"Evil PLC Attack" weaponises PLCs to infect engineering workstations

Researchers demonstrate a proof of concept where hijacked programmable logic controllers can compromise engineering workstations to allow lateral movement.

Credit: Dreamstime

Most attack scenarios against industrial installations, whether in manufacturing or in critical infrastructure, focus on compromising programmable logic controllers (PLCs) to tamper with the physical processes they control and automate. 

One way to get malicious code running on PLCs is to first compromise a workstation that engineers use to manage and deploy programs on them, but this can be a two-way street: A hijacked PLC can also be used to compromise engineering workstations, and this opens the door to powerful lateral movement attacks.

In a new paper released over the weekend, researchers from industrial control systems (ICS) cybersecurity firm Claroty documented proof-of-concept “Evil PLC Attacks” against engineering software from seven ICS manufacturers: Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson.

“The attack targets engineers working every day on industrial networks, configuring and troubleshooting PLCs to ensure the safety and reliability of processes across critical industries such as utilities, electricity, water and wastewater, heavy industry, manufacturing, and automotive, among others,” the researchers said.

From malicious bytecode to malicious metadata

A PLC is essentially an embedded computer that controls machinery, a physical process, or a production line. It has its own CPU and runs a real-time operating system (RTOS) with vendor modifications and a bytecode interpreter. 

Engineers monitor and program PLCs from computers connected to them by using specialised engineering software that can be used to write the logic code, compile it to a format the PLC interpreter understands and deploy it.

Along with the compiled bytecode, also known as the ladder logic, the PLCs store a full copy of the developed project, including metadata such as program names and symbols, configuration files for hardware and network, memory mappings, I/O settings, variable declarations, parameters, and the source-code that the engineers developed. 

The PLC technically doesn’t need all this additional information to function, but it is stored there so that any other engineer connecting to the PLC can obtain a full copy of the project running on it so they can debug it or change it.

This means engineering software not only sends data to PLCs but also reads a lot of data back and parses it. Historically parsing data in different formats has been the source of many memory vulnerabilities and this case is no exception. 

In fact, the researchers argue that this proprietary software was not designed under the premise that the PLCs they connect to and their stored data can be fully trusted, so they lack many of the security checks for data parsing that a modern desktop application would have.

That doesn’t mean that finding vulnerabilities is easy since every vendor uses its own proprietary communication protocol to write and read data from their PLCs and the project files are stored using different packaging formats, some of them also proprietary. 

The researchers had to reverse-engineer these protocols and file formats for each of the analysed engineering software so they could understand what and how an attacker could modify it on the PLC to attack the connecting workstation.

This resulted in vulnerabilities being discovered and reported in:

  • TwinSoft, the engineering software used for OVARRO’s TBOX Platform
  • Automation Studio used for B&R’s (ABB) X20 System
  • EcoStruxure Control Expert (Unity Pro) used for Schneider Electric’s Modicon PLCs
  • ToolBoxST used by GE’s MarkVIe platform
  • Connected Components Workbench (CCW) used by Rockwell Automation’s Micro Control Systems PLC
  • PAC Machine Edition used by Emerson’s PACsystems
  • The XD PLC Program Tool used by Xinje’s XDPPro

The flaws ranged from path traversals to heap overflows and unsafe deserialisations, all resulting in arbitrary code execution on the engineering machine.

“For each target/platform we tried to understand the whole download/upload mechanism by reverse engineering the firmware and the engineering workstation software,” the researchers said in their paper. 

“Our goal was to find discrepancies between what the PLC is using and what engineering workstation is using. If we were to find such inconsistencies, we could weaponise the PLC through a malicious download procedure to store a specifically crafted piece of data that won’t affect the PLC, but when parsed by the engineering platform it will trigger and exploit a vulnerability.”

Lateral movement the biggest risk

The most obvious goal of such an attack is lateral movement inside an organisation’s OT (operational technology) network to achieve persistence. Attackers could compromise one engineering workstation that has not been isolated from the organisation’s general IT network or could even use an insider to plant malware on it.

For example, the Stuxnet worm that was used to destroy uranium enrichment centrifuges inside Iran’s Natanz nuclear plant is believed to have been deployed by an insider who worked as a mechanic for a third-party company doing work at the plant. Once deployed on a machine inside, the worm found its way to the PLCs controlling the centrifuges using a chain of zero-day exploits and sophisticated techniques.

