A New Injection Threat on S7-1500 PLCs - Disrupting the Physical Process Offline
IEEE Open Journal of the Industrial Electronics Society, Pub Date: 2022-02-14, DOI: 10.1109/ojies.2022.3151528
Wael Alsabbagh, Peter Langendoerfer

Programmable Logic Controllers (PLCs) are increasingly connected and integrated into the Industrial Internet of Things (IIoT) for better network connectivity and a more streamlined control process. In fact, this also brings security challenges and exposes them to various cyber-attacks targeting the physical process controlled by such devices. In this work, we investigate whether the newest S7 PLCs are vulnerable by design and can be exploited. In contrast to the typical control logic injection attacks found in the research community, which require adversaries to stay online for the duration of the attack, this article introduces a new exploit strategy that aims at disrupting the physical process controlled by the infected PLC while adversaries are connected neither to the target nor to its network at the moment the attack takes effect. Our exploit approach comprises two steps: 1) patching the PLC with a malicious Time-of-Day interrupt block once an attacker gains access to an exposed PLC, and 2) triggering the interrupt at a later time of the attacker's choosing, when the attacker is disconnected from the system's network. For a realistic attack scenario, we implemented our attack approach on a Fischertechnik training system based on an S7-1500 PLC using the latest version of the S7CommPlus protocol. Our experimental results showed that we could keep the patched interrupt block idle and hidden in the PLC memory for a long time without being detected, until it was activated at the specific date and time the attacker had defined. Finally, we suggest some potential security recommendations to protect industrial environments from such a threat.
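The threat above is a dormant block that sits in PLC memory until a configured date. As an added defender-side example (not from the paper or its authors), the following Python audit compares a PLC block inventory against the engineering baseline and flags modified blocks, unknown blocks, and time-of-day interrupt OBs armed beyond a chosen horizon. The `Block` fields, the "Time of day" event-class label and the inventories are constructed assumptions, not a real PLC dump or a vendor API.

```python
# Added example: offline audit of a PLC block inventory against the
# engineering baseline. Field names, the "Time of day" event-class label
# and both inventories are constructed assumptions, not real PLC data.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Block:
    name: str                          # e.g. "OB1", "FC1" (assumed naming)
    kind: str                          # "OB", "FB", "FC" or "DB"
    checksum: str                      # constructed digest of the block body
    event_class: str = ""              # OBs only, e.g. "Program cycle"
    start_time: Optional[datetime] = None  # configured ToD trigger, OBs only

def audit_blocks(baseline: List[Block], live: List[Block], now: datetime,
                 horizon: timedelta = timedelta(days=7)) -> List[Tuple[str, str]]:
    """Return (block name, reason) findings for:
    - any live block absent from the engineering baseline,
    - any live block whose body differs from the baseline copy,
    - any time-of-day interrupt OB armed more than `horizon` after `now`.
    """
    known = {b.name: b for b in baseline}
    findings = []
    for b in live:
        if b.name not in known:
            findings.append((b.name, "not in engineering baseline"))
        elif known[b.name].checksum != b.checksum:
            findings.append((b.name, "block body differs from baseline"))
        if b.kind == "OB" and b.event_class == "Time of day" and b.start_time:
            if b.start_time - now > horizon:
                when = b.start_time.strftime("%Y-%m-%d %H:%M")
                findings.append((b.name, f"ToD trigger armed for {when}"))
    return findings

# Constructed sample: the engineering project knows three blocks ...
BASELINE = [
    Block("OB1", "OB", "a1b2", "Program cycle"),
    Block("FC1", "FC", "c3d4"),
    Block("DB1", "DB", "e5f6"),
]
# ... while the live PLC additionally carries a dormant ToD interrupt OB.
LIVE = BASELINE + [
    Block("OB10", "OB", "9999", "Time of day", datetime(2022, 6, 1, 3, 0)),
]
NOW = datetime(2022, 2, 14)   # constructed audit time

if __name__ == "__main__":
    for name, reason in audit_blocks(BASELINE, LIVE, NOW):
        print(f"{name}: {reason}")
```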

Updated: 2022-02-14