Technion research team takes control of Siemens’ secure controllers

Nadav Adir and Alon Dankner, graduates of the Henry and Marilyn Taub Faculty of Computer Science, presented a notable cybersecurity result at the Black Hat USA conference in Las Vegas: the takeover of Siemens' new controllers, which are among the most secure in the world, by breaking the controllers' secure communication protocol. Adir and Dankner's research was conducted at the Technion together with graduates Ron Freudenthal and Or Keret, under the guidance of Prof. Eli Biham, head of the Hiroshi Fujiwara Cyber Security Research Center at the Technion, and Dr. Sara Bitan, a senior researcher at the center. Siemens had updated the controllers' communication protocol following research the group presented at the 2019 conference.

L to R: Nadav Adir and Alon Dankner

The practical significance of this result lies in the fact that these controllers are used in a wide range of systems, including critical ones such as aircraft, vehicles, production lines, power stations, gas and oil pipelines, smart homes, traffic lights, and even nuclear facilities. This is why Adir and Dankner were invited to Black Hat, a prestigious international event at which the latest cybersecurity research is presented. The Technion researchers hope that the takeover, which was of course demonstrated on isolated controllers not integrated into any operational system, will help Siemens improve its security mechanisms.

Prof. Eli Biham

The Technion research group, led by Prof. Biham and Dr. Bitan, has previously presented at Black Hat three times, in 2019, 2022, and early 2024. In August 2022, the group presented the cracking and takeover of a Siemens smart controller at Black Hat USA, and the findings were shared with Siemens to improve the product's security. According to Prof. Biham, "Our series of appearances at Black Hat conferences repeatedly advances the security of these systems, and it is part of long-term research aimed at improving the security of control systems. Indeed, Siemens has made changes to its security mechanisms following our research."

The Technion researchers' attack targeted the software of the CPU 1515SP controller and, for the first time, took control of the software shared by all controllers in the series. According to Dr. Bitan, "The successful attack in 2022 exposed potential weaknesses in this controller and other controllers in the series and reinforced the need to enhance security measures on such controllers."

Siemens controllers are found at many critical points, including nuclear facilities. The issue made headlines about 15 years ago when the Stuxnet computer worm compromised Siemens controllers and caused significant damage to uranium-enrichment centrifuges at Natanz, Iran. Stuxnet is considered one of the most destructive pieces of malware because it not only sabotaged the process the controllers were running but also concealed that sabotage from the operators watching them.

Dr. Sara Bitan

According to Dr. Sara Bitan, “The damage is done both on the way to the controller, thereby impairing its function, and on the way out, creating a false appearance to the monitoring systems as if everything is fine. As mentioned, Siemens made changes to the controllers’ security protocol, but we were able to identify a loophole that allows an attacker to disrupt secure communication with the controller, enabling us to both influence its operation and conceal the damage externally.”

Public-key cryptography, on which secure communication protocols such as this one rest, uses a pair of mathematically related keys: a public key that any peer may hold, and a private key that must remain secret, because whoever holds it can read what is encrypted to its owner and can speak as its owner to every peer that trusts the public key. The private key is supposed to be kept in a "safe," in Siemens' case a secure area within the controller. The Technion researchers managed to penetrate this secure area and extract the private key; with it in hand, an attacker can decrypt and alter the traffic arriving at the controller and forge the traffic leaving it, which is what gave them control over both inbound and outbound communications.
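To make concrete what extracting the controller's private key buys an attacker, the following is an added example written for this page; it is not code from the Technion researchers or from Siemens, and it does not reproduce the Siemens protocol, whose details the article does not give. It assumes a generic secure-channel design: the engineering station wraps a fresh session key under the controller's public key, and both sides then authenticate every message with an HMAC under that session key. The toy RSA key pair, the message formats and the command and status strings are all constructed for the demonstration.

```python
"""Why an extracted controller private key compromises traffic in both
directions. Added illustration, not code from the Technion team or from
Siemens, and not the Siemens protocol.

Assumed (constructed) model: the engineering station wraps a fresh session
key under the controller's RSA public key; both sides then authenticate
every message with an HMAC under that session key. Textbook RSA over two
Mersenne primes keeps the arithmetic readable; it is far too small and has
no padding, so it is for illustration only.
"""
import hashlib
import hmac
import os


def mod_inverse(a: int, m: int) -> int:
    """Extended Euclid; assumes gcd(a, m) == 1."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    return s0 % m


# Constructed toy key pair (Mersenne primes 2^31-1 and 2^61-1; NOT secure).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = mod_inverse(E, (P - 1) * (Q - 1))      # private exponent
CONTROLLER_PUBLIC = (N, E)                  # known to every peer
CONTROLLER_PRIVATE = (N, D)                 # meant to stay in the controller's "safe"

SESSION_KEY_LEN = 8                         # 64-bit demo key; encodes below N


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def station_open_session(pub):
    """Engineering station: choose a session key and wrap it for the controller."""
    session_key = os.urandom(SESSION_KEY_LEN)
    wrapped = rsa_encrypt(pub, int.from_bytes(session_key, "big"))
    return session_key, wrapped


def unwrap_session(priv, wrapped: int) -> bytes:
    """Whoever holds the private key recovers the session key (controller or attacker)."""
    return rsa_decrypt(priv, wrapped).to_bytes(SESSION_KEY_LEN, "big")


def tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def accept(key: bytes, msg: bytes, t: bytes) -> bool:
    """Receiver: only act on messages whose tag verifies under the session key."""
    return hmac.compare_digest(tag(key, msg), t)


def run_demo(extracted_private=None):
    """Simulate one session with an attacker on the wire.

    Returns (inbound_forgery_accepted, outbound_forgery_accepted). The
    attacker sees the wrapped key on the wire; with `extracted_private`
    they unwrap it exactly as the controller does, without it they can
    only guess.
    """
    station_key, wrapped = station_open_session(CONTROLLER_PUBLIC)
    controller_key = unwrap_session(CONTROLLER_PRIVATE, wrapped)

    if extracted_private is None:
        attacker_key = bytes(SESSION_KEY_LEN)       # no key: a blind guess
    else:
        attacker_key = unwrap_session(extracted_private, wrapped)

    # Inbound: the attacker injects a command towards the controller.
    cmd = b"SET OUTPUT Q0.0 = 1"                    # constructed demo command
    inbound_ok = accept(controller_key, cmd, tag(attacker_key, cmd))

    # Outbound: the attacker forges a reassuring status towards the station.
    status = b"STATUS: all outputs nominal"         # constructed demo status
    outbound_ok = accept(station_key, status, tag(attacker_key, status))
    return inbound_ok, outbound_ok


if __name__ == "__main__":
    print("attacker without key :", run_demo())                    # (False, False)
    print("attacker with key    :", run_demo(CONTROLLER_PRIVATE))  # (True, True)
```

The two runs differ only in whether the attacker holds the private key. Without it, neither the injected command nor the forged status passes the HMAC check; with it, the attacker unwraps the same session key the controller does, and both forgeries are accepted, which is the "inbound and outbound" control the paragraph describes. The same consequence follows in designs that use the private key for signatures or for an authenticated key exchange instead of key wrapping: the private key is what every peer's trust is anchored to, so if it sits in an area the attacker can reach, nothing in the protocol above it is left to rely on.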

In recent years, Siemens has tightened the security of these controllers through version updates, and last August it published an article stating that "successful digitization always requires extensive cybersecurity. Although such security is always an integral part of modern controllers, it is important to remember that Siemens offers a wide range of products and services designed to enhance cybersecurity." Despite the company's assurances and efforts, the Technion group managed, as described above, to take control of the software in these updated controllers.