Setup and exploit a Physical ICS LAB: S7comm: Part1

biero llagas
Oct 15, 2023


Foreword

Hello everyone, and welcome to this new article about setting up an ICS network lab based on the s7comm protocol.

The aim of this article is to share my experience of setting up my environment, the equipment I used and the processes I applied to make it work.

This series of articles will be in two parts:

The 1st will focus on setting up and networking the various pieces of equipment in the LAB.

The 2nd will cover programming, interaction and operation of the SIEMENS LOGO! PLC via the s7comm library.

Introduction

This LAB aims to deepen the understanding of a production or test environment in which industrial control equipment is used.

The creation of this lab would open up some very interesting opportunities, for example:

  • Test various open source tools and projects related to ICS equipment.
  • Legally test the different exploits available.
  • Monitor and analyse attacks that can occur on the network.
  • Write custom rules that can be implemented in a SOC.

As you’ve understood, setting up a lab can boost possibilities, and provide in-depth analysis of events and actions.

Network requirements & architecture

The specifications for the 1st version of this lab are the following:

  • Creation of LANs.
  • Each LAN will have a function (build, run, R&D, etc.).
  • A router will be placed between the LANs to filter and segment assets between LANs.
  • Each LAN will have the mask 255.255.255.0.
  • The IP range will be set to 10.x.x.0/24.
  • The gateway will be set on the first IP of the LAN, 10.x.x.1/24.

As you can see, nothing very impressive, but it’s more than enough for our needs.

Equipment & hardware

The equipment we will need is as follows:

- a router.
- one switch per LAN.
- PLCs.
- one or more computers.
- RJ45 cables (1 per device).

Here’s the equipment I chose and why I chose it.

Note: the prices are those at the time of writing (October 2023).

Router

For the choice of router, I wanted to have equipment that would last well, and that could be multi-tasked for future projects.

So I opted for the Fortigate 60D.

It’s not too expensive for this type of equipment, and it offers active monitoring of incoming and outgoing flows, perfect for analyzing the attacks we could carry out.

Price: 200 euro

Switch

For the switches, it wasn’t a choice but an opportunity that was offered to me: the switches I have were borrowed or given to me.

The first one is the Netgear FS105, a 100BASE-T Ethernet switch.

Price: 10 euro

The second is the Netgear GS308E, a Gigabit Ethernet smart switch.

Price: 35 euro

PLCs

So here we are, at the heart of the matter: PLCs.
As explained, this LAB will be SIEMENS-oriented, so we need equipment from… SIEMENS. Good, you follow.

My choice fell on two pieces of equipment.

LOGO!

The 1st is the Siemens LOGO!. It’s primarily used in building automation, as we’ll see later, but it’s also one of the PLCs that can interact with the s7comm python library.

The advantages of this PLC are its existing exploits, its web interface, and the accessibility of its firmware.

Please note that software is required to program this PLC (LOGO! Soft Comfort V8).

Price: 150 euro + 60 euro (software)

SIMATIC S7–1200 1214C

We’re starting to get into the long names. But don’t worry, we’ll get to the bottom of it.

SIMATIC is a series of programmable logic controller and automation systems, developed by Siemens. Introduced in 1958, the series has gone through four major generations, the latest being the SIMATIC S7 generation. The series is intended for industrial automation and production.

So SIMATIC is the range, S7–1200 is the PLC and 1214C is the version of the PLC.

The choice of this PLC was quite simple: the exploits that exist, the network attack surface, compatibility with the OPC UA protocol, monitoring capabilities, and above all good old Stuxnet and the other PLC blasters that proved air-gapped networks don’t exist. The price is also quite reasonable (from 250 to 400 euro).

Note that the power input is 24V only, so if you don’t have a converter at hand, there’s an official 230V<=>24V converter for about 100 euros.

Software is required to connect to and develop on your S7–1200: the Siemens SIMATIC STEP 7 Basic V18 software, for 390 euro.

The TIA Portal setup has already been the subject of an article I wrote, so I’ll redirect you to it.

Price: 400 euro + 100 euro + 350 euro

Note: I didn’t tell you, but there is a way to reduce the 350 euro bill if you do a little research on the internet.

Computer

You can use any computer as long as Windows can run on it, but I recommend at least 8GB of RAM and 150GB of disk space.

A single computer can be enough for the lab.

For RJ45 cables, as long as they’re not cut and are between 30cm and 15 meters long, they should be fine.

Here are the network diagrams of the different pieces of equipment, together with their respective configurations.

And now, the moment you’ve all been waiting for.

Configurations Time

Warning: s7–1200 configurations will not be covered here, but in a series of articles dedicated to OPC UA.

Computer configuration:

The network configuration of the PCs on the dedicated LAN is the following.

Note that to connect to the Fortigate via the web interface, you need to browse to http://192.168.1.99

SIEMENS LOGO!

To configure the Siemens LOGO! network settings, work directly on the PLC using its buttons: go to Network => IP Address and change the IP, mask and gateway according to our parameters.

Fortinet FortiGate 60D

To begin with, I’d like to point out that I’m not an expert in Fortinet configurations; to be honest, this is the 1st time I’ve worked with them. So apologies in advance if the configurations seem a little too basic for the moment.

Activating physical interfaces

First, we need to “free” the physical interfaces from “internal”. To do this, go to Network => Interface => internal.

Personally, I’m going to use interfaces 4 (OT-PROD) and 5 (OT-DEV).

LAN attributions

Next, we’ll assign LANs to the two selected interfaces. To do this, right-click on the desired interface => Edit.

Routing

For the moment, the machines can’t connect to each other, as we haven’t yet defined the communication flows (routes) between them.

The parameters to be applied for route setup are in Policy & Objects => IPv4 Policy.

Add two new rules, one allowing connections from OT-DEV to OT-PROD and one allowing connections from OT-PROD to OT-DEV.

At the end you should have this.
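For readers who prefer the CLI, here is the equivalent of the interface and policy steps above as an added example; it is not from the original post, which uses the GUI. The subnets 10.10.1.0/24 (OT-PROD) and 10.10.2.0/24 (OT-DEV) and the port names internal4 and internal5 are assumptions, since the article only states 10.x.x.0/24 with the gateway on .1.

```fortios
# Added example: FortiOS CLI equivalent of the GUI steps in the article.
# Assumed mapping (not from the article): OT-PROD = internal4 = 10.10.1.0/24,
# OT-DEV = internal5 = 10.10.2.0/24; the gateway sits on .1 of each LAN.
config system interface
    edit "internal4"
        set alias "OT-PROD"
        set ip 10.10.1.1 255.255.255.0
        set allowaccess ping
    next
    edit "internal5"
        set alias "OT-DEV"
        set ip 10.10.2.1 255.255.255.0
        set allowaccess ping
    next
end

# The two policies from the "Routing" step. "set logtraffic all" records every
# session, so the FortiGate can be used to watch what the lab generates, which
# is the monitoring use case the article gives for choosing this router.
config firewall policy
    edit 1
        set name "OT-DEV_to_OT-PROD"
        set srcintf "internal5"
        set dstintf "internal4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "OT-PROD_to_OT-DEV"
        set srcintf "internal4"
        set dstintf "internal5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Once the lab is working, replacing service "ALL" in the OT-PROD rule with a custom service limited to TCP/102 (the ISO-TSAP port S7comm uses) and HTTP for the LOGO! web server narrows the flows to what the lab actually needs, which makes the logs easier to read.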

And now you have a working LAB. If it isn’t working, you can run through the following verification process.

Verifications

To check whether the configuration works, you can perform the following tests:

  • Ping your LAN gateway.
  • Ping the gateway of the LAN you wish to contact.
  • From your Windows machine, try to contact the SIEMENS LOGO! WEB server.

Conclusion of part 1

That’s it for part 1: the setup is done. Next, we’re going to see how to program a simple application on the LOGO! and find out whether it’s possible to send it instructions, or make it perform actions, without being physically on site and without having access to the machine that developed the application.

See you.
