100
SCADACS Internet-facing PLCs - A New Back Orifice Johannes Klick, Stephan Lau, Daniel Marzin, Jan-Ole Malchow, Prof. Volker Roth AG Sichere Identit¨ at Fachbereich Mathematik und Informatik Freie Universit¨ at Berlin www.scadacs.org

Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Embed Size (px)

Citation preview

Page 1: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Internet-facing PLCs - A New Back Orifice

Johannes Klick, Stephan Lau, Daniel Marzin, Jan-OleMalchow, Prof. Volker Roth

AG Sichere Identitat

Fachbereich Mathematik und Informatik

Freie Universitat Berlin www.scadacs.org

Page 2: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Opening

Page 3: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Talk Bytes

◮ Understand the workflow of a PLC.

◮ Basic PLC programming knowlegde

◮ Download / Upload PLC code

◮ Inject own code with PLCinject

◮ Compromise a production network via one internet facingPLC

◮ PLC SNMP Scanner in STL

◮ PLC SOCKS Proxy in STL

Page 4: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Volker Roth Jan-Ole Malchow Johannes KlickDaniel Marzin Sascha Zinke Mateusz KhalilStephan Lau Stephan Arndt Mathias SekulMarvin Jacob Bode Marvin2

https://www.scadacs.org

Page 5: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

PLC availability and

vulnerability

Page 6: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

ICS Distribution - Europe

Page 7: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Vulnerable ICS distribution - Europe

Page 8: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

ICS distribution - USA

Page 9: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Statistics

Categorys Devices CVEs/Exploits

BMS 31.411 9%PLCND 23.873 14%PDU 10.381 0%PLC 7.254 26%SCADA 2.254 28%HMI 1.741 41%ERP 1.400 0%TM 788 0%UPS 167 0%

Page 10: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Internet-facing PLCs

◮ What is behind an Internet facing PLC?

◮ Are there more indirect internet facing PLCs?

◮ May be a whole production network?

Page 11: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Traditional attack vectors of

PLCs

Page 12: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Traditional attack vectors of PLCs

Stuxnet

◮ Compromising an off-line site through the suply chain

◮ Compromised Siemens IDE downloaded malicous code tothe PLC.

German steelwork

◮ Compromising an on-line site through the business IT

◮ Manipulation of the steel works control system damagedthe furnace

Page 13: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

What we are talking about?

Page 14: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Introduction to Siemens PLCs

Page 15: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Introduction to Siemens PLCs

1. Architecture and execution model

2. Program structure and organization

3. Cyclic execution model, I/O

4. STL programs and their MC7 representation

Page 16: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Program structure

Introduction to Siemens PLCsProgram structure andorganization

◮ Organization Block (OB)

◮ Data Block (DB)

◮ Function Call (FC)

◮ Function Blocks (FB)

◮ System Function (SFC)

◮ System Data Block (SDB)

◮ System Function Block (SFB)

Page 17: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Introduction to Siemens PLCsCyclic execution model, I/O

Cycle

tim

e

Time slices (1 ms each)

Time slice (1 ms)

2

3

4

5

Page 18: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Programming Siemens PLC in STL

Mathematical term:

◮ Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Statement List (STL):

Page 19: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationDescription Bytes Offset

Block signature 2 0Block version 1 2Block attribute 1 3Block language 1 4Block type 1 5Block number 2 6Block length 4 8Block password 4 12Block last modified date 6 16Block interface last modified date 6 22Block interface length 2 28Block Segment table length 2 30Block local data length 2 32Block data length 2 34Data (MC 7 / DB) x 36Block signature 1 36+x

Page 20: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representation

OB 1 with

A %I0.0

A %I0.1

O %I0.2

= %Q0.0

is compiled to

00: 7070 0101 0108 0001 0000 0074 0000 0000 pp.........t....

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006 ..’5-...c.!.....

20: 0014 000a c000 c100 ca00 d880 6500 0100 ............e...

30: 0014 0000 0002 0502 0502 0502 0502 0502 ................

40: 0505 0505 0505 050e 0520 0100 0800 0000 ......... ......

50: 0000 0000 0000 0000 0000 0000 0000 0000 ................

60: 0000 0000 0000 0000 0100 a691 0000 0000 ................

70: 0000 0000 ....

