Continuing from CPU Protection Part I and Part II, I will present a tool that can help us obtain the protection-level password when one has been configured to control access to a PLC CPU; in this case, a SIEMENS S7-300 controller.
Its name is PSS, and the latest version that I have found is 1.83. I have tested it on an S7-300, but the author also refers to other software for which it is known to be usable for the same purpose, such as STEP7, MicroWIN, WINCC, LOGO, etc. Please click the “?” symbol in the bottom right corner for more information.
Although some of them may be obsolete, the lifecycle of OT devices and technologies is longer than that of IT equipment. For this reason, this tool can still be useful today for audits or assessments, even when the software is very old.
To obtain the password, we must select the directory that stores the project containing the device with a password configured.
After this, right-click and select “Start Scan”.
A few seconds later, we will see the password in plain text if it has been detected; in this case, “ICS2020”.
Note that if you change this password and assign another one, the old one apparently remains stored, because repeating the process also shows the previous ones.
This tool can be useful for recovering forgotten passwords, but it can also be used by somebody who has unauthorized access to the system or media that stores them. Establishing a backup plan alone is not enough; it is also necessary to protect the copies of the PLC program.
It does not make sense to make a copy of programs or configuration files if somebody can access them and extract the passwords that restrict the ability to read and write them.
As mentioned, we have to deploy different controls across our facilities, systems, and networks, and apply all possible and available features that give us the security we need. Always keep in mind that we must not introduce a higher risk than the one we are trying to mitigate, and passwords can be cracked…
Thanks again for your time, see you in another one!
Stay tuned!