Throughout my whole life I have been fascinated by industrial machines, automated production and process technology. In 2017 a customer asked whether we could "program a machine" for him, which I confirmed without hesitation. After discussing which technology to use for the main control system inside this machine, we agreed on a Siemens Simatic S7 PLC. I would have preferred an embedded system to a PLC, but the customer insisted on Siemens products for his machine, so we implemented a "Siemens". (PLC programming was completely new to me at the time, and even now I prefer embedded systems or embedded controllers over PLCs because they are not limited in their functionality.)
Anyhow, this article is not about discussing the odd programming approaches of PLCs; it is about enhancing the security of your PLC programs and projects. The main advantage of PLC programming is that it is quite easy to do. You can learn it relatively fast (it took me about 14 days from zero PLC knowledge until I started my first project), and you do not need any (advanced) knowledge of computer programming or network technology. This advantage is also the main drawback: by neglecting fundamentals you would normally learn from, for example, network security, you can introduce serious security holes into your PLC program. REMEMBER: the PLC will be used inside a machine that is most likely connected mechanically, physically, electronically (or in some other way) to other machines inside a production plant, which can lead to severe consequences when a malicious attacker exploits or takes over your PLC.
In my recent article about Python and how to build a network scanner we discussed two possibilities for finding available hosts on the local network. The next step is to find the open ports of a single host on the network.
This is called port scanning. Every service on a machine offers connections to clients by registering a port number with the local operating system; that port is then bound to the service (the server process). A host can run multiple services, and by checking all possible ports we can find out which services are running on that host.
The following code block takes an IP address and a port number as input, checks whether the specified port is open and, if it is, returns the port number.
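As an added example (my own code, not the article's), the TCP connect check described above in Python: `check_port` attempts a full connection and returns the port number on success or `None` otherwise, and `selfcheck` verifies it against a throwaway listener it creates on loopback, so the script runs offline. The function names are mine, not the article's.

```python
import socket
from contextlib import closing


def check_port(host: str, port: int, timeout: float = 1.0):
    """Attempt a full TCP connect to host:port.

    Returns the port number when a connection is established (something is
    listening there) and None when it is refused, unreachable or times out.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except (socket.timeout, OSError):
            return None
        return port


def scan_ports(host: str, ports, timeout: float = 1.0):
    """Return the subset of `ports` on `host` that accept a TCP connection."""
    return [p for p in ports if check_port(host, p, timeout) is not None]


def selfcheck():
    """Exercise the checker against a constructed listener on loopback.

    A throwaway socket bound to port 0 lets the OS pick a free port. While it
    is listening the checker must report it open; once it is closed the same
    port must be reported closed (the connection is refused).
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = check_port("127.0.0.1", port)
    after_close = check_port("127.0.0.1", port)
    return port, while_open, after_close


if __name__ == "__main__":
    port, while_open, after_close = selfcheck()
    print(f"port {port}: listening -> {while_open}, closed -> {after_close}")
```

The same check is useful on the defensive side: running `scan_ports` against your own PLC or host before commissioning shows which services are reachable and should be disabled or firewalled.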
When it comes to penetration testing, or just a simple analysis, the network scanner is one of the major tools for finding out which hosts are available on the local network. Many tools exist today, but depending on what you want to do it is a good idea to write your own analysis and penetration testing tools.
In this case we start with a simple network scanner that lists the available hosts on your network. There are two ways to get this done (there are more, but we stick to the two simplest ones):
- ICMP Echo Request
- TCP Scan