What is S7?
S7 (often written S7comm) is the communication protocol of Siemens SIMATIC S7 PLCs. It is used for data exchange between Siemens PLCs, HMIs, SCADA systems, and programming tools. The protocol is proprietary to Siemens, and in its classic form (as spoken by S7-300/400 CPUs) it is neither encrypted nor authenticated.
S7 is widely used in industrial automation, particularly in manufacturing, process, and infrastructure environments that use Siemens controllers.
How does the S7 protocol work?
- Based on TCP/IP
  - S7 runs on TCP port 102 (ISO-on-TCP, RFC 1006): a TPKT header, then a COTP transport PDU, then the S7 PDU itself
  - Traffic flows between, for example, a SCADA system and a PLC, or between an engineering station and a PLC
- Read and write operations
  - External systems can read or write memory areas (data blocks, inputs/outputs, flag memory)
  - Functions such as "Start/Stop PLC", upload/download of program blocks, and status monitoring are ordinary protocol functions
- No native security (S7-300/400)
  - Traffic is not encrypted
  - No cryptographic authentication: any host that can reach port 102 can issue these commands, so traffic is open to interception and manipulation
Newer controllers such as the S7-1200/1500 use S7comm Plus; with current firmware and TIA Portal versions this communication can additionally be protected with TLS and certificates.
Application in industrial environments
- Communication between Siemens PLCs and SCADA systems (e.g. WinCC)
- Programming and configuration via Engineering Station (e.g. TIA Portal, STEP 7)
- Interface to Historian or MES
- Diagnostics and remote monitoring via industrial VPN or Remote Access
Common sectors:
- Automotive industry
- Food and beverage industry
- Water management
- Infrastructure (tunnels, bridges)
S7 variants and security
| S7 type | Characteristic | Security |
|---|---|---|
| S7-300/400 | Classic PLCs, many legacy systems | No encryption, no authentication |
| S7-1200/1500 | Newer generation, TIA Portal integration | S7 Comm Plus with TLS possible |
| S7 Comm Plus | Secured version with certificates (S7-1200/1500) | Encryption, integrity checking |
Secure communication is not on by default: it must be configured separately and requires certificate management for the CPU and for every engineering station or HMI that talks to it.
Security aspects
S7 is vulnerable to:
- Unauthorised access: any host that can reach TCP port 102 can open a session with the CPU
- Man-in-the-middle attacks: unencrypted, unauthenticated traffic can be read and altered in transit
- Unauthenticated control and logic modification (Stop/Start, block download, memory writes), which in effect amounts to remote code execution on the controller
Recommended measures:
- Use an industrial firewall with DPI on S7 traffic, allowing only the function codes each source actually needs
- Segment networks via VLANs or a zones-and-conduits model
- Disable write access where possible (e.g. via the CPU protection or access level)
- Use only verified engineering stations
- Monitor traffic with an IDS or anomaly detection
Malware such as Stuxnet exploited unauthenticated S7 communication to modify PLC logic.
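The DPI and monitoring recommendations above come down to one check: which source is allowed to issue which S7 function. The following added example (not code from the original page, and not a product feature) classifies S7comm Job PDUs by function code and evaluates them against an illustrative per-host policy, the way an IDS rule or a DPI firewall would. The IP addresses, the policy and the captured-looking frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Added example, not code from the original page: S7comm function-code classification
# against a per-source policy. Hosts, policy and sample frames are constructed assumptions.

# Function codes of the S7comm Job parameter block (classic S7-300/400 protocol).
S7_FUNCTIONS = {
    0x04: "read_var", 0x05: "write_var",
    0x1A: "request_download", 0x1B: "download_block", 0x1C: "download_ended",
    0x1D: "start_upload", 0x1E: "upload", 0x1F: "end_upload",
    0x28: "plc_control", 0x29: "plc_stop", 0xF0: "setup_communication",
}
# Functions that change controller state or logic; these should be rare and tied to change windows.
CONTROL_FUNCTIONS = {"write_var", "request_download", "download_block", "download_ended",
                     "plc_control", "plc_stop"}

# Illustrative policy: the engineering station may do anything, the HMI may only read.
ALLOWED = {
    "10.0.1.10": set(S7_FUNCTIONS.values()),          # engineering station (TIA Portal / STEP 7)
    "10.0.1.20": {"setup_communication", "read_var"},  # HMI
}


def s7_function(payload):
    """Return (ROSCTR, function code) for an S7comm PDU carried in TPKT/COTP DT, or None if not S7."""
    if len(payload) < 17 or payload[0] != 0x03 or payload[5] != 0xF0 or payload[7] != 0x32:
        return None
    rosctr = payload[8]
    plen = struct.unpack(">H", payload[13:15])[0]
    hdr_end = 7 + (12 if rosctr in (2, 3) else 10)  # Ack/Ack-Data headers carry two extra error bytes
    if plen == 0 or len(payload) <= hdr_end:
        return None
    return rosctr, payload[hdr_end]


@dataclass(frozen=True)
class Alert:
    severity: str
    src: str
    dst: str
    function: str
    reason: str


def inspect_flows(flows, allowed=ALLOWED):
    """Evaluate (src_ip, dst_ip, tcp_payload) records against the policy and return alerts in order."""
    alerts = []
    for src, dst, payload in flows:
        parsed = s7_function(payload)
        if parsed is None or parsed[0] != 0x01:  # only Jobs (requests) carry the action; replies are Ack-Data
            continue
        name = S7_FUNCTIONS.get(parsed[1], f"unknown_0x{parsed[1]:02x}")
        if name not in allowed.get(src, set()):
            alerts.append(Alert("high", src, dst, name, "source not permitted to issue this S7 function"))
        elif name in CONTROL_FUNCTIONS:
            alerts.append(Alert("medium", src, dst, name, "state-changing function from an authorised station"))
    return alerts


# Constructed flows: HMI read, HMI write (violation), engineering-station PLC Stop (audit),
# PLC Stop from an unknown host (violation), and a CPU reply (ignored, not a Job).
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.2.5", bytes.fromhex(
        "0300001f02f080320100000001000e00000401120a10020004000184000000")),
    ("10.0.1.20", "10.0.2.5", bytes.fromhex(
        "0300002502f080320100000002000e00060501120a10020002000184000000000400100001")),
    ("10.0.1.10", "10.0.2.5", bytes.fromhex(
        "0300002102f0803201000000030010000029000000000009505f50524f4752414d")),
    ("10.0.5.7", "10.0.2.5", bytes.fromhex(
        "0300002102f0803201000000030010000029000000000009505f50524f4752414d")),
    ("10.0.2.5", "10.0.1.20", bytes.fromhex(
        "0300001d02f0803203000000010002000800000401ff040020deadbeef")),
]
```

Because the classic protocol carries no authentication, the source address is the only thing a firewall or IDS can key on; that is why the text pairs DPI with segmentation and verified engineering stations, and why even an allowed PLC Stop is worth a medium-severity audit event.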
In summary
S7 is the widely used communication protocol for Siemens PLCs, but in its classic form has little or no built-in security. Newer S7 generations offer more security options, but require deliberate configuration and network protection.