Page 21: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationSignature

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 22: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationVersion

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 23: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationAttribute

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 24: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationLanguage

STL 01, LAD 02, FBD 03, SCL 04, DB 05, GRAPH 06,SDB 07

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 25: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationType

OB 08, DB 0A, SDB 0B, FC 0C, SFC 0D, FB 0E, SFB 0F

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 26: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationNumber

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 27: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationLength

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 28: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationPassword

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 29: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationLast modified date

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 30: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationLast modified date

44771125 milliseconds and 11523 days since 1/1/84=⇒ 7/20/15 12:26:11.125 pm

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 31: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationInterface last modified date

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 32: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationInterface length

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 33: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationSegment table length

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 34: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationLocal data length

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 35: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationData/Code length

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 36: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationOpcodes

A %I0.0

A %I0.1

O %I0.2

= %Q0.0

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 37: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationOpcodes

A %I0.0

A %I0.1

O %I0.2

= %Q0.0

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 38: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationOpcodes

A %I0.0

A %I0.1

O %I0.2

= %Q0.0

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 39: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationOpcodes

A %I0.0

A %I0.1

O %I0.2

= %Q0.0

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 40: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

STL programs and their MC7 representationOpcodes

A %I0.0

A %I0.1

O %I0.2

= %Q0.0

BE

00: 7070 0101 0108 0001 0000 0074 0000 0000

10: 02ab 2735 2d03 03a1 6383 21a7 001c 0006

20: 0014 000a c000 c100 ca00 d880 6500 0100

30: 0014 0000 0002 0502 0502 0502 0502 0502

40: 0505 0505 0505 050e 0520 0100 0800 0000

50: 0000 0000 0000 0000 0000 0000 0000 0000

60: 0000 0000 0000 0000 0100 a691 0000 0000

70: 0000 0000

Page 41: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7comm

Page 42: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commS7comm Protocol Structure

Page 43: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commDownload Procedure

Page 44: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

S7commprotocol details

Wireshark can dissect S7comm with the dissector available at

http://sourceforge.net/projects/s7commwireshark/

http://sourceforge.net/projects/s7commwireshark/
http://sourceforge.net/projects/s7commwireshark/
Page 45: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commCommunication setup

Page 46: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commCommunication setup

Page 47: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commCommunication setup

Page 48: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commList all blocks

Page 49: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commList all blocks

Page 50: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commList all OBs

Page 51: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commList all OBs

Page 52: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commDownload OB 1 to PLC

Page 53: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commDownload OB 1 to PLC

Page 54: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commDownload OB 1 to PLC

Page 55: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commDownload OB 1 to PLC

Page 56: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commInsert OB 1 into filesystem

Page 57: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

S7commInsert OB 1 into filesystem

Page 58: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Attack Overview

Page 59: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Attack OverviewInstrumenting live PLC programs with own malware

◮ Upload original PLC code to your machine

◮ Prepend your own code to the original code (also used byStuxnet)

◮ Download the modified code to the PLC again

◮ Next cycle executes new code, without service disruption

Page 60: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Attack OverviewPLC Code Injection

◮ Example PLC code which calls FB 1

Page 61: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Attack OverviewPLC Code Injection

◮ OB1 with prepended malicous function call to FC 666

Page 62: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Attack

Page 63: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SCADACS

Attack

1. Instrumenting live PLC programs with scanning malware

2. SNMP scanning

3. Collecting the scan results

4. Instrumenting live PLC programs with proxy malware

5. Connecting to PLCs through the proxy malware

Page 64: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Attack IOverview

PLC 1 is connected to the Internet

Page 65: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Attack IIOverview

Attacker downloads the main program block. . .

Page 66: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Attack IIIOverview

. . . patches it and uploads a SMNP scanner

Page 67: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Attack IVOverview

The local network is scanned

Page 68: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Attack VOverview

Attacker downloads the scanning results

Page 69: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Attack VIOverview

A SOCKS proxy enables him to reach the net behind the PLC

Page 70: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Attack ISNMP Scanner - Details

◮ Get the PLC’s IP

Page 71: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Attack IISNMP Scanner - Details

◮ Calculate the subnet mask

Page 72: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Attack IIISNMP Scanner - Details

◮ Configure UDP connection

Page 73: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Attack IVSNMP Scanner - Details

◮ Send UDP packets (SNMP get request)

Page 74: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details

Page 75: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details I

◮ SOCKS5 protocol (RFC 1928)

◮ without authentication or encryption

Page 76: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details II

Jump list for state machine

Page 77: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details III

Bind and listen for incoming connections

Page 78: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details IV

Receive clients authentication negotiation

Page 79: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details V

Reply with no authentication

Page 80: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details VI

Receive clients connect request. . .

Page 81: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details VII

. . . and store IP and port

Page 82: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details VIII

Connect to destination host. . .

Page 83: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details IX

. . . and prepare a confirmation message. . .

Page 84: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details X

. . . and send it to the client

Page 85: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details XI

◮ connection to client and destination host are established

◮ now we can proxy

◮ send client’s messages to destination and vice versa

◮ an error while receiving means one partner disconnected

◮ send remaining data then disconnect and wait for nextclient

Page 86: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

SOCKS5 Proxy - Details XII

◮ The SOCKS implementation on the PLC is able totransfer up to 730 KB/s if it is running alone.

