OT-S7-SIEMENS · Impact
Siemens S7 Protocol Abuse
S7-300/400/1200/1500 PLCs respond to S7comm — read/write data blocks, stop/start CPU, transfer logic without auth (legacy) or with default password.
§ Where this technique fits
OT-S7-SIEMENS is catalogued under the Impact tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 4 on average.
§ Dossiers chaining this technique
- step 4 / 5
TRITON-class SIS reprogram → disable safety shutdown
After OT-network foothold, reach a Triconex Safety Instrumented System. Download attacker logic that suppresses safety trips on a process that's about to be pushed past its safe envelope.
- step 4 / 6
Engineering workstation → push payload to PLC
Compromise the OT engineer's laptop (corporate-network adjacent, jumphost-reachable). Use legit engineering tools (TIA Portal / Studio 5000) to download attacker ladder logic to the PLC.
§ What commonly comes next
- 01 · Data Encrypted for Impact (seen 1×) · T1486 · Impact
- 02 · Modbus TCP Write to PLC (seen 1×) · OT-MODBUS-WRITE · Impact