Not all attackers might have Windows zero-day exploits available to build stealthy and sophisticated malware like Stuxnet, so they might need another way to spread through the network once they manage to infect a single workstation or poisoning the project files on a PLC is one way to do it.

PLCs can also be compromised remotely because many of them are connected to the internet through various remote management interfaces. According to scans on Shodan there are tens of thousands of SCADA and PLC devices connected to the internet. 

In April 2020, attackers managed to remotely gain access to systems used to control water treatment in Israel. In 2021, a similar attack impacted Oldsmar water treatment facility in Florida.

“Our research suggests that attackers could use the internet-facing PLCs as a pivot point to infiltrate the entire OT network,” the Claroty researchers said. 

“Instead of simply connecting to the exposed PLCs and modifying the logic, attackers could arm these PLCs and deliberately cause a fault that will lure an engineer to them. The engineer, as a method of diagnostics, will perform an upload procedure that will compromise their machine. The attackers now have their foothold on the OT network.”

The lateral movement through an Evil PLC attack can even happen across organisations because many companies rely on third-party system integrators or contractors to manage their PLCs, especially those deployed in remote locations. 

If attackers compromise such a PLC in a less secure location and know that it’s being serviced by a systems integrator or contractor, they could trigger a fault in the PLC to lure the traveling engineer to it and then compromise their computer. That engineer is likely to then connect to the OT networks of other organisations and spread the malicious payload.

On the other hand, the same attack vector could be turned against would-be attackers in a honeypot-like scenario where researchers or organisations could intentionally leave a weaponised PLC exposed to the internet and see if attackers target it. Since attackers have to use the same engineering software to interact with the PLC, their own machines could be exposed.

“This method can be used to detect attacks in the early stage of enumeration and might also deter attackers from targeting internet-facing PLCs since they will need to secure themselves against the target they planned to attack,” the Claroty researchers said.

Mitigating Evil PLC Attacks

All the vulnerabilities found by the Claroty researchers have been reported to the impacted manufacturers, who released patches or mitigation instructions. However, deploying patches inside OT networks can be a slow process. The researchers recommend that organisations deploy client authentication mechanisms where available, so that the PLC verifies the identity of every engineering workstation connecting to it and can accept connections from only specific systems.

Network segmentation and hygiene where different segments of the network that don’t need to talk to each other are isolated is also very important. Enabling traffic encryption and public-key authentication between PLCs and engineering workstations, where available, is also a good practice as well as general network traffic monitoring for suspicious connections.

News Related

OTHER NEWS

Everything You Need to Take Better Photos on Your Phone

Aleksandrs Muiznieks/Shutterstock.com Phone cameras are incredible. They’ve got cutting-edge hardware and software and are highly convenient since they’re always on you. But like traditional cameras, they work best with tripods, ... Read more »

Do multimillion-dollar dinosaur auctions erode trust in science?

At the turn of the 20th century, museums started funding excavations to unearth dinosaur bones. Credit: Museum Wales Dinosaurs are in the news these days, but it’s not just for ... Read more »

Native Americans' decades-long struggle for control over sacred lands is making progress

Mauna Kea Observatory, Hawaii, United States. Credit: Unsplash/CC0 Public Domain Who should manage public land that is sacred to Native Americans? That is the question that the United States government ... Read more »

WazirX fires 50-70 employees amid ED probe, dipping trade volume

IANS Indian crypto exchange WazirX fires 50-70 employees Cryptocurrency exchange WazirX fired about 50-70 employees on September 30 amid declining business, people familiar with the matter said.Employees from business development, ... Read more »

Startup of the Week: t2

 t2 was founded in 2021 Mengyao Han. The startup focuses on the curation value users contribute with their attention. t2 is a decentralised world for publishing and reading. Website: https://www.t2.world/ ... Read more »

YouTube Could Hide 4K Videos Behind a Paywall

ElenaR/Shutterstock.com Last year Google added an extra fee for YouTube TV subscribers trying to stream TV in 4K, and now it looks like the company could be ready to do ... Read more »

Black Panther: Wakanda Forever trailer 2 shows the new Black Panther

Marvel released the first emotional Black Panther: Wakanda Forever trailer during Comic-Con in July, giving us a few teasers of what’s to come in the sequel. We haven’t seen any ... Read more »

Flying under the radar: Multi-drug-resistant bacteria hides among gut bacteria of asymptomatic human carriers

