Applications & Tools, Answers for industry: Programming Guideline for S7-1200/S7-1500, STEP 7 (TIA Portal), Background and system description, October 2013.
Siemens S7 Statement List (STL), sorted alphabetically (mnemonic: description):
- ) : Nesting closed
- + : Add integer constant (16-, 32-bit)
- +AR1 : Add ACC1 to address register 1
- +AR2 : Add ACC1 to address register 2
- +I, +D, +R : Add ACC1 and ACC2
- -I, -D, -R : Subtract ACC1 from ACC2
- *I, *D, *R : Multiply ACC1 and ACC2
- /I, /D, /R : Divide ACC2 by ACC1
- = : Assign
Note that the underscore in a numeric literal can be ignored; it is only used to break up long numbers.
The best source is of course the Siemens PDF manual 'SIMATIC Statement List (STL) for S7-300 and S7-400 Programming'. If you have Step 7 installed on your PC, it can be found in the Simatic/Documentation folder; if not, download it from Siemens' support website.
Advanced Persistent Threat – Stuxnet – A case study…
Introduction
Stuxnet is a special case, linked to the topic of this section for two reasons: on one side it is one of the first and main examples of what today is called a cyberweapon; on the other side it looks like the first application of such a weapon in the conflict that some countries are conducting against Iran's uranium enrichment program, with possible implications for nuclear proliferation.
Stuxnet was discovered on 17 June 2010 by VirusBlokAda, a Belarusian company that develops antivirus software. It was the first example of a worm intentionally built to attack industrial equipment and software (SCADA systems), and it is the most lethal worm ever created. Malware (malicious software) is software designed to enter a computer without any authorization and with hostile intent. A worm is self-replicating malware that uses a network to copy itself onto other network nodes without any external intervention.
Unlike a DoS attack, Stuxnet's goal is to destroy the target system. It could, for example, open a seawall gate, cut the power to a company, cause a train to derail, and so on. Stuxnet therefore acts selectively on PLC systems, precisely on the programmable logic controllers of automated systems, injecting code that interacts with the system and causes malfunctions.
SCADA Systems (Supervisory Control and Data Acquisition)
- Supervision: overseeing the state and evolution of the conditions of a controlled process;
- Control: the ability of the system to take decisions about the evolution of the controlled process;
- Data acquisition: collecting data in order to perform the supervisory functions while observing the controlled process.
SCADA systems are generally used for traffic control (railways, air traffic, motorways, etc.), critical systems (nuclear power plants, hydroelectric plants, wind farm control, etc.), manufacturing or production systems, industrial and environmental remote measurement, etc.
A micro SCADA system can be, for example, a temperature control process. The example below lists its components and the master's protocol in pseudo-code:
- Components: Master, Temperature, Valve, Led, Attacker, Monitor (system log)
- Master protocol: (pseudo-code)
Figure: Default Network – Attacker (from Daniele Votta's blog)
How Stuxnet works
Analysis of Stuxnet quickly concentrated on the worm's level of sophistication: it exploits several previously unknown vulnerabilities in Windows servers (so-called "0-day" vulnerabilities).
The infection spreads through an infected device (a USB pen drive) inserted into an ordinary personal computer. Simply opening a Windows File Explorer window is enough for the worm to enter the operating system and then replicate itself across the network.
The worm is designed to spread through the network and attack all vulnerable Microsoft Windows systems (from NT4 to Windows 7) on which the Microsoft security patch MS10-046 (available since 2 August 2010) has not been applied.
Once executed, Stuxnet hides its infection files on the USB stick using a "userland" rootkit, which hides from the file system every file with the ".lnk" extension and every file whose name starts with "~WTR" and ends with ".tmp".
But, as Symantec's analysis specifies, the worm also uses network shares and the MS08-067 vulnerability to spread.
Rootkit installation
The worm continues its installation by dropping several components on the infected computer, specifically:
- A kernel rootkit (implemented by the drivers mrxcls.sys and mrxnet.sys) that hides the files used for the infection. This second rootkit, known as "TmpHider", has the same effect as the first, userland rootkit that the worm runs, but its modifications are permanent. A further characteristic of this rootkit is that it can hide processes.
- Two services (MRXCLS and MRXNET), which are not visible in the Windows services list.
This part of the Stuxnet installation works only if the user who inserts the USB pen drive into the computer has administrative privileges.
The rootkit installed by Stuxnet is only partially stealthy, because it does not hide all the files it uses. Indeed, with Windows File Explorer it is possible to find it by searching for the following files:
- %SystemRoot%\system32\drivers\mrxcls.sys
- %SystemRoot%\system32\drivers\mrxnet.sys
- %SystemRoot%\inf\oem6c.pnf
- %SystemRoot%\inf\oem7a.pnf
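As an added example (not code from the original post), a small Python triage sweep for the host artifacts listed above: the two drivers and two .pnf files under %SystemRoot%, the MRXCLS/MRXNET services, and the ~WTR*.tmp / *.lnk names the userland rootkit hides on the USB stick. The service list is assumed to be collected by the caller (for instance from `sc query`), and the demo() tree and its file names are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Host artifacts the case study names, relative to %SystemRoot%.
SYSTEMROOT_ARTIFACTS = [
    "system32/drivers/mrxcls.sys",
    "system32/drivers/mrxnet.sys",
    "inf/oem6c.pnf",
    "inf/oem7a.pnf",
]
ROOTKIT_SERVICES = {"MRXCLS", "MRXNET"}
# Names the userland rootkit hides on the USB stick: *.lnk and ~WTR*.tmp.
USB_NAME_RE = re.compile(r"^(~WTR.*\.tmp|.*\.lnk)$", re.IGNORECASE)

def sweep_system_root(system_root):
    """Return the listed driver/.pnf artifacts that exist under system_root
    (on a live Windows host pass os.environ["SystemRoot"])."""
    root = Path(system_root)
    return [rel for rel in SYSTEMROOT_ARTIFACTS if (root / rel).is_file()]

def sweep_services(service_names):
    """Return the rootkit service names present in an iterable of installed service
    names (collected by the caller, e.g. from `sc query`; assumption, not page content)."""
    return sorted(ROOTKIT_SERVICES & {s.upper() for s in service_names})

def sweep_removable(drive_root):
    """Return suspicious file names in the root of a removable drive. The hiding is
    done on the infected host, so mount the stick on a clean system first."""
    return sorted(p.name for p in Path(drive_root).iterdir() if USB_NAME_RE.match(p.name))

def demo():
    """Constructed directory tree standing in for an infected host and its USB stick."""
    tmp = Path(tempfile.mkdtemp())
    sysroot, usb = tmp / "Windows", tmp / "USB"
    for rel in ("system32/drivers/mrxnet.sys", "inf/oem7a.pnf", "system32/kernel32.dll"):
        (sysroot / rel).parent.mkdir(parents=True, exist_ok=True)
        (sysroot / rel).write_bytes(b"")
    usb.mkdir()
    for name in ("~WTR0000.tmp", "shortcut.lnk", "report.docx"):   # constructed names
        (usb / name).write_bytes(b"")
    return (sweep_system_root(sysroot),
            sweep_services(["Spooler", "mrxnet", "Dhcp"]),
            sweep_removable(usb))
```

Because the kernel rootkit filters what the infected host's own file system reports, a clean result from the live host is weaker evidence than a result taken from a mounted disk image or a boot from clean media.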
Network Communication
Once installed, Stuxnet attempts to communicate with the following two internet web sites using ordinary HTTP requests on TCP port 80, the default HTTP port:
- www . mypremierfutbol . com
- www . todaysfutbol . com
It then sends information about the infected host (IP address, operating system, active services, etc.) to those two web sites. In response it can receive commands such as:
- read, write and delete files on the infected host;
- download and execute a DLL from the internet;
- and so forth.
Evidently, when a SCADA system is infected, it is unlikely to be connected to the internet. However, it is possible that one of the compromised servers is not prevented from sending outgoing traffic toward public networks; this circumstance would most likely allow the dialogue between the infected machines and the internet servers.
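The check a defender would run on egress or proxy logs for the behaviour just described, as an added Python example that is not part of the original post: it flags requests to the two sites named above (the defanged "www . host . com" spelling is collapsed first) and, following the "extrusion detection" idea from the countermeasures, any outbound HTTP at all from a control-network host. The control-network subnet and the log lines are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

def refang(name: str) -> str:
    """Collapse the 'www . host . com' spacing used to print the domains above."""
    return re.sub(r"\s*\.\s*", ".", name.strip()).lower()

# The two sites named in the case study, written defanged as they appear there.
C2_DOMAINS = {refang(d) for d in ("www . mypremierfutbol . com", "www . todaysfutbol . com")}

# Assumption for the example: the control network lives in this subnet.
CONTROL_NET = ip_network("10.10.0.0/16")

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2010-07-01T08:00:01 10.10.4.21 GET http://www.mypremierfutbol.com/ 200
2010-07-01T08:00:05 10.10.4.21 GET http://www.todaysfutbol.com/ 200
2010-07-01T08:01:10 192.168.1.50 GET http://www.example.org/ 200
2010-07-01T08:02:00 10.10.7.3 GET http://update.vendor.example/patch.cab 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def host_of(url: str) -> str:
    """Host part of an absolute URL, lower-cased (empty string if unparseable)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url.lower())
    return m.group(1) if m else ""

def scan_proxy_log(text: str, control_net=CONTROL_NET):
    """Return (severity, client_ip, host, reason) tuples: any contact with the two
    C2 sites, and any outbound HTTP at all from a control-network host (the
    'extrusion detection' idea from the countermeasures list)."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines
        _ts, client, _method, url, _status = m.groups()
        host = host_of(url)
        if host in C2_DOMAINS:
            findings.append(("high", client, host, "known Stuxnet C2 domain"))
        elif ip_address(client) in control_net:
            findings.append(("medium", client, host, "outbound HTTP from control network"))
    return findings
```

The "medium" rule is the more durable one: C2 domains change between variants, but a control-network host talking HTTP to the public internet is anomalous regardless of destination.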
Below is a graphical representation of the worm's steps and spread.
Stuxnet has several variants and/or aliases: Troj/Stuxnet-A, W32/Stuxnet-B, W32.Temphid, WORM_STUXNET.A, Win32/Stuxnet.B, Trojan-Dropper:W32/Stuxnet, W32/Stuxnet.A, Rootkit.Win32.Stuxnet.b, Rootkit.Win32.Stuxnet.a.
Today there are several countermeasures and tools to remove the malware and its variants. The main tools are listed below:
- Symantec – W32.Stuxnet – Removal
- Hotforsecurity – Stuxnet Removal Tool
- BitDefender® – Stuxnet Removal Tool
- Microsoft Security Essentials
- Windows Defender
- Microsoft Windows Malicious Software Removal Tool
The most effective defensive techniques are:
- Security Information and Event Management (SIEM) systems
- Intrusion monitoring systems integrated with a SIEM system
- Implementation of an "extrusion detection" system
- A Passive Vulnerability Scanner (PVS) inside the control network
APT – Iranian Case – Theory and relationships
Beyond the worm's sophistication, Stuxnet was clearly designed to target only Siemens SCADA systems that control specific industrial processes.
Symantec, which examined the case, told the BBC on 15 February 2011 that several variants of Stuxnet attacked five Iranian facilities between June 2009 and April 2010, with the likely goal of hitting the uranium enrichment infrastructure, which uses Siemens equipment procured clandestinely. The analysis also suggests that the worm's producers must have "infiltrated" the organizations they wanted to strike, because the plant is obviously not connected to the Internet for security reasons; the infection therefore took place from the inside.
Moreover, with regard to the malfunctions of the uranium enrichment centrifuges at the Natanz nuclear plant in Iran, it was found that the worm has two intelligent components: the first is designed to spin the centrifuges in an uncontrolled manner; the second secretly records normal operations and then replays them to the plant operator, so that everything appears normal while the centrifuges destroy themselves.
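As an added example (not part of the original post), here is the micro-SCADA temperature loop from the earlier section (Master, Temperature, Valve, Monitor) as a toy Python simulation whose Monitor catches the record-and-replay behaviour just described in two ways: a physics check that compares the actuator log against the readings, and a check for exact repeats in the reading stream. Setpoints, step sizes, sensor noise and the "valve held closed" scenario are constructed for the example.

```python
import random
HIGH, LOW = 80.0, 60.0   # master setpoints (constructed toy values)

def plant_step(temp, valve_open):
    """Toy thermal model: an open cooling valve lowers temp, a closed one lets it rise."""
    return temp - 2.0 if valve_open else temp + 1.5

def master_step(reading, valve_open):
    """Master logic: open the valve at or above HIGH, close it at or below LOW, else hold."""
    return True if reading >= HIGH else False if reading <= LOW else valve_open

def honest_run(ticks, seed=1, start=70.0):
    """Normal operation: returns (valve states logged at the actuator, sensor readings)."""
    rng, temp, valve, valves, reads = random.Random(seed), start, False, [], []
    for _ in range(ticks):
        reading = round(temp + rng.uniform(-0.2, 0.2), 3)   # real sensors are noisy
        valve = master_step(reading, valve)
        valves.append(valve)
        reads.append(reading)
        temp = plant_step(temp, valve)
    return valves, reads

def replayed_run(ticks, recording_len=30):
    """The article's scenario, simulated: the console is fed a loop of recorded
    normal readings while the valve is actually held closed the whole time."""
    _, recording = honest_run(recording_len)
    return [False] * ticks, [recording[i % recording_len] for i in range(ticks)]

def physics_check(valves, reads, max_run=3):
    """Monitor check 1: first index where readings contradict the actuator log for
    max_run consecutive ticks (a closed valve cannot cool, an open one cannot heat)."""
    run = 0
    for i in range(1, len(reads)):
        delta = reads[i] - reads[i - 1]
        contradict = delta > 0 if valves[i - 1] else delta < 0
        run = run + 1 if contradict else 0
        if run >= max_run:
            return i
    return None

def replay_check(reads, window=8):
    """Monitor check 2: (first_index, repeat_index) of the first exactly repeated window."""
    seen = {}
    for i in range(len(reads) - window + 1):
        key = tuple(reads[i:i + window])
        if key in seen:
            return seen[key], i
        seen[key] = i
    return None
```

Both checks depend on the Monitor having a data path the replayed console feed does not pass through (here the actuator's own log); if the Monitor only sees what the operator sees, the replay is invisible to it too.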
The Stuxnet attack also had very special characteristics, discussed in an article published on 17 January 2011 on the front page of the International Herald Tribune.
For two years now, the Dimona laboratories in Israel seem to have become the base of a joint American-Israeli project intended to sabotage Iran's nuclear program. In particular, they are said to host centrifuges like those installed at Natanz in Iran, set up in order to test the action of Stuxnet, and the effectiveness of the sabotage is believed to stem from these preliminary tests.
Everything suggests that the worm was indeed produced by the US and Israel to sabotage the Iranian program. Despite this evidence, to date the author has not been officially identified.
In early 2008, Siemens partnered with the Idaho National Laboratory (a section of the Energy Department in charge of US nuclear weapons) to identify vulnerabilities in the Process Control System 7, that is, the control computer that Siemens sells together with its industrial machinery.
These machines had been identified by US intelligence as essential parts of the Iranian program.
Siemens states that the collaboration is part of regular work to secure its products against cyber attacks, but this experience seems to have given the American laboratories the opportunity to identify the well-hidden PCS 7 flaws that Stuxnet exploited the following year.
The most secret part of the project concerned testing the worm directly on the enrichment machines, making sure that it would produce the desired effect.
The Iranians use P1 centrifuges originating from Pakistan, and the Israelis were able to procure a substantial number of them.
Knowing how to operate them was critical for the Stuxnet project. However, the US and Israel firmly deny having had any part in producing Stuxnet.
To carry out such a complex attack, some industry researchers have listed the variety of activities that allowed the worm to be effective against its targets:
- Programming of PLC controllers (MC7 & STL)
- Knowledge of the processes
- Knowledge of the target (intrusion)
- Possession of the internal programming suite (Step7 & WinCC)
- Possession of the files: S7P/TMP/MCP
- Possession of the internal Step7 API
- Development of a Windows kernel rootkit
- Development of exploits/shellcode
- Antivirus/security software subversion
- Persistent components, dropper, C&C
A Stuxnet report by the Institute for Science and International Security (Washington) says that since the second half of 2009, 984 centrifuges at Natanz have been stopped.
Below is a graphical representation of the worm's spread:
Finally, the 2013 Clusit Report shows that, among the fastest-growing attack categories, APTs are a reality with strong exponential growth.
References:
Official Analysis:
- Symantec Stuxnet Dossier
- Langner Communications blog
- DHS ICS-CERT
- ISIS Report
CNC G codes
G00 - Positioning at rapid speed; Mill and Lathe
G01 - Linear interpolation (machining a straight line); Mill and Lathe
G02 - Circular interpolation clockwise (machining arcs); Mill and Lathe
G03 - Circular interpolation, counter clockwise; Mill and Lathe
G04 - Dwell; Mill and Lathe
G09 - Exact stop; Mill and Lathe
G10 - Setting offsets in the program; Mill and Lathe
G12 - Circular pocket milling, clockwise; Mill
G13 - Circular pocket milling, counterclockwise; Mill
G17 - X-Y plane for arc machining; Mill and Lathe with live tooling
G18 - Z-X plane for arc machining; Mill and Lathe with live tooling
G19 - Z-Y plane for arc machining; Mill and Lathe with live tooling
G20 - Inch units; Mill and Lathe
G21 - Metric units; Mill and Lathe
G27 - Reference return check; Mill and Lathe
G28 - Automatic return through reference point; Mill and Lathe
G29 - Move to location through reference point; Mill and Lathe (slightly different for each machine)
G31 - Skip function; Mill and Lathe
G32 - Thread cutting; Lathe
G33 - Thread cutting; Mill
G40 - Cancel diameter offset; Mill. Cancel tool nose offset; Lathe
G41 - Cutter compensation left; Mill. Tool nose radius compensation left; Lathe
G42 - Cutter compensation right; Mill. Tool nose radius compensation right; Lathe
G43 - Tool length compensation; Mill
G44 - Tool length compensation cancel; Mill (sometimes G49)
G50 - Set coordinate system and maximum RPM; Lathe
G52 - Local coordinate system setting; Mill and Lathe
G53 - Machine coordinate system setting; Mill and Lathe
G54~G59 - Workpiece coordinate system settings #1 to #6; Mill and Lathe
G61 - Exact stop check; Mill and Lathe
G65 - Custom macro call; Mill and Lathe
G70 - Finish cycle; Lathe
G71 - Rough turning cycle; Lathe
G72 - Rough facing cycle; Lathe
G73 - Irregular rough turning cycle; Lathe
G73 - Chip break drilling cycle; Mill
G74 - Left hand tapping; Mill
G74 - Face grooving or chip break drilling; Lathe
G75 - OD groove pecking; Lathe
G76 - Fine boring cycle; Mill
G76 - Threading cycle; Lathe
G80 - Cancel cycles; Mill and Lathe
G81 - Drill cycle; Mill and Lathe
G82 - Drill cycle with dwell; Mill
G83 - Peck drilling cycle; Mill
G84 - Tapping cycle; Mill and Lathe
G85 - Bore in, bore out; Mill and Lathe
G86 - Bore in, rapid out; Mill and Lathe
G87 - Back boring cycle; Mill
G90 - Absolute programming
G91 - Incremental programming
G92 - Reposition origin point; Mill
G92 - Thread cutting cycle; Lathe
G94 - Per minute feed; Mill
G95 - Per revolution feed; Mill
G96 - Constant surface speed control; Lathe
G97 - Constant surface speed cancel
G98 - Per minute feed; Lathe
G99 - Per revolution feed; Lathe
CNC M Codes
M00 - Program stop; Mill and Lathe
M01 - Optional program stop; Lathe and Mill
M02 - Program end; Lathe and Mill
M03 - Spindle on clockwise; Lathe and Mill
M04 - Spindle on counterclockwise; Lathe and Mill
M05 - Spindle off; Lathe and Mill
M06 - Toolchange; Mill
M08 - Coolant on; Lathe and Mill
M09 - Coolant off; Lathe and Mill
M10 - Chuck or rotary table clamp; Lathe and Mill
M11 - Chuck or rotary table clamp off; Lathe and Mill
M19 - Orient spindle; Lathe and Mill
M30 - Program end, return to start; Lathe and Mill
M97 - Local sub-routine call; Lathe and Mill
M98 - Sub-program call; Lathe and Mill
M99 - End of sub program; Lathe and Mill