Hi,

I'm doing a vulnerability assessment for a third party. We are not related nor have any experience with Siemens what-so-ever. Yet, I need to assess the S7-300 on the details shown below. I have spent hours going through manuals, but I believe I may be trying the wrong approach.

The idea is that for the core or main module of the S7-300 (latest version of HW/FW) determine whether the S7-300 will (all questions related to Ethernet connections only):

1. Be capable of having Telnet connections.

2. Be capable of having SSH connections.

3. Be capable of having Web-based (HTTPS) connections in some way.

4. Or in any way that is not through the Simatic programming software, can a person access it to do any changes on it? (other than the ways mentioned above)

5. If there's a way to access it, how and how may one set a password?

6. Is there several users accounts/levels that one may use to access the PLC over the network?

7. Does it have Syslog capabilities to a server?

8. Can it be synced to an NTP server?

9. How to do a backup of a running configuration of the S7-300 into a computer or storage device.

Thanks a lot. Like I stated above, we're only interested on Ethernet capabilities. Any profinet or industrial protocol that is not Ethernet is not within scope.

As well, if anyone knows of a manual where I may find all of this info summarized would be extremely helpful. For I have not been able to find one.

AL

Hi Daniel,

I really appreciate your response.

You actually nailed the one for the password protection. I'm looking for instructions or steps exactly like that for all of it. Basically, say the main regular CPU can be accessed through a telnet connection. And, that telnet connectivity can be disabled from the PLC configuration. Then, I need to provide the instructions on how to disable it as it would be a vulnerability.

I did find how to syslog, using a library on a topic/forum.

Thanks, I really appreciate your assistance.

AL

Hello AL;

Somehow I believe the following documents can be of help. It seems password protection is not effective agaist Telnet or other intrusions, and cybersecurity measures are the only protection suggested by Siemens.  I have found no document from Siemens showing the possibility of disabling Telnet and other accesses on their CPUs.

Network security - Siemens

Exploiting Siemens Simatic S7 PLCs - Black Hat

If we were to compare ISO-TSAP to the TELNET protocol or HTTP, we will find some commonalities. Everything is transmitted in plain text, for example. If an attacker were to record the traffic, they could easily extract data such as user names, passwords, commands, negotiated sessions, logic, etc. Any of these variables could lead to a full system compromise of the PLC. Attackers could also perform a man in the middle (MITM) attack against the engineering workstation while it is transmitting information to the PLC. Interestingly enough the Simatic PLCs under test, use each of these protocols, and services. The S7- 300 has a telnet server and web server running on it, and the S7-1200 supports both HTTP and HTTPS (the proprietary Siemens PLC web server is known as “SimaticHTTP.”) These have yielded some interesting results during my fuzzing session against the S7-300 and S7-1200.

Hope this helps,

Daniel Chartier

Hi Daniel,

Thanks again a lot.

I finally found what I needed, or most of it from this manual:

https://support.industry.siemens.com/cs/ww/en/view/109745536

I truly appreciate the assistance.

Thanks,

AL