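Possibilities and problems in the analysis of malicious code targeting the Siemens S7 series (original title: Möjligheter och problem vid analys av fientlig kod riktad mot Siemens S7-serie)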


  • Arne Vidström

Publish date: 2012-12-28

Report number: FOI-R--3567--SE

Pages: 34

Written in: Swedish


  • Siemens
  • S7-300
  • S7-400
  • S7-1200
  • MC7
  • STL
  • S7 protocol
  • Stuxnet
  • malware


This report describes possibilities and obstacles related to the analysis of malware that targets the Siemens S7 series of PLCs (Programmable Logic Controllers). The focus is on undocumented functionality, since it is one of the largest obstacles in such analysis before one has obtained the relevant knowledge. Retrieving general information from blocks of malware turned out to be possible. It is also possible to identify which platform(s) such blocks are targeting based on general features of the machine code, even on completely undocumented platforms. This also makes it possible to construct automated tools for platform identification. On the other hand, it is more complicated to figure out exactly what the malware does, even though there seem to be ways forward in that area too. Overall, we have reached a comparatively high level of knowledge when it comes to the low-level functionality in Siemens S7. This kind of knowledge is generally limited to some developers of PLCs within Siemens, and to a few experts outside of Siemens.