How to set up an OT analysis lab: S7comm protocol.

biero llagas
5 min read · Jan 8, 2023


A lazy tutorial on how to build a test environment for Siemens-oriented OT equipment, especially the Siemens S7-1500.

Foreword

First of all, this tutorial is intended for people who already have a little background in networking.
It will not focus on the technical aspects of the protocol and the environment; see it as a way to set up your technical environment, not to understand it completely.

There are several links to other resources, so it’s best to consult them all. Think of this article as an archive that collects the elements you need to do your lab.

At the end of this article, you should have an environment that allows the analysis of the OPC UA and S7comm protocols, gives a graphical representation of your PLC, and lets you control your PLC via UaExpert over the OPC UA protocol.

SOFTWARE INSTALL.

Install and set up the following software (the zip password is plc4me or plc4me.com):

  • TIA Portal v18: PLC simulation and programming environment for Siemens products.
  • Advanced PLCSIM: emulates the S7-1500 PLC.
  • FactoryIO: graphical representation of the production environment.
  • UaExpert: allows the control and monitoring of PLCs via the OPC UA protocol.
  • UaExpert also lets you browse the OPC UA server of the PLC via the eponymous protocol.

At the end there must be at least these two icons on your desktop.

Once this is done, you have to activate the licenses.

P.S.: the initial way to do it was by an executable that installs a cryptominer on your system, so I think you need to purchase a licence.

Once the certificates are added you can start using TIA portal.

A good tutorial to start understanding TIA Portal.

Install of FactoryIO

Here is the install link for FactoryIO.

PLC emulations for analysis in a LAN

The following procedure will allow you to analyze the network traffic between the PLC, FactoryIO and UaExpert.

It is necessary to configure the network interface that corresponds to the Siemens network card.

Here are the parameters to assign in the Advanced PLCSIM software.

Personally, I don't like to reinvent the wheel, so here is a very good tutorial to set up the connection between FactoryIO and Advanced PLCSIM; the connection and the network card setting should be present.

Here is my configuration for example.

To get a basic scene, refer to this tutorial: just load the scene and connect TIA with the PLCSIM S7-1500.

We should have the following settings on factoryIO to connect.

Confirmation of the communications between FactoryIO and Advanced PLCSIM with Wireshark.

Once this is done, we have a complete lab.
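As an added example (not code from the original post), once the capture between PLCSIM and FactoryIO is running, a small decoder lets you sort the S7comm PDUs that Wireshark shows on TCP/102 by ROSCTR and function code, and flag the ones that change the PLC's program or run state. The field layout follows the public Wireshark s7comm dissector; the sample PDUs below are constructed, not captured from the lab.

```python
import struct

ROSCTR = {1: "Job", 2: "Ack", 3: "Ack_Data", 7: "Userdata"}
FUNCTIONS = {0x04: "Read Var", 0x05: "Write Var", 0xF0: "Setup communication",
             0x1A: "Request download", 0x1B: "Download block", 0x1C: "Download ended",
             0x1D: "Start upload", 0x1E: "Upload", 0x1F: "End upload",
             0x28: "PLC Control", 0x29: "PLC Stop"}
# Functions that change the PLC's program or run state: worth an alert in a plant network.
SENSITIVE = {0x05, 0x1A, 0x1B, 0x1C, 0x28, 0x29}


def parse_s7comm(payload: bytes) -> dict:
    """Decode one TCP/102 payload as TPKT -> COTP DT -> S7 header -> parameter."""
    if len(payload) < 7 or payload[0] != 0x03:
        raise ValueError("not a TPKT frame")
    if struct.unpack("!H", payload[2:4])[0] != len(payload):
        raise ValueError("TPKT length does not match payload length")
    cotp_len, cotp_type = payload[4], payload[5]
    if cotp_type != 0xF0:  # CR/CC/DR TPDUs carry no S7 PDU
        raise ValueError("COTP TPDU is not DT")
    s7 = payload[5 + cotp_len:]  # COTP length indicator excludes itself
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("no S7 protocol header")
    rosctr = s7[1]
    pdu_ref, param_len, data_len = struct.unpack("!HHH", s7[4:10])
    hdr_len = 12 if rosctr in (2, 3) else 10  # Ack/Ack_Data add error class/code
    param = s7[hdr_len:hdr_len + param_len]
    func = param[0] if rosctr in (1, 3) and param else None  # Userdata uses another layout
    result = {"rosctr": ROSCTR.get(rosctr, f"unknown({rosctr})"), "pdu_ref": pdu_ref,
              "function": FUNCTIONS.get(func, f"0x{func:02x}") if func is not None else None,
              "param_len": param_len, "data_len": data_len, "sensitive": func in SENSITIVE}
    if rosctr in (2, 3):
        result["error"] = (s7[10], s7[11])
    return result


def wrap(s7: bytes) -> bytes:
    """Constructed helper: prepend a TPKT header and a COTP DT header to an S7 PDU."""
    return struct.pack("!BBH", 3, 0, 7 + len(s7)) + b"\x02\xf0\x80" + s7


def s7_job(pdu_ref: int, param: bytes, data: bytes = b"") -> bytes:
    """Constructed helper: build a ROSCTR=Job PDU from a parameter block."""
    return b"\x32\x01\x00\x00" + struct.pack("!HHH", pdu_ref, len(param), len(data)) + param + data


# Constructed sample PDUs (not captured from the post's lab).
READ_VAR = wrap(s7_job(1, bytes.fromhex("0401120a10020001000184000000")))  # read 1 byte of DB1
PLC_STOP = wrap(s7_job(2, b"\x29" + b"\x00" * 5 + bytes([9]) + b"P_PROGRAM"))
ACK_DATA = wrap(b"\x32\x03\x00\x00" + struct.pack("!HHH", 1, 2, 5) + b"\x00\x00"
                + b"\x04\x01" + b"\xff\x04\x00\x08\x2a")  # reply to READ_VAR: 1 byte, value 0x2a
```

To apply it to a real capture, export the TCP payloads of the `s7comm` frames from Wireshark and feed each one to `parse_s7comm`.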

For the moment, we don't have the OPC UA connection; this short part is based on a tutorial in French (sorry for the non-French speakers).

OPC UA protocol

Since this part takes into account elements in French, I put here a description in English so that all readers understand the basic principle of the protocol.

OPC UA (Open Platform Communications Unified Architecture) is an industrial communication protocol developed for secure, reliable, and platform-independent data exchange in industrial automation. It provides an extensible framework for the integration of real-time distributed systems and is suitable for use in a wide range of industrial applications, including process control, data acquisition, and machine-to-machine communication. OPC UA supports a wide variety of data types and is designed to be highly secure, reliable, and scalable.

I advise you to watch this video if you understand French before starting this part of the tutorial.

In this video, we have an almost complete setup of a Siemens S7-1200 PLC. However, Advanced PLCSIM can only emulate the S7-1500. This does not change much if you just use an S7-1500 that supports the OPC UA service.

Example of success of the tutorial.

Confirmation of the communications between UaExpert and Advanced PLCSIM with Wireshark.

Conclusion

To conclude on the usefulness of this lab, it allows many things:

  • Learning TIA Portal in synergy with FactoryIO.
  • Advanced analysis of network protocols.
  • The cyber aspect of securing communications between PLCs and mechanical elements.

Several other articles covering the cyber aspect, with examples of hacks, will be presented on this Medium.
