No Need to be Online to Attack - Exploiting S7-1500 PLCs by Time-Of-Day Block

In this paper, we take the attack approach introduced in our previous work [8] one more step in the direction of exploiting PLCs offline, and extend our experiments to cover the latest and most secured Siemens PLCs line i.e. S7-1500 CPUs. The attack scenario conducted in this work aims at confusing the behavior of the target system when malicious attackers are not connected neither to the victim system nor to its control network at the very moment of the attack. The new approach presented in this paper is comprised of two stages. First, an attacker patches the PLC with a specific interrupt block, Time-of-Day, once he manages successfully to access/compromise an exposed PLC. Then he triggers the block at a later time the attacker wishes when he is completely offline i.e., disconnected to the control network. For a real-world implementation, we tested our approach on a Fischertechnik system using an S7-1500 CPU that supports the newest version of the S7CommPlus protocol i.e. S7CommPlus v3. Our experimental results showed that we could infect the target PLC successfully and conceal our malicious interrupt block in the PLC memory until the very moment we already determined. This makes our attack stealthy as the engineering station can not detect that the PLC got infected. Finally, we presented security and mitigation methods to prevent such a threat.