S7comm - Siemens SIMATIC PLC protocol exploited by Stuxnet
S7comm (port 102, ISO-TSAP) - Siemens SIMATIC S7 protocol, no authentication, the Stuxnet attack, S7comm-plus, segmentation recommendations for networks with Siemens PLCs.
When security researchers analyzed the Stuxnet code in 2010 - the first publicly known cyber weapon built to sabotage industrial infrastructure - they found that the worm talked to Siemens SIMATIC S7-300 and S7-400 PLCs in their native protocol: S7comm. This proprietary protocol, designed decades earlier with functionality alone in mind, has no authentication, integrity or encryption mechanism. Stuxnet did not have to break anything: once it controlled the STEP 7 engineering station, it could download malicious code to the controllers driving the gas centrifuges at Iran's Natanz facility, and nothing on the PLC could tell its downloads from a legitimate engineer's. The perception of industrial protocol security changed for good.
How S7comm works
S7comm (S7 Communication) is a proprietary Siemens protocol for communicating with SIMATIC S7 family controllers. It is used by engineering software (TIA Portal, STEP 7), SCADA systems (WinCC), and HMI panels for programming, configuring, diagnosing, and monitoring PLCs.
The protocol runs on top of ISO-on-TCP (RFC 1006) on TCP port 102. From the top down, the stack is:
| Level | Protocol |
|---|---|
| Application | S7comm / S7comm-plus |
| ISO transport | COTP (ISO 8073 / X.224 Connection-Oriented Transport Protocol, class 0) |
| Framing | TPKT (RFC 1006, ISO transport service on top of TCP) |
| Transport | TCP (port 102) |
| Network | IP |
Wireshark shows exactly these three dissectors stacked on a port 102 stream: TPKT, COTP and "S7 Communication".
S7comm frame structure
Each S7comm PDU travels inside a COTP data (DT) TPDU, which is in turn framed by a 4-byte TPKT header carrying the total length. The S7 header is 10 bytes long, or 12 in Ack and Ack-Data messages, which append an error class and error code:
| Offset | Size | Field |
|---|---|---|
| 0 | 1 | Protocol ID - always 0x32, the signature for identifying S7comm in network traffic |
| 1 | 1 | ROSCTR (message type): 0x01 = Job, 0x02 = Ack, 0x03 = Ack-Data, 0x07 = Userdata |
| 2 | 2 | Reserved (redundancy identification), 0x0000 |
| 4 | 2 | PDU reference - lets a client match a response to its request |
| 6 | 2 | Parameter length |
| 8 | 2 | Data length |
| 10 | 2 | Error class and error code (Ack and Ack-Data only) |
The parameter block follows the header and the data block follows the parameters. The first parameter byte of a Job or Ack-Data is the function code (see the operations table below); in Userdata it is the start of an 8-byte parameter header whose function group and subfunction select the service (for example an SZL read).
S7comm message types
S7comm distinguishes four message types in the ROSCTR field:
- Job (0x01) - request from the client (e.g. TIA Portal, WinCC, an HMI) to the server (PLC): read/write variables, upload/download program blocks, start/stop the CPU, set up the session
- Ack (0x02) - acknowledgement without data
- Ack-Data (0x03) - response to a Job that carries the result (read values, block contents, error codes)
- Userdata (0x07) - diagnostic and programming services: SZL reads, block list and block info, security (password) functions, cyclic data subscriptions
S7comm operations and their risk:
| Operation | Function Code | Risk | Description |
|---|---|---|---|
| Read Variable | 0x04 (Read Var) | Low | Reading values from data blocks (DB), memory bits (M, "Merker"), inputs and outputs |
| Write Variable | 0x05 (Write Var) | High | Writing values - changing setpoints and process parameters |
| Upload Block | 0x1D, 0x1E, 0x1F (Start Upload, Upload, End Upload) | Critical | Reading program blocks out of the PLC ("upload" in Siemens terminology is PLC to engineering station) - code theft and reconnaissance before an attack |
| Download Block | 0x1A, 0x1B, 0x1C (Request Download, Download Block, Download Ended) | Critical | Writing new program blocks into the PLC ("download" is engineering station to PLC) - the path Stuxnet used |
| PLC Control | 0x28 | Critical | Controller services addressed by name: P_PROGRAM (warm restart, switch to RUN), _INSE (activate a downloaded block), _DELE (delete a block), _GARB (memory compression) |
| PLC Stop | 0x29 | Critical | Switches the CPU to STOP (service string again P_PROGRAM) |
| SZL Read | Userdata (function group 4, subfunction 1) | Medium | Reading the system status list - reveals CPU model, order number, firmware version and module state |
| Setup Communication | 0xF0 | Low | First job of every session - negotiates the PDU size and number of parallel jobs |
Throughout this article, as in Siemens documentation and MITRE ATT&CK for ICS, "download" means writing code to the PLC and "upload" means reading it out.
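The frame layout and the function-code table above, applied in code: an added example written for this article (not Siemens, Snap7 or Wireshark code) that strips TPKT and COTP, checks the 0x32 signature, reads ROSCTR and the parameter and data lengths, maps the function code to the risk rating from the table, and for Read Var / Write Var also decodes which memory area, data block and byte range are being touched. The three frames it parses are constructed by hand from the header layout, not captured from a controller.

```python
"""Decoder for S7comm frames (TPKT + COTP DT + S7 header + parameter block).
Added example for this article, not Siemens, Snap7 or Wireshark code. The three
sample frames at the bottom are constructed by hand from the public header layout;
they are not captures from a real controller."""
import struct
from dataclasses import dataclass, field

ROSCTR = {0x01: "Job", 0x02: "Ack", 0x03: "Ack-Data", 0x07: "Userdata"}

# Job/Ack-Data function codes (first parameter byte) with the risk rating from the table above.
FUNCTIONS = {
    0x04: ("Read Var", "Low"),
    0x05: ("Write Var", "High"),
    0x1A: ("Request Download", "Critical"),
    0x1B: ("Download Block", "Critical"),
    0x1C: ("Download Ended", "Critical"),
    0x1D: ("Start Upload", "Critical"),
    0x1E: ("Upload", "Critical"),
    0x1F: ("End Upload", "Critical"),
    0x28: ("PLC Control", "Critical"),
    0x29: ("PLC Stop", "Critical"),
    0xF0: ("Setup Communication", "Low"),
}
# Memory area codes used in S7ANY address items
AREAS = {0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "DB", 0x1C: "C", 0x1D: "T"}


@dataclass
class S7PDU:
    rosctr: str
    pdu_ref: int
    function: str
    risk: str
    items: list = field(default_factory=list)  # (area, db, byte offset, count) for Read/Write Var


def _any_items(param: bytes) -> list:
    """Decode the S7ANY address items (12 0a 10 ...) that follow Read Var / Write Var."""
    items, pos = [], 2
    for _ in range(param[1]):  # param[1] = item count
        spec, length, syntax, _tsize, count, db, area = struct.unpack(">BBBBHHB", param[pos:pos + 9])
        if spec != 0x12 or syntax != 0x10:
            raise ValueError("unsupported address item syntax")
        addr = int.from_bytes(param[pos + 9:pos + 12], "big")  # 3-byte bit address
        items.append((AREAS.get(area, f"0x{area:02x}"), db, addr >> 3, count))
        pos += 2 + length
    return items


def parse_s7(frame: bytes) -> S7PDU:
    """Parse one TPKT frame and return the decoded S7comm PDU."""
    # TPKT: version 3, reserved byte, 16-bit length of the whole frame
    if len(frame) < 7 or frame[0] != 0x03 or struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("not a complete TPKT frame")
    li, tpdu = frame[4], frame[5]
    if tpdu != 0xF0:  # only DT TPDUs carry S7comm; CR/CC (0xE0/0xD0) just open the COTP session
        raise ValueError(f"COTP TPDU 0x{tpdu:02x} is not DT")
    s7 = frame[5 + li:]
    # S7 header: 0x32, ROSCTR, 2 reserved bytes, PDU reference, parameter length, data length
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("protocol id != 0x32: not S7comm")
    code, pdu_ref, plen, _dlen = struct.unpack(">xBxxHHH", s7[:10])
    hdr = 12 if code in (0x02, 0x03) else 10  # Ack and Ack-Data append error class + error code
    param = s7[hdr:hdr + plen]
    rosctr = ROSCTR.get(code, f"unknown 0x{code:02x}")
    if not param:
        return S7PDU(rosctr, pdu_ref, "(no parameter block)", "Low")
    if code == 0x07:
        # Userdata parameter: 00 01 12 <len> <method> <type|function group> <subfunction> <seq>
        group, sub = param[5] & 0x0F, param[6]
        if group == 4 and sub == 1:
            return S7PDU(rosctr, pdu_ref, "SZL Read", "Medium")
        return S7PDU(rosctr, pdu_ref, f"Userdata group {group} subfunction {sub}", "Medium")
    name, risk = FUNCTIONS.get(param[0], (f"function 0x{param[0]:02x}", "Unknown"))
    pdu = S7PDU(rosctr, pdu_ref, name, risk)
    if code == 0x01 and param[0] in (0x04, 0x05):  # only Jobs carry address items
        pdu.items = _any_items(param)
    return pdu


# Constructed samples (not captured): a Read Var Job for 100 bytes of DB1 from byte 0,
# a PLC Stop Job (service string "P_PROGRAM"), and a Userdata request reading SZL-ID 0x0011
# (module identification: order number and firmware version).
READ_VAR_JOB = bytes.fromhex("0300001f02f080320100000001000e00000401120a10020064000184000000")
PLC_STOP_JOB = bytes.fromhex("0300002102f0803201000000020010000029000000000009505f50524f4752414d")
SZL_READ_USERDATA = bytes.fromhex("0300002102f080320700000003000800080001120411440100ff09000400110001")

if __name__ == "__main__":
    for frame in (READ_VAR_JOB, PLC_STOP_JOB, SZL_READ_USERDATA):
        pdu = parse_s7(frame)
        print(f"{pdu.rosctr:<9} ref={pdu.pdu_ref} {pdu.function:<20} risk={pdu.risk} {pdu.items}")
```

Running the block prints one line per frame. This decode is what a passive sensor needs before it can apply any alerting policy, and the address-item decoding is what lets it distinguish a harmless HMI read of DB1 from a write into a safety-relevant data block.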
Technical parameters
| Parameter | Value |
|---|---|
| Port | 102/TCP (ISO-TSAP) |
| Transport | ISO-on-TCP (RFC 1006) + COTP (ISO 8073) |
| Authentication | None in S7comm; an optional CPU protection-level password (S7-300/400) sent obfuscated, not encrypted; in S7comm-plus (S7-1200/1500) Access Levels with passwords and a challenge-response session setup |
| Encryption | None in S7comm; TLS-protected PG/HMI communication on S7-1500 from firmware V2.9 and S7-1200 from V4.5, with TIA Portal V17 or later |
| Integrity | None in S7comm; HMAC-based integrity field in S7comm-plus |
| Standard | Proprietary (Siemens) |
| Applicable devices | S7-300 and S7-400 (S7comm); S7-1200, S7-1500 and ET 200SP CPUs (S7comm-plus, but still answering legacy S7comm reads and writes when "Permit access with PUT/GET communication from remote partner" is enabled) |
Evolution - from S7comm to S7comm-plus
S7comm (original)
The original S7comm protocol, used in S7-300 and S7-400 controllers, has no security mechanisms whatsoever. Any host that can open a TCP connection to port 102 can:
- Read any process variable
- Write values to data blocks, memory bits and outputs
- Download a new program into the PLC (and upload the existing one first)
- Switch the CPU between RUN and STOP
The only "protection" is the optional CPU protection-level password set in the hardware configuration. It is sent in an S7comm Userdata message with a trivial, reversible byte obfuscation rather than encryption, so anyone who captures a single login can recover the password and replay it.
S7comm-plus (V3)
Siemens introduced S7comm-plus (also referred to as S7 Communication V3) with the S7-1200 (from firmware V4.0) and the S7-1500. The new protocol adds:
- Integrity mechanism - PDUs carry an HMAC-based integrity field, so a packet modified in transit is rejected
- Program protection - program blocks can be encrypted and bound to a device (Know-How Protection, Copy Protection)
- Access Levels - four levels (Full Access, Read Access, HMI Access, No Access) with passwords
- TLS - from firmware V2.9 (S7-1500) and V4.5 (S7-1200), with TIA Portal V17, PG/HMI communication can be carried over TLS with X.509 certificates
But even S7comm-plus has limits: the integrity mechanism was broken in the Rogue7 work (Biham, Bitan, Carmel, Dankner, Malin and Wool, Technion and Tel Aviv University, Black Hat USA 2019). The researchers recovered the key material from TIA Portal, built a rogue engineering station that passes the integrity checks, and downloaded code to S7-1500 PLCs while the real TIA Portal still showed the original program. Siemens hardened later firmware and TIA Portal versions, but controllers that stay on old firmware remain exposed.
Security assessment
Stuxnet - S7comm as an attack vector
Stuxnet (2009-2010) is the most widely known attack exploiting S7comm. The worm:
- Infected Windows engineering stations running STEP 7 (spreading via USB media and the local network)
- Hijacked the s7otbxdx.dll library, which STEP 7 uses for all S7comm communication with PLCs, replacing it with a wrapper that intercepted read, write and download calls
- Used the hijacked functions to download malicious blocks (OB1, OB35 and FC blocks) to CPU 315 and CPU 417 controllers
- Manipulated, from those blocks, the operating frequency of Vacon and Fararo Paya frequency converters driving gas centrifuges
- Hid itself at the same time: intercepted block reads so that STEP 7 showed the original program, and fed the SCADA system normal-looking values
Stuxnet proved that the lack of authentication in S7comm is not an abstract threat but a real path to the destruction of physical equipment: whatever runs on a trusted engineering station, or on any host that can reach port 102, is trusted by the PLC.
Other vulnerabilities and incidents
- CVE-2019-13945 - an undocumented "special access" mode in the bootloader of S7-1200 CPUs (all firmware versions) and S7-200 SMART CPUs, reachable over a UART interface during the first moments of boot. It requires physical access, but gives read and write access to device memory independent of the CPU password and program protection (Ruhr-Universität Bochum researchers, Black Hat Europe 2019; Siemens advisory SSA-686531)
- CVE-2022-38465 - a critical vulnerability (CVSS 9.3) in S7-1200 and S7-1500: a global private key, shared across the product line and used to protect configuration data and PG/HMI communication, could be extracted from a single CPU. Claroty Team82 showed that with the key an attacker can decrypt captured traffic, impersonate TIA Portal from a man-in-the-middle position and download arbitrary code to any affected PLC; remediation needs both new firmware and TIA Portal V17 or later, because the key scheme itself had to be replaced
- PLC-Blaster - researchers Ralf Spenneberg, Maik Brueggemann and Hendrik Schwartke presented at Black Hat USA 2016 a worm that lives entirely inside S7-1200 controllers: PLC code that scans the network for other S7-1200s and downloads itself onto them over the S7 protocol (S7comm-plus on the S7-1200), with no engineering station involved
- Public tools - Snap7 (open-source library), ISF (Industrial Control System Exploitation Framework) and Metasploit modules make full S7comm interaction a matter of a few lines: variable read/write, block upload/download, CPU RUN/STOP switching
MITRE ATT&CK for ICS
| Technique | ID | S7comm context |
|---|---|---|
| Program Download | T0843 | Downloading a malicious program to the PLC (Stuxnet) |
| Change Operating Mode | T0858 | Switching CPU from RUN to STOP |
| Manipulation of Control | T0831 | Writing values to data blocks (DB) |
| Spoof Reporting Message | T0856 | Falsifying data returned to SCADA |
| System Firmware | T0857 | Modifying controller firmware |
Stuxnet is cataloged as S0603 in MITRE ATT&CK for ICS, directly linked to techniques T0843, T0856, and T0831.
Segmentation and protection recommendations
TIP
Siemens S7-300 and S7-400 controllers with the original S7comm cannot be secured at the protocol level. The only effective protection is network isolation and strict access control to port 102. Organizations with critical processes running on S7-300/400 should treat migration to S7-1500 as a security priority. Detailed OT network segmentation guidelines - including the IEC 62443 zones and conduits model - are described in the article OT network segmentation - zones and conduits.
Key recommendations
- Isolate port 102 - access to TCP port 102 on PLCs should be restricted to the authorized engineering stations and SCADA servers only. On the OT firewall, define an allowlist of source/destination address pairs and block and log everything else to port 102. Test the rule from a host outside the allowlist, not just by reading the rule base.
- Update firmware - S7-1200 and S7-1500 controllers should run the latest firmware available for the hardware, together with a matching TIA Portal version. Firmware updates are the only way to receive fixes for S7comm-plus weaknesses such as those behind Rogue7 and CVE-2022-38465; the original S7comm on S7-300/400 has nothing to patch.
- Enable Access Level Protection - on S7-1200/1500 controllers, configure access levels with strong passwords. Set "HMI Access" as the default, grant "Full Access" only to engineering stations and only during maintenance, and leave "Permit access with PUT/GET communication from remote partner" disabled unless an HMI or partner PLC genuinely needs it, because that setting reopens legacy S7comm reads and writes.
- Enable TLS - on S7-1500 from firmware V2.9 and S7-1200 from V4.5, with TIA Portal V17 or later, enable secure PG/HMI communication so that engineering traffic is carried over TLS. This requires X.509 certificates, issued in the TIA Portal certificate manager or from an existing PKI.
- S7comm monitoring - deploy passive OT network monitoring with an S7comm decoder (Nozomi Networks, Claroty, Dragos, or the open-source Zeek ICSNPP S7comm analyzer). Alert on: program downloads to a PLC, CPU mode changes (RUN/STOP), SZL reads from unknown sources, and any S7comm communication from a device that is not a registered engineering station or SCADA server.
- Engineering station protection - the station with TIA Portal / STEP 7 is the attacker's most valuable target and was Stuxnet's entry point. Hardening: a dedicated computer not connected to the corporate network or the internet, control of removable media (Stuxnet arrived on USB sticks), encrypted disk, MFA, application allowlisting, and regular backups of PLC projects so that a tampered program can be detected by comparison.
- Physical protection of the mode switch - S7-300, S7-400 and S7-1500 CPUs have a physical mode switch (RUN/STOP/MRES); the S7-1200 has none and is switched only via software. Ensure controller cabinets are locked and physical access is restricted.
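The monitoring recommendation above, turned into rules: an added example for this article (not the code of any vendor product) that consumes events a passive sensor or a tshark export has already decoded into S7 function names and applies three checks - S7comm from a host that is neither engineering station nor SCADA, programming or mode changes from a SCADA-only host, and programming by an engineering station outside the maintenance window. The hosts, addresses, time window and events are constructed for illustration.

```python
"""Alert rules for decoded S7comm events, an added example for the monitoring
recommendation in this article (not the code of any vendor product). Input is a
list of events already decoded into S7 function names; the hosts, addresses and
events below are constructed for illustration, not taken from a real network."""
from dataclasses import dataclass
from datetime import datetime, time

DOWNLOAD = {"Request Download", "Download Block", "Download Ended"}
UPLOAD = {"Start Upload", "Upload", "End Upload"}
MODE_CHANGE = {"PLC Control", "PLC Stop"}
PROGRAMMING = DOWNLOAD | UPLOAD | MODE_CHANGE


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str       # client that sent the S7comm Job
    dst: str       # PLC
    function: str  # decoded function name (see the operations table in this article)


@dataclass(frozen=True)
class Policy:
    engineering: frozenset  # TIA Portal / STEP 7 stations allowed to program PLCs
    scada: frozenset        # WinCC servers and HMIs allowed to read and write process data
    maintenance: tuple      # (start, end) wall-clock window in which downloads are expected


def evaluate(events, policy):
    """Return (severity, event, reason) for every event that violates the policy."""
    alerts = []
    for ev in events:
        if ev.src not in policy.engineering and ev.src not in policy.scada:
            # Rule 1: S7comm from a host that is neither engineering station nor SCADA.
            # Even a Read Var or SZL Read is reconnaissance; writes and programming are critical.
            sev = "critical" if ev.function in PROGRAMMING or ev.function == "Write Var" else "high"
            alerts.append((sev, ev, f"S7comm {ev.function} from unlisted host {ev.src}"))
        elif ev.function in PROGRAMMING:
            if ev.src not in policy.engineering:
                # Rule 2: a SCADA/HMI host never downloads code or changes the CPU mode.
                alerts.append(("critical", ev, f"SCADA host {ev.src} issued {ev.function}"))
            elif not (policy.maintenance[0] <= ev.ts.time() <= policy.maintenance[1]):
                # Rule 3: programming by an engineering station outside the maintenance window.
                alerts.append(("high", ev, f"{ev.function} from {ev.src} outside maintenance window"))
        # Everything else (reads, HMI writes, programming inside the window) is logged only.
    return alerts


# Constructed policy: one engineering station, two SCADA hosts, downloads expected 08:00-12:00
POLICY = Policy(
    engineering=frozenset({"10.10.1.10"}),
    scada=frozenset({"10.10.1.50", "10.10.1.51"}),
    maintenance=(time(8, 0), time(12, 0)),
)


def _t(hh, mm):
    return datetime(2024, 3, 5, hh, mm)


# Constructed sample day against one PLC (10.10.2.20)
SAMPLE_EVENTS = [
    Event(_t(10, 15), "10.10.1.10", "10.10.2.20", "Download Block"),    # engineer, in window: ok
    Event(_t(10, 20), "10.10.1.50", "10.10.2.20", "Read Var"),          # SCADA polling: ok
    Event(_t(10, 21), "10.10.1.50", "10.10.2.20", "Write Var"),         # HMI setpoint: ok
    Event(_t(10, 22), "10.10.1.50", "10.10.2.20", "Request Download"),  # SCADA host programming: critical
    Event(_t(10, 23), "10.10.3.77", "10.10.2.20", "SZL Read"),          # unknown host fingerprinting: high
    Event(_t(10, 24), "10.10.3.77", "10.10.2.20", "PLC Stop"),          # unknown host stops the CPU: critical
    Event(_t(14, 30), "10.10.1.10", "10.10.2.20", "PLC Stop"),          # engineer, outside window: high
]

if __name__ == "__main__":
    for sev, ev, reason in evaluate(SAMPLE_EVENTS, POLICY):
        print(f"{ev.ts:%H:%M} {sev.upper():<8} {ev.src} -> {ev.dst}: {reason}")
```

The point of the third rule is that a download from the right host at the wrong time is still worth a ticket: Stuxnet's downloads came from the legitimate engineering station.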
Summary
S7comm is a protocol that entered OT cybersecurity history through Stuxnet. The original S7comm (S7-300/400) offers no protection mechanisms - any host on the network can read data, change the program, and stop the controller. S7comm-plus (S7-1200/1500) introduces significant improvements: HMAC, Access Levels, optional TLS - but even these mechanisms have been repeatedly bypassed by security researchers. In environments with Siemens controllers, network segmentation, S7comm communication monitoring, and engineering station protection are the absolute security minimum.
Open source tools
| Tool | Language | Description | Link |
|---|---|---|---|
| Snap7 | C | Native S7 communication library, supports S7-300/400/1200/1500 | SourceForge |
| python-snap7 | Python | Python wrapper for Snap7 - scripting reads/writes to PLCs | GitHub |
| s7scan | Python | Security audit of S7 controllers - version and configuration identification | GitHub |
| plcscan | Python | PLC discovery in the network | GitHub |
| Wireshark | C | Built-in S7comm dissector - traffic analysis on port 102 | Wireshark |
TIP
python-snap7 allows scripting interactions with Siemens PLCs: after `client.connect(ip, rack, slot)`, `client.read_area(Areas.DB, 1, 0, 100)` reads 100 bytes from DB1 (`Areas` is imported from `snap7.types` in python-snap7 1.x). Run from a host that the OT firewall should deny, the same call verifies that network segmentation actually blocks unauthorized access.
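The same segmentation check without python-snap7 or a native library, as an added example for this article (not Snap7 or Siemens code): it builds the two frames every S7 session starts with - the COTP connection request carrying the PG TSAP for a rack/slot, and the S7 Setup Communication job - and reports how far a host gets. Only probe() touches the network; its target address is a placeholder to replace, and it is meant to be run from a host that the OT firewall should block.

```python
"""Raw-socket S7 reachability probe, added example for this article (not Snap7 or
Siemens code). The frame builders are pure functions; only probe() touches the
network, and its target address is a placeholder the operator replaces."""
import socket
import struct


def tpkt(payload: bytes) -> bytes:
    """RFC 1006 framing: version 3, reserved byte, 16-bit length of the whole frame."""
    return struct.pack(">BBH", 3, 0, 4 + len(payload)) + payload


def cotp_connect_request(rack: int, slot: int, src_tsap: int = 0x0100) -> bytes:
    """COTP CR TPDU (0xE0) with the TSAPs an S7 client presents.
    Called TSAP: high byte = connection type (0x01 PG, 0x02 OP, 0x03 basic),
    low byte = rack*32 + slot (slot 2 for S7-300 CPUs, 0 or 1 for S7-1200/1500)."""
    dst_tsap = (0x01 << 8) | ((rack << 5) | slot)
    body = struct.pack(">BHHB", 0xE0, 0, 1, 0)       # CR, dst ref 0, src ref 1, class 0
    body += struct.pack(">BBB", 0xC0, 1, 0x0A)       # parameter: TPDU size 2^10 = 1024
    body += struct.pack(">BBH", 0xC1, 2, src_tsap)   # parameter: calling TSAP
    body += struct.pack(">BBH", 0xC2, 2, dst_tsap)   # parameter: called TSAP
    return tpkt(bytes([len(body)]) + body)           # length indicator + body


def s7_setup_communication(pdu_ref: int = 1, max_pdu: int = 480) -> bytes:
    """S7 Job 0xF0 (Setup Communication): the first S7comm PDU of every session.
    Negotiates one parallel job in each direction and the PDU size."""
    param = struct.pack(">BBHHH", 0xF0, 0x00, 1, 1, max_pdu)
    header = struct.pack(">BBHHHH", 0x32, 0x01, 0x0000, pdu_ref, len(param), 0)
    return tpkt(bytes([0x02, 0xF0, 0x80]) + header + param)  # COTP DT header + S7 PDU


def probe(host: str, port: int = 102, rack: int = 0, slot: int = 2, timeout: float = 3.0) -> str:
    """How far an S7 session gets: blocked, tcp-open-no-cotp, cotp-only or s7-session-accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(cotp_connect_request(rack, slot))
            cc = s.recv(1024)
            if len(cc) < 6 or cc[5] != 0xD0:  # expect a COTP CC (connection confirm)
                return "tcp-open-no-cotp"
            s.sendall(s7_setup_communication())
            ack = s.recv(1024)
            if len(ack) > 8 and ack[7] == 0x32 and ack[8] == 0x03:  # S7 Ack-Data
                return "s7-session-accepted"
            return "cotp-only"
    except OSError:  # refused, timed out, unreachable: the firewall did its job
        return "blocked"


if __name__ == "__main__":
    # Placeholder target: run from a host that should NOT be allowed to reach the PLC.
    print(probe("192.0.2.10", rack=0, slot=2))
```

Anything other than `blocked` from a host outside the allowlist means the port 102 rule is not doing what the rule base says; `s7-session-accepted` means that host could go on to read, write, download or stop the controller.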
Sources:
- Stuxnet - S0603 - MITRE ATT&CK for ICS
- A Deep Dive into Siemens S7 Communication - Cheng Lei, Li Donghong, Ma Liang, 2017
- Rogue7: Rogue Engineering-Station Attacks on S7 Simatic PLCs - Biham, Bitan, Carmel, Dankner, Malin, Wool (Technion and Tel Aviv University), Black Hat USA 2019
- CVE-2022-38465 - Siemens SIMATIC S7 Key Extraction - Claroty Team82, 2022
- PLC-Blaster: A Worm Living Solely in the PLC - Spenneberg, Brueggemann, Schwartke, Black Hat USA 2016
- IEC 62443 - Industrial communication networks - IT security - IEC
- Siemens Industrial Security - Siemens AG
- NIST SP 800-82 Rev. 3 - Guide to OT Security - NIST, 2023