Part 2: Decoding the Complexity of PLCs

In part one of this series we explained how Programmable Logic Controllers (PLCs) have become key targets for cyber security attacks due to their legacy design, lack of built-in security features, and susceptibility to malware, and how newer PLCs are starting to incorporate more robust security features to help protect against these threats.

Before we can understand how PLCs can be targeted in attacks, we need to understand what they are, how they work and what can be targeted.

What is a PLC?

A PLC is a powerful computer that can be used to control a machine, small automation process, or an entire production line. Its main purpose is to control and automate industrial processes.

A PLC receives data from sensors and other input devices, processes it, and creates outputs based on its pre-programmed code logic and other parameters. It is also used for monitoring and recording run-time data, and can also start and stop processes automatically, generate alarms in the event of a machine malfunction, and more.

The logic and behavior of modern controllers can be changed and rewritten by engineers using specialized software, often called an engineering workstation, to write and deploy the code to the PLC.

Engineering workstation software allows engineers to modify the PLC code logic and perform other tasks, such as diagnosing, controlling and maintaining the PLCs, performing health checks on the PLC, viewing the current state of all its components, applying firmware upgrades and more.

The process of executing logic on the PLC consists of four main steps:

Developing the Logic: The engineer will use the capabilities of the engineering workstation to develop a new PLC program in one of the PLC programming languages available.

Compiling: This new logic is then converted to a machine readable format. To achieve this, the engineering workstation software compiles the program to a PLC-compatible bytecode or machine code, depending on the firmware and the architecture of the target PLC.

Firmware Download: Next, the engineering workstation will communicate with the PLC via its proprietary protocol and transfer the compiled firmware. This process is often referred to as “Download Procedure”, “Download Logic”, or “Download Configuration”.

Executing the Logic: Finally, the logic will be executed natively on the PLC’s CPU. When applicable, the PLC firmware may use a virtual machine decoder that transforms the intermediate bytecode to multiple native machine code instructions.

A working copy of the PLC logic can be obtained by performing an upload operation to read stored data from the PLC. This data also includes metadata the engineering workstation software requires, not just the compiled program the PLC needs to operate. This functionality is often used for maintenance and diagnostics purposes, but can also serve as a backup in case the engineer does not have a copy of the running logic.

Programming the PLC

The international standard for PLCs is IEC 61131. This standard was developed by the International Electrotechnical Commission (IEC) and provides a set of guidelines for the design, programming, and testing of PLCs.

The standard specifies five programming languages for PLCs:

Ladder Logic: A graphical programming language used to program PLCs. It resembles a ladder diagram with two vertical power rails and horizontal rungs connecting them. The rungs represent logic operations, and the rails represent power (on/off).

Sequential Function Chart (SFC): A graphical programming language used to program PLCs and other control systems. It uses a flowchart-like diagram to represent the sequential steps in a process and is used to create complex sequences of operations.

Function Block Diagram (FBD): A graphical programming language used to program PLCs and other control systems. It uses blocks to represent functions, such as logic operations, mathematical calculations, and input/output signals.

Structured Text (ST): A high-level, text-based programming language that uses statements to specify instructions for a PLC or control system. It is similar to the syntax of a conventional programming language like C or Pascal.

Instruction List (IL): A low-level, text-based programming language used in some PLCs. It consists of a list of instructions, each represented by a mnemonic code. IL is used to write programs in a more efficient and compact form compared to other ICS languages. IL is very similar to assembly programming languages.
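To make the compile, download and execute steps described above concrete, and to show what an Instruction List program looks like next to the ladder rung it expresses, here is an added example that is not part of the original post. It models a tiny IL dialect (the mnemonics LD, LDN, AND, ANDN, OR, ORN and ST), compiles it to a constructed bytecode, "downloads" that bytecode into a simulated controller and runs scan cycles on a small virtual machine with a single accumulator. The opcode numbers, the bytecode layout and the start/stop seal-in program are all constructed for this example and do not correspond to any vendor's real format.

```python
# Added example (not from the original post): toy IL compiler and PLC
# virtual machine modelling the compile -> download -> execute steps.
# The mnemonics, opcode numbers and bytecode layout are constructed and
# do not correspond to any vendor's real format.
from __future__ import annotations
from dataclasses import dataclass, field

# Opcode numbering is an assumption of this example.
OPCODES = {"LD": 0x01, "LDN": 0x02, "AND": 0x03, "ANDN": 0x04,
           "OR": 0x05, "ORN": 0x06, "ST": 0x07}

# Constructed IL program: the classic start/stop seal-in rung.
# Motor runs when Start is pressed and Stop is not, and keeps running
# through the Motor contact once Start is released.
IL_SOURCE = """
LD   Start
OR   Motor
ANDN Stop
ST   Motor
"""


def compile_il(source: str) -> tuple[bytes, list[str]]:
    """Step 2 (Compiling): turn IL text into constructed bytecode.
    Each instruction becomes two bytes: opcode, operand index.
    Returns the bytecode and the symbol table (index -> tag name)."""
    symbols: list[str] = []
    code = bytearray()
    for line in source.strip().splitlines():
        mnemonic, operand = line.split()
        if operand not in symbols:
            symbols.append(operand)
        code.append(OPCODES[mnemonic])
        code.append(symbols.index(operand))
    return bytes(code), symbols


@dataclass
class Plc:
    """Minimal controller image: bytecode plus the tag memory it acts on."""
    program: bytes = b""
    symbols: list[str] = field(default_factory=list)
    memory: dict[str, bool] = field(default_factory=dict)

    def download(self, program: bytes, symbols: list[str]) -> None:
        """Step 3 (Download): the workstation transfers compiled code."""
        self.program = program
        self.symbols = symbols
        for tag in symbols:
            self.memory.setdefault(tag, False)

    def scan(self, inputs: dict[str, bool]) -> dict[str, bool]:
        """Step 4 (Executing): one scan cycle. Read inputs, decode and run
        the bytecode on the VM accumulator, then return the memory image."""
        self.memory.update(inputs)
        acc = False
        for pc in range(0, len(self.program), 2):
            op, idx = self.program[pc], self.program[pc + 1]
            val = self.memory[self.symbols[idx]]
            if op == OPCODES["LD"]:
                acc = val
            elif op == OPCODES["LDN"]:
                acc = not val
            elif op == OPCODES["AND"]:
                acc = acc and val
            elif op == OPCODES["ANDN"]:
                acc = acc and not val
            elif op == OPCODES["OR"]:
                acc = acc or val
            elif op == OPCODES["ORN"]:
                acc = acc or not val
            elif op == OPCODES["ST"]:
                self.memory[self.symbols[idx]] = acc
            else:
                raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
        return dict(self.memory)


def run_demo() -> list[bool]:
    """Three scans: press Start, release it (seal-in holds), press Stop."""
    plc = Plc()
    plc.download(*compile_il(IL_SOURCE))
    states = []
    for start, stop in [(True, False), (False, False), (False, True)]:
        out = plc.scan({"Start": start, "Stop": stop})
        states.append(out["Motor"])
    return states


if __name__ == "__main__":
    print(run_demo())  # [True, True, False]
```

The accumulator-based VM is the part worth noticing: the same bytecode the workstation downloads is what a defender sees on the wire during a download procedure, and what an upload returns (together with the symbol table the workstation needs to display tag names).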

The standard also outlines requirements for the PLC's hardware, software, and communication interfaces, and ensures interoperability between different PLCs and systems. Adherence to this standard is important for ensuring the reliability, safety, and functionality of PLC-based control systems.

Targeting PLCs in Attacks

Most attack scenarios that involve a PLC revolve around accessing and exploiting the controller. PLCs are attractive targets for threat actors due to the large number of PLCs in typical industrial networks.

There are a number of ways an attacker could gain access to a PLC. Among them are:

Network Access: An attacker could potentially access a PLC through the network if it is connected to the internet without proper security measures in place.

Remote Access: Some PLCs are designed to allow remote access for maintenance and troubleshooting purposes, usually through an engineering workstation. If these communications are not properly secured, they can be exploited by an attacker.

Supply Chain Attack: An attacker could target the PLC during the manufacturing or distribution process, adding malicious code to the firmware or software before it reaches the end user.

The most common of these is accessing the PLC remotely. In order to do this, an attacker would need knowledge of the proprietary protocol that each PLC vendor developed and implemented. Using this protocol, the engineering workstation software can communicate with PLCs and perform various actions, including getting their status, performing SCADA operations, performing firmware upgrades, and performing upload/download procedures to modify or obtain the currently running logic.

From Victim to Predator

A new attack technique, dubbed Evil PLC, weaponizes the PLC and enables code execution upon an engineering connection/upload procedure. This technique uses the PLC as a pivot point to extend the attack and gain deeper access to the OT network.

Through this attack vector, the goal is not the PLC, but the engineering workstation. The engineering workstation is a great source for process-related information and usually has access to multiple PLCs in the network. This could allow an attacker to easily modify the logic on any PLC and perform a download procedure to change the PLC logic with their modifications, ultimately affecting the entire industrial site/plant.

Detecting PLC Attacks

The key to detecting attacks targeting PLCs is understanding the proprietary protocols that each PLC vendor developed and implemented. A deep understanding of the different protocols allows defenders to identify commands sent to the PLC, including identifying the download procedure used to change the PLC logic.
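Once a protocol decoder can name the function each message carries, the detection itself is a policy check over those names. The following added example (not code from the original post or from SCADAfence) runs that check over a constructed, vendor-neutral record of decoded PLC commands: it flags download and firmware-update functions that come from a host outside an assumed engineering-workstation allow-list or outside an assumed maintenance window, and it flags upload procedures to non-engineering hosts, which is the connection the Evil PLC discussion above turns on. The record format, function names, IP addresses, allow-list and window are all assumptions; a real deployment would feed them from the vendor-specific decoder and the site's asset inventory.

```python
# Added example (not from the original post): policy check over a
# constructed record of decoded PLC protocol commands. Function names,
# addresses, the allow-list and the maintenance window are assumptions.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class PlcCommand:
    ts: datetime
    src_ip: str      # host that issued the command
    plc_ip: str      # controller addressed
    function: str    # function name as decoded from the proprietary protocol


# Functions that change what the controller runs or how it runs.
LOGIC_CHANGE_FUNCTIONS = {"download_logic", "download_config", "firmware_update"}
# Functions that read the running program plus its workstation metadata.
LOGIC_READ_FUNCTIONS = {"upload_logic"}

# Assumed site policy: only these engineering workstations may change or
# read logic, and changes are expected only inside the maintenance window.
ENGINEERING_WORKSTATIONS = {"10.0.5.10"}
MAINTENANCE_WINDOW = (time(22, 0), time(6, 0))   # 22:00 to 06:00, wraps midnight


def in_maintenance_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the window (handles midnight wrap)."""
    start, end = MAINTENANCE_WINDOW
    t = ts.time()
    if start > end:
        return t >= start or t < end
    return start <= t < end


def assess(cmd: PlcCommand) -> list[str]:
    """Return the reasons this command deserves an alert (empty if none)."""
    reasons: list[str] = []
    if cmd.function in LOGIC_CHANGE_FUNCTIONS:
        if cmd.src_ip not in ENGINEERING_WORKSTATIONS:
            reasons.append("logic change from non-engineering host")
        if not in_maintenance_window(cmd.ts):
            reasons.append("logic change outside maintenance window")
    elif cmd.function in LOGIC_READ_FUNCTIONS:
        if cmd.src_ip not in ENGINEERING_WORKSTATIONS:
            reasons.append("logic upload to non-engineering host")
    return reasons


def parse_line(line: str) -> PlcCommand:
    """Parse one constructed 'timestamp src dst function' record."""
    ts, src, dst, func = line.split()
    return PlcCommand(datetime.fromisoformat(ts), src, dst, func)


# Constructed sample records (not real traffic).
SAMPLE_LOG = """\
2024-03-01T23:15:00 10.0.5.10 10.0.7.21 download_logic
2024-03-02T10:02:00 10.0.5.10 10.0.7.21 read_status
2024-03-02T10:03:30 10.0.9.44 10.0.7.21 upload_logic
2024-03-02T10:04:12 10.0.9.44 10.0.7.21 download_logic
2024-03-02T23:30:00 10.0.5.10 10.0.7.22 firmware_update
"""


def run_detection(log: str = SAMPLE_LOG) -> list[tuple[str, str, str, list[str]]]:
    """Evaluate every record and collect (src, plc, function, reasons) alerts."""
    alerts = []
    for line in log.splitlines():
        cmd = parse_line(line)
        reasons = assess(cmd)
        if reasons:
            alerts.append((cmd.src_ip, cmd.plc_ip, cmd.function, reasons))
    return alerts


if __name__ == "__main__":
    for src, plc, func, reasons in run_detection():
        print(f"ALERT {src} -> {plc} {func}: {'; '.join(reasons)}")
```

In the sample, the scheduled download and firmware update from the engineering workstation pass silently, while the upload and the daytime download from the unknown host 10.0.9.44 each produce an alert. Everything in the check depends on the decoder having correctly labelled the function, which is why the protocol knowledge comes first.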

For additional information about how SCADAfence can help keep your OT network secure, or to see the SCADAfence Platform in action, request a demo today.