A 3D representation of the human gut microbiome where CPE and diverse bacteria reside. Credit: A*STAR’s Genome Institute of Singapore Scientists from A*STAR’s Genome Institute of Singapore (GIS) have discovered ... Read more »

A better way to find RNA virus needles in database haystacks

Graphical overview of the pipeline starting with the RNA Virus MetaTranscriptomes (RVMT) database to uncover the expansion in RNA virus diversity. Credit: Simon Roux A zoo once offered a coloring ... Read more »

Internet cable reveals the source of underwater vibrations

Credit: Pixabay/CC0 Public Domain Scientists have harnessed Internet-transmitting fiber-optic cables to overcome a long-standing geophysical challenge: identifying where seismic noise in the ocean originates. Tiny vibrations of Earth called microseisms ... Read more »

A high-performance catalyst that dissolves polyester and realizes chemical recycling

Catalyst development not only for efficient conversion of plant oils (FAEs) to value added chemicals (fine chemicals) and raw materials for polymers, but also for efficient depolymerization (chemical recycling) of ... Read more »

Opinion: Why we need to ban gas in New York State buildings

Credit: Pexels I would never smoke in my apartment, but for my entire adult life I have been polluting my home by cooking and heating with gas. A 2020 report ... Read more »

Success in synthesizing biodegradable plastic materials using sunlight and CO2

Visible light-driven 3-hydroxybutyrate production from acetone and CO2: Utilizing sunlight and biocatalysts, Osaka Metropolitan University scientists synthesized 3-hydroxybutyrate, a biodegradable plastic material, from acetone and CO2. Mimicking natural photosynthesis, the ... Read more »

Flexible solid electrolytes for all-solid-state lithium batteries

Photographs of ultrathin Li6.4La3Zr1.4Ta0.6O12-based film. Credit: Qingya Guo, Ningbo Institute of Materials Technology and Engineering Garnet-type solid electrolytes are attracting great interest due to high ionic conductivity and excellent electrochemical ... Read more »

Uncovering the secrets of materials degradation in a lithium-ion battery

Schematic diagram of KIST battery analysis platform. Credit: Korea Institute of Science and Technology (KIST) Amid global efforts towards carbon neutrality, automakers all over the world are actively engaged in ... Read more »

Investigating the impact of new energy efficient streetlights on insects

Credit: Pixabay/CC0 Public Domain New energy efficient streetlights are playing a major role in influencing insect behavior, says NIWA. The discovery comes from a four-year study investigating Ōtautahi—Christchurch city’s switch ... Read more »

National Cinnamon Roll Day Is Tomorrow: Freebies at Cinnabon, Cinnaholic and More

Don’t miss out on BOGO cinnamon rolls. Cinnabon While you’re out grabbing your morning or afternoon coffee, don’t forget to pick up a cinnamon roll tomorrow. Tuesday, Oct. 4 is National ... Read more »

Combining 3D printing and sensors for safer, cheaper flying

Credit: Frank Peters, Shutterstock The aeronautical industry has transitioned to the use of advanced composite materials because of their lightweight properties, strength and durability. Together with increased aircraft productivity and ... Read more »

European observatory NOEMA reaches full capacity with twelve antennas

Observations of unprecedented quality: the NOEMA observatory uses its antennas to scour the universe in the radio range. Credit: Jérémie BOISSIER / IRAM The NOEMA radio telescope, located on the ... Read more »

Cosmic ray protons reveal new spectral structures at high energies

Observation of Spectral Structures in the Flux of Cosmic-Ray Protons from 50 GeV to 60 TeV with the Calorimetric Electron Telescope on the International Space Station. Credit: Waseda University Cosmic ... Read more »

What is a wetland? An ecologist explains

Credit: Unsplash/CC0 Public Domain Wetlands are areas of land that are covered by water, or have flooded or waterlogged soils. They can have water on them either permanently or for ... Read more »

How cells turn independent and regulate functions

Credit: Pixabay/CC0 Public Domain With his thesis, Jacob Lewerentz, Department of Molecular Biology at Umeå University, contributes to the knowledge about how cells regulate their protein level and adapt to ... Read more »

Do plants have a microbiome?

