
VAPT: Siemens S7 1200/1500 Project Password Vuln



Posted

I specialize in industrial cybersecurity, with a current research focus on the security mechanisms in Siemens TIA Portal—specifically FB/POU and project password protection. My work involves testing these features up to TIA Portal V20 and analyzing their impact on engineering workflows in OT environments.

 

During authorized testing on S7-1200 and S7-1500 PLCs with TIA Portal V19, I successfully retrieved project data. A core finding is the significant role of version compatibility in data accessibility. Additionally, this exercise reinforced that project protection settings are a critical variable that directly influences recoverability and must be carefully considered in security research and OT risk assessments.

 

My hands-on experience is primarily with S7-1200 and S7-1500 PLCs, spanning programming, troubleshooting, and authorized security testing. I'm here to share insights from my research, discuss practical implications, and learn from others in the OT security community.

Looking forward to your insight!


  • 2 weeks later...
Posted

Most of the time, TIA projects are requested to be fully accessible, especially after the warranty has elapsed, with the exception of safety software. Possible external attacks are prevented because the machine network is protected by trusted remote connectivity and IIoT solutions.

Automotive, home appliance, and pharmaceutical factories often do not want their machines to be connected to a reachable network.

  • 2 weeks later...
Posted
On 09/12/2025 at 12:51, groot wrote:

Looking forward to your insight!

Password protection is applied to Safety Blocks when the PLC has safety I/O cards or communicates via a PROFIsafe connection with other devices or machines, in order to grant safety policy rules. In my application I used password protection only on code blocks that I developed myself from my own ideas.
