Claroty's Team82 security researchers have discovered a new attack technique against industrial plants: the Evil PLC attack. Programmable logic controllers (PLCs) can be used to trigger engineering workstations into running malicious code that manipulates processes or deploys ransomware.
Programmable logic controllers (PLCs) are essential industrial devices that regulate manufacturing processes in every critical infrastructure sector. This makes them an attractive target for cybercriminals and state-sponsored attackers, as the Stuxnet attack on Iran's nuclear program showed. Security researchers at Team82, the research arm of cyber-physical systems (CPS) security specialist Claroty, have now demonstrated that industrial control systems can act not only as a target but also as a weapon: a PLC can be used to attack engineering workstations, spread and execute malicious code, and penetrate further into OT and corporate networks. This new attack technique, called the "Evil PLC attack", was carried out successfully as proof-of-concept exploits against products from seven well-known automation manufacturers (Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO and Emerson). Most of the affected manufacturers have since published corresponding updates, patches or mitigations against Evil PLC attacks.
Evil PLC attack
Most attack scenarios involving a PLC revolve around gaining access to and exploiting the controller itself. PLCs are attractive targets because a typical industrial network contains dozens of them performing various operations. An attacker who wants to physically disrupt a specific process must first identify the relevant PLC, which is a relatively complex task. The security researchers took a different approach and treated the PLC as a tool rather than as the target, using it to reach the engineering workstation: the engineering workstation is the best source of process-related information and has access to every other PLC in the network. With that access and information, an attacker can easily change the logic on any PLC.
The quickest way to get a technician to connect to an infected PLC is for the attackers to make the PLC malfunction or report a fault. This forces the technician to connect with the engineering workstation software in order to troubleshoot. During the investigation, this new attack vector was executed against several widely used ICS platforms. In each platform the researchers found vulnerabilities that allowed them to manipulate the PLC so that specially crafted auxiliary data, returned during an upload operation, causes the engineering workstation to execute malicious code. For example, workstations were infected with ransomware via the Schneider Electric M580 and Rockwell Automation Micro800 controllers and the GE Mark VIe control system.
PLC misused as the linchpin
“We consider the Evil PLC attacks to be a new attack technique. This approach attacks the PLC with data that is not necessarily part of a normal static/offline project file, and allows code to execute on an engineering connect/upload operation,” explains Sharon Brizinov, Director of Security Research at Claroty. “With this attack vector, the target is not the PLC, as was the case with the Stuxnet malware, for example, which covertly altered the PLC logic to cause physical damage. Instead, we wanted to use the PLC as a fulcrum to attack the engineers and workstations and to gain deeper access to the OT network.” It is worth noting that all the vulnerabilities found were on the engineering workstation software side, not in the PLC firmware. In most cases, the vulnerabilities stem from the software fully trusting the data coming from the PLC without performing thorough security checks.
More at claroty.com
About Claroty
Claroty, the Industrial Cybersecurity Company, helps its global customers discover, protect and manage their OT, IoT and IIoT assets. The company's comprehensive platform integrates seamlessly into customers' existing infrastructure and processes and offers a wide range of industrial cybersecurity controls for visibility, threat detection, risk and vulnerability management and secure remote access, with significantly reduced total cost of ownership.