Credit: A3pfamily, Shutterstock Our bodies are home to trillions of invisible microorganisms, including bacteria, fungi, viruses and miniscule animals. These live on our skin, in our mouths, even within our ... Read more »

New Tai Chi Skilled Robot is Built on Human-Centered Intelligence

As part of her assistive technology research, an assistant professor of biomedical engineering created a sophisticated humanoid robot. (Photo: Jerhard Janson/Pixabay)Robot Action Figure Humanoid Robot Skilled in Tai Chi The ... Read more »

Allcargo opens 100 acre logistics park in Malur

Agencies According to company’s chairman Shashi Kiran Shetty, Allcargo Logistics’ record performance is a result of sustained strategic initiatives over last few years. Publicly listed logistics solution provider Allcargo Logistics ... Read more »

Supreme Court to scrutinize US protections for social media

ReutersThe US Supreme Court on Monday agreed to hear a challenge to federal protections for internet and social media companies freeing them of responsibility for content posted by users in ... Read more »

Apple loses second bid to challenge Qualcomm patents at US Supreme Court

ReutersThe US Supreme Court on Monday again declined to hear Apple Inc’s bid to revive an effort to cancel three Qualcomm Inc smartphone patents despite the settlement of the underlying ... Read more »

IT Consumption can’t be stopped, but it can be more sustainable

Written by Simon Young, Director and VP Sales, UK and Ireland for CHG-MERIDIAN UK business leaders face a triple-headed challenge. As well as dealing with a challenging economy, and environmental ... Read more »

Tesla’s First Robot Demo Was Very Disappointing

Tesla Friday was AI Day 2022 at Tesla, and the company revealed an actual Optimus humanoid robot prototype. Last year the company simply brought on a man in a robot ... Read more »

How planting trees in some areas could actually increase atmospheric warming

Net equivalent carbon stock change obtainable from the afforestation of suitable nonforested drylands.(A to G) NESC outcomes calculated as the net difference between the carbon sequestration potential (ΔSP) and the ... Read more »

Using AI to target a laser for killing roaches

Summary diagram of the laser setup: 1—transparent box containing cockroaches, 2—Pi cameras, 3—Jetson nano, 4—laser, 5—galvanometer, 6—laser beam, L—distance between laser device and target. Credit: Oriental Insects (2022). DOI: 10.1080/00305316.2022.2121777 ... Read more »

7 Qualities To Look For In An eLearning Course Development Software

Photo : fauxels Among the factors that promote effective learning is the use of an eLearning authoring tool to produce good training content. Despite the abundance of commercially accessible learning ... Read more »

Alternative earnings disclosures are high-quality if women are on board

Credit: Pixabay/CC0 Public Domain Firms are likely to be more transparent about their alternative earnings if there are at least three women on their board, new research published in the ... Read more »

Not enough: Protecting algae-eating fish insufficient to save imperiled coral reefs, study concludes

Turbinaria algae coat the corals, foreground, at a north shore reef on the French Polynesian island of Mo’orea. Turbinaria is a genus of brown algae found primarily in tropical marine ... Read more »

Artificial enzyme splits water more efficiently

Enzyme-like water preorganization in front of a Ruthenium water oxidation catalyst. Credit: Würthner group / University of Wuerzburg Mankind is facing a central challenge: It must manage the transition to ... Read more »

There was one person who didn’t embarrass himself in the Elon Musk texts

Agencies The text by Musk was in response to the micro-blogging platform’s decision to seek information from the SpaceX boss on how he planned on acquiring the money for the ... Read more »

Disney Channels Like ESPN, FX Restored to Dish, Sling TV After Blackout, Report Says

Disney and Dish made a temporary deal as they work on a contract extension. Read more »

The promising impact of Web3 on data privacy and security

As we continue to enjoy user-generated content (UGC) and applications enabled by the current Social Web (Web 2.0), we cannot ignore the imminent rise of Web 3.0 (Web3). Dubbed the ... Read more »

Hospitality tech start-up hires ex Novus Marketing Director as Chief Marketing Officer

Ambl – the brand-new platform set to transform and build recovery for the hospitality industry by matching people with real-time availability – has announced the appointment of Simon Gaske as ... Read more »

New forensic analysis of electronical devices unveils dangers of inadequate data disposal for individuals and businesses

Thousands of sensitive documents recovered from the laptops purchased online which their owners believed to have been ‘wiped’. Personal data found across 80% of devices searched. 366 files recovered contained ... Read more »
Breaking thailand news, thai news, thailand news Verified News Story Network