◮ In combination with a memory intensive benchmark PLCprogramm the proxy was able to transfer up to 40KB/s.

Page 87: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Attack VideoSOCKS5 Proxy - Details

Connecting to PLCs through the proxy malware

...Video Presentation...

Page 88: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Evaluation

Page 89: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

EvaluationQuestions

◮ Can such attack detected by timing?

◮ Can the attack exceed the default cycle time of 150ms?

Page 90: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Measurements I

How to measure

◮ Pull data from OB1 PREV CYCLE variable

◮ Store the result in a DB

◮ Upload DB from PLC

◮ Compare values for the baseline programm and theSOCKS Proxy (idle / under load)

Page 91: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Measurements II

Page 92: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Measurements III

Baseline Proxy idle Proxy under loadMean 85.32 85.40 86.67Std. Deviation 0.4927 0.5003 0.5239Std. Error 0.01089 0.01106 0.01158

Result:

◮ There exists a significant but not relevant timingdifference between the baseline program and its malicousSOCKS proxy version regarding the default cycle time of150 ms.

Page 93: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

PLCinject

Page 94: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

PLCinjectRelease

◮ How to use PLC Inject

◮ example

Page 95: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

PLCinjectLive Demo

PLCinject with example Payload (running light) and a PLC

Page 96: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Mitigation strategies

Page 97: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Mitigation strategies

1. Enabling protection-level 3

2. Network-level access control

3. If all else fails, means to woo deities to lend disasterprotection

Page 98: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Summary

Page 99: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Summary

◮ An internet facing PLC can be used as a gateway withoutservice disruption

◮ This enables an attacker to reach indirect Internetconnected PLCs too

◮ Taking these indirect connected systems into account, theattack surface regarding ICS could be much bigger thanexpected

Page 100: Internet-facing PLCs - A New Back Orificesecwiki.neu.edu.cn/wiki/images/6/6d/Us-15-Klick-Internet...Programming Siemens PLC in STL Mathematical term: Q0.0 = (I0.0 ∧ I0.1) ∨ I0.2

Q&A


LOGIC SENSOR PROOUT Gate Driver Providing Galvanic …DISFIL 4 10 20 µs DIS Input Delay Time t DDIS 4 10 20 µs Output OUT1 ON-Resistance (Source-side) R ONH I0.2 0.55 1.3 Ω OUT

LOGIC SENSOR PROOUT Gate Driver Providing Galvanic …DISFIL 4 10 20 µs DIS Input Delay Time t DDIS 4 10 20 µs Output OUT1 ON-Resistance (Source-side) R ONH I0.2 0.55 1.3 Ω OUT

Documents
S7 300 PLC OB1 PLC PLC PLCSIM - dl.poweren.irdl.poweren.ir/downloads/PowerEn/Book/2019/Mar/جزوه آموزش PLC S7-300 (PowerEn... · I0.0, I0.1, I0.2 Q0.0 PLCSIM LAD/STL/FBD PLC

S7 300 PLC OB1 PLC PLC PLCSIM - dl.poweren.irdl.poweren.ir/downloads/PowerEn/Book/2019/Mar/جزوه آموزش PLC S7-300 (PowerEn... · I0.0, I0.1, I0.2 Q0.0 PLCSIM LAD/STL/FBD PLC

Documents
I np ut/Output I nterface Circuits and LSI Peripheral Devices 10 textbook.pdfavailable at output lines 03 through O15 of port 1. EXAMPLE I0.2 Write a series of inskuctions that will

I np ut/Output I nterface Circuits and LSI Peripheral Devices 10 textbook.pdfavailable at output lines 03 through O15 of port 1. EXAMPLE I0.2 Write a series of inskuctions that will

Documents
old.scemi.comold.scemi.com/jxky/JPKC/DZDQX/GYKZ/GYKZ/swf/sysxzd…  · Web viewPLC地址 WinCC地址 符号表 数据类型 变量名 I0.0 M0.0 Start BOOL 启动开关 I0.1 M0.1

old.scemi.comold.scemi.com/jxky/JPKC/DZDQX/GYKZ/GYKZ/swf/sysxzd…  · Web viewPLC地址 WinCC地址 符号表 数据类型 变量名 I0.0 M0.0 Start BOOL 启动开关 I0.1 M0.1

Documents
EXPERIMENT N0. 2 Introduction to PLC and Ladder Logic · PDF fileEXPERIMENT N0.4 Introduction to PLC and Ladder Logic ... v Draw a ladder diagram for turning the output Q0.0 ON when

