Part 1: The Invisible Enemy
Programmable Logic Controllers (PLCs) are an essential part of industrial manufacturing plants. They are widely used in industrial control systems (ICS) to automate processes in critical infrastructure sectors such as energy, water, and transportation.
In addition to their day-to-day operational activity, these connected devices generate and exchange vast amounts of security-critical information. For this reason, they have become key targets for a growing number of cyber security attacks.
PLCs , being legacy, old-school, devices, are not designed to deal with security risks, such as protecting against malicious network payloads. PLCs were originally designed as closed-loop control systems that did not require extensive security measures because they were physically isolated from the outside world. As a result, most of the older PLCs do not have built-in security features or security protocols, which makes them vulnerable to cyber-attacks.
Additionally, lack effective authentication between PLCs and remote repositories or engineering workstations. The firmware of PLCs is susceptible to changes through unsecured remote repositories. This potentially allows malicious code into the PLCs' code base, rendering them vulnerable.
In addition, many older PLCs have proprietary operating systems, which means they are not regularly updated with security patches and fixes like mainstream operating systems. This makes them more susceptible to malware and other security threats.
Overall, due to their age and design, PLCs are not well-equipped to deal with the complex and sophisticated security threats that are common in today's digital landscape. However, newer PLCs are starting to incorporate more robust security features to help protect against cyber-attacks.
Moreover, as cyber-attacks become increasingly popular, a wider attack interface is introduced for connected PLCs, expanding public Internet interfaces. This makes on-going threats hard to detect, since even a slight change to the configuration files of vulnerable PLC systems can produce serious faulty results.
Attacks Targeting PLCs
One of the most well-known PLC attacks is Stuxnet, which was discovered in 2010. The malware was specifically designed to target SCADA systems and is believed to be responsible for causing substantial damage to Iran’s nuclear program.
Stuxnet specifically targeted PLCs, which allow the automation of electromechanical processes such as those used to control machinery and industrial processes including gas centrifuges for separating nuclear material. Stuxnet targeted machines which used Microsoft Windows operating systems and networks, then sought out Siemens SIMATIC Step7 software, utilizing 4 zero-day vulnerabilities in the process. According to reports, Stuxnet infiltrated Iranian PLCs, gathered data from industrial systems, and caused the fast-spinning centrifuges to self-destruct.
The infected rootkit was introduced by Stuxnet onto the PLC and Step7 software, modifying the code and giving unexpected commands to the PLC while returning a loop of normal operation system values back to the users.
Stuxnet was a precision weapon that searched for specific software to install on and certain equipment to be connected to a system. If these were not found, it self-destructed. If it did locate the exact configuration it was seeking, it altered and sabotaged Siemens PLC code by directly introducing ladder logic code into them.
While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a PLC rootkit. The sophistication of the attack demonstrated that PLCs were vulnerable to advanced cyber threats.
LogicLocker is another widely known attack on programmable logic controllers (PLCs) that operates as a cross-vendor ransomware worm. This malware can take control of multiple PLCs from major manufacturers and has the capability to plant a logic bomb within the system and can also bypass weak authentication mechanisms and lock out authorized users.
Depending on the PLC's functionalities, the worm can propagate from the PLC to the corporate network through lateral movement after the initial infection. Once inside the network, the threat actor may prevent restoration efforts by locking out legitimate users using various tactics such as password changes, OEM Locking, excessive PLC resource usage, or altering IP/Ports.
Using a water treatment plant model, researchers demonstrated the ability to manipulate the system by displaying false readings, shutting valves, and modifying Chlorine release to poisonous levels. This was accomplished using Schneider Modicon M241, Schneider Modicon M221, and Allen Bradley MicroLogix 1400 PLCs.
Other Threats to PLCs
Hacking the PLC Configuration
A PLC application usually has its own separate memory space. It may store local strings and variables on default memory locations, as well as configurations in a human readable text format at these default locations.
Threat actors could potentially target these configuration files once they are logged on to the PLC by introducing malicious logic in the Ladder logic, which by default, gives users root access. They could then change these configurations, affecting the normal workflow of the PLC. It may also produce unwanted or unpredictable results.
Hacking the PLC Operating System
Many PLCs run a Linux distribution, which may contain many vulnerabilities. Because Linux code is not type safe, it is vulnerable to various buffer overflow attacks.
Many Linux-based systems have their SSH port opened for debugging. This could allow threat actors to take control of the PLC remotely.
PLCs can be easily exposed to malicious communication channels. Within the network of PLCs, an infected PLC will scan the network and look for new targets. These new targets will be infected by the already-infected source PLC.
Modifying the User Space Programs
Threat actors could change the PLC programs once they are logged on to the PLC, which by default may give users access to modify the program and install garbage programs.
Anyone with access to the PLC could monitor data traffic patterns through output/input pins and easily predict the data processed on it. This passive attack could hurt confidentiality of data of PLCs.
Return Oriented Programming Attack
Threat actors might target the logic of PLCs. This could steer the operation of devices away from normal execution paths. It could also lead to damaged equipment or facilities, or cause process malfunction and disabled controls over a process.
The increased risk of access of malicious users to SCADA components, increases the risk to the PLC code itself. Attacks against the PLC components are easy to carry out by a sophisticated attacker. For example, just by looking at the ladder logic code, it is possible to determine the most likely points of entry into the PLC CPU from an outside source.
Once access to the network is achieved, the entire PLC network is open for attack. Sophisticated attackers, with working knowledge of the system and ladder logic, may be able to access the PLC system directly.
Three main factors contribute to the likelihood of PLC attacks:
- The lack of understanding of all of the exposed entry points into the automation system.
- The lack of sufficient training by current PLC code developers. This creates a culture of trial and error programming, which is due to a lack of best practices standards.
- The lack of tools which can be implemented and used to test current and future code, both after and during development.
The SCADAfence platform identifies the assets in the network, including PLCs, and finds the relevant vulnerabilities on each asset, assisting in finding exposed entry points in the system and security flaws which render the network vulnerable to PLC attacks.
The SCADAfence platform monitors network traffic, and detects network communications to and from PLCs in the network, including new or unauthorized connections, or connections to external networks, which expose the asset to attacks. This includes detection of attempts to modify the PLC configuration or code, and detection of attempts to disrupt or alert the PLC activity, all steps an attacker may take in an attack targeting PLCs. The platform also detects changes made to the PLC configuration or the PLC firmware.
The platform also detects activity that might potentially be related to ICS malware activity, such as Black Energy and Industroyer.
For additional information or to see the SCADAfence Platform in action, request a demo today.