care if you shut down their power grid and a few million more died in the riots and resulting starvation? One of their "defenses" is a disregard for human life. To hurt them you would have to hurt the communist party or the military.

    Seems to be an excessive quantity of FUD in the comments...

    Mr. Beresford is just a script kiddie. He downloaded a bunch of leet toolz and haxord. Isn't he cool!

  • As for insight to those:= Leaky Pipes on


    In early 2008 the German company Siemens cooperated with one of the United States’ premier national laboratories, in Idaho, to identify the vulnerabilities of computer controllers that the company sells to operate industrial machinery around the world — and that American intelligence agencies have identified as key equipment in Iran’s enrichment facilities.

    Siemens says that program was part of routine efforts to secure its products against cyberattacks. Nonetheless, it gave the Idaho National Laboratory — which is part of the Energy Department, responsible for America’s nuclear arms — the chance to identify well-hidden holes in the Siemens systems that were exploited the next year by Stuxnet.

    The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

    The attacks were not fully successful: Some parts of Iran’s operations ground to a halt, while others survived, according to the reports of international nuclear inspectors. Nor is it clear the attacks are over: Some experts who have examined the code believe it contains the seeds for yet more versions and assaults.

  • Anonymous on

    That a site is using expensive industrial equipment doesn't mean they'll have the resources to actually secure their stuff. Resources means time and money. Some "plants" work without anyone being there - you send out a repair party ("one dude with a hammer") when something breaks. Hence the need for remote access for daily operation. Well, VPNs do not set themselves up.

    Hacks like that do not show that the administrator of that net was "stupid" - it is likely they didn't have one at all. IT company sets it up, tweaks it until it works, checks on it once a year - makes a recommendation about security, endures the wailing about the cost for one hour, gives up.

    It is a problem of budget allocation and ultimately money. A seasoned admin can do a lot with free tools, but you need to have one first. And he should be able to do actual security work, not push other people's mice around or fill out endless tickets or change requests.

    A security policy doesn't help if people don't get the time to implement it. It doesn't help if nobody actually THINKS about it before it is finished.

    An IPS/IDS doesn't help if people don't get the time to care for them.

    A SIEM is so worthless when there is no one monitoring them and no one there to respond to actual incidents.

    A firewall is so worthless when people do not have more time than set "ALLOW ANY <=> ANY"

    An incident response team doesn't help when they're abused for compliance checks in order to fuel internal power games. 

    Patches by the vendor don't help if nobody has the time to test and install them.

    Network separation doesn't help if people are always in a hurry and plug in their notebooks all the time.

    Without time and resources, the hackers get you.

    With time and resources, the managers will get you because you "do not produce revenue"