EXPERIMENT N0. 2 Introduction to PLC and Ladder Logic · PDF fileEXPERIMENT N0.4 Introduction to PLC and Ladder Logic ... v Draw a ladder diagram for turning the output Q0.0 ON when

Documents
Kinco-K2SeriesPLC 1 Productintroduction - spstiger · 2018-01-04 · Q0.0 and Q 0.1 support up to 50 KHz. ( The resistor of load should be less than 1.5 KΩ), Q0.4 supports up to

Kinco-K2SeriesPLC 1 Productintroduction - spstiger · 2018-01-04 · Q0.0 and Q 0.1 support up to 50 KHz. ( The resistor of load should be less than 1.5 KΩ), Q0.4 supports up to

Documents
35013228 K01 000 01 - · PDF filezLas operaciones numéricas están incluidas en el ... Ejemplo de escalón 2 %I0.1 %I0.3 ... continuidad al área de actividad donde se

35013228 K01 000 01 - · PDF filezLas operaciones numéricas están incluidas en el ... Ejemplo de escalón 2 %I0.1 %I0.3 ... continuidad al área de actividad donde se

Documents
Nombre del proyecto: ESTACION TOMA DE DATOS VIALESrepository.udistrital.edu.co/bitstream/11349/22508/2/Anexo-1 Sistem… · %FC0 %I0.2 NotUsed 0 %FC1 %I0.3 NotUsed 0 %FC2 %I0.4 NotUsed

Nombre del proyecto: ESTACION TOMA DE DATOS VIALESrepository.udistrital.edu.co/bitstream/11349/22508/2/Anexo-1 Sistem… · %FC0 %I0.2 NotUsed 0 %FC1 %I0.3 NotUsed 0 %FC2 %I0.4 NotUsed

Documents
Simatic S5 to Simatic S7 Migration - Siemensf... · 2020-06-13 · i0.0~q127.7 q0.0~q127.7 py0~ pw128~254 f0.0~f255.7 s0.0~s8191.7 py0 fy0 sy0 データ d0.0 dl0 dr0 dw0

Simatic S5 to Simatic S7 Migration - Siemensf... · 2020-06-13 · i0.0~q127.7 q0.0~q127.7 py0~ pw128~254 f0.0~f255.7 s0.0~s8191.7 py0 fy0 sy0 データ d0.0 dl0 dr0 dw0

Documents
Elemento de Processamento de Sinais - PLCgerson.luqueta.com.br/index_arquivos/CLPbasico.pdf · PC –CLP (MPI) I0.0 I0.1 Byte 0 Byte 4 ... 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 7 6 5 4

Elemento de Processamento de Sinais - PLCgerson.luqueta.com.br/index_arquivos/CLPbasico.pdf · PC –CLP (MPI) I0.0 I0.1 Byte 0 Byte 4 ... 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 7 6 5 4

Documents
Resultado de los ejercicios del 0 al 5SSP Juan Fra Deseamos realizar un circuito de un paro marcha prioridad paro que activan dos salidas KA0 y KA1 a la vez (Q0.0 Y Q0.1) dispone de

Resultado de los ejercicios del 0 al 5SSP Juan Fra Deseamos realizar un circuito de un paro marcha prioridad paro que activan dos salidas KA0 y KA1 a la vez (Q0.0 Y Q0.1) dispone de

Documents
Die Systemfamilie SIMATIC S7ftp.gongkong.com › UploadFile › datum › 2008-12 › 2008121614281900001.pdf3 simatic® 控制器 siemens simatic sf run stop q0.0 q0.1 q0.2 q0.3 q0.4

Die Systemfamilie SIMATIC S7ftp.gongkong.com › UploadFile › datum › 2008-12 › 2008121614281900001.pdf3 simatic® 控制器 siemens simatic sf run stop q0.0 q0.1 q0.2 q0.3 q0.4

Documents
Title 社会資本と資本蓄積 - 資本蓄積の現代的特徴を …...2) Robert R. Doane, The Anato叫 I0.1 American lVl四 lth,pp. 260-261; Subcommittee on Economic Statistics

Title 社会資本と資本蓄積 - 資本蓄積の現代的特徴を …...2) Robert R. Doane, The Anato叫 I0.1 American lVl四 lth,pp. 260-261; Subcommittee on Economic Statistics

Documents
Manual do Keyprogram - keylogix.com.br · em 0 transfere 1 para o endereço, caso contrário transfere 0. No exemplo acima a saída (%Q0.0) será acionada somente quando a entrada

Manual do Keyprogram - keylogix.com.br · em 0 transfere 1 para o endereço, caso contrário transfere 0. No exemplo acima a saída (%Q0.0) será acionada somente quando a entrada

Documents