Cement plant OT pentest · Siemens S7-1500 + WinCC · 14 critical findings · IEC 62443 SL3
A cement plant requested an authorized OT pentest from DSET. Target: Siemens S7-1500 PLCs, WinCC HMI, the ICS DMZ. Rule: production must not be stopped (a 1M TL/hour penalty risk). With passive recon + lab exploitation DSET reported 14 critical findings, production was never touched, and an IEC 62443 SL2→SL3 transition certification was achieved.
01 The Challenge
OT/IT segmentation with a Tofino firewall, a DMZ at Purdue Model level 3.5. PLC inventory: 47 Siemens S7-1500 + 12 WinCC servers, TIA Portal V16. Contract: production downtime = a 1M TL penalty. HMI workstation default "Siemens/Siemens" credentials, read access to the PLCs over the OPC server. CVE-2023-44318 (Siemens TIA Portal RCE) unpatched.
02 DSET's Approach
T+0 · Passive recon
S7Comm + Profinet protocol analysis + traffic capture. Read access to the PLCs was detected; no write access, but it looked exploitable.
T+1 week · DSET lab
A setup of the same S7-1500 + WinCC model in the DSET OT lab. CVE-2023-44318 + a Trisis/Triton-style PLC firmware injection were tested in the lab.
T+10 days · PoC of findings
5 critical + 8 high + 14 medium findings proven with PoCs in the lab. Production was never touched.
T+12 days · Report + IEC 62443
An IEC 62443 SL2 → SL3 recommendation matrix. OT-IT microsegmentation + a zone & conduit model.