Black Hat: Worm Growing in PLC

Monday, August 8, 2016 @ 02:08 PM gHale

By Gregory Hale
Stuxnet will have a long legacy within the industrial control system environment, but one of the positives of that assault is it is spawning ideas where researchers are thinking about new ways to attack and, therefore, protect systems.

One of those ideas is figuring out a way to infect programmable logic controllers (PLCs) from other PLCs.

Black Hat: Hacking a Car, Again
Black Hat: The Forensics Factor
Black Hat: Drone ICS Attack Possible
Black Hat: IT-OT Learning Curve

“After Stuxnet, we wanted to see if a worm could grow and expand in a PLC,” said Maik Bruggemann, software developer and security engineer at OpenSource Security, during his Thursday briefing at Black Hat USA 2016 in Las Vegas.

In the case of Stuxnet, the worm spread among the PCs of the Natanz enrichment facility in Iran by exploiting vulnerabilities in the Microsoft Windows operating system. The PLC software ended up modified to the point where the centrifuges ended up destroyed while operators thought the system was running in a normal fashion.

Taking that knowledge, Bruggemann wanted to see if a worm could spread only among the PLCs themselves, not using a PC. They would find a way to introduce it into the plant on a PLC and then allow it to spread to other PLCs.

In this test, Bruggemann’s team used a Siemens SIMATIC S7-1200v3. They wrote the worm in Structured Text (ST), one of the languages used to develop PLC software. Siemens current versions S7-1200v4 and S7-1500 are not susceptible to the attack.

To infect the initial PLC, the worm starts by initiating a connection to a probable target. Once there is a connection, the worm checks whether there is an infection already on the target. If no infection ends up detected the worm will stop the execution of the user program to enable the transfer of its own code. The worm then copies itself to the target and starts the target PLC again.

That is the beginning.

Bruggemann showed an example of an assembly line controlled by four PLCs. He was able to infect one. Once infected, the single PLC then passed along the virus to the three other PLCs, compromising the entire process.

Bruggemann then showed the line running and then what could happen after taking control. At one point the line is working in a normal fashion and when it got the command, the line ran wildly out of control. At another point it was able to kill the entire process.

While Bruggemann used a Siemens-based product, that was not the only supplier susceptible to the potential worm attack.

“We looked at vendors wondering if it was just Siemens. We checked PLCs from other vendors and there were other vendors that were vulnerable.”

There were certain products from Rockwell and Mitusbishi that were vulnerable as well, Bruggemann said.

In terms of preventing this type of attack, the PLC S7-1200v3 offers three different protection features and the OpenSource researchers evaluated how they worked. The one feature that worked against this attack was access protection, the researchers said. The feature prevents access to the PLC using the S7CommPlus protocol without a password. Three different protection levels are available. The access protection can protect the PLC against the worm attack.

“Traditionally such networks are well protected against attacks from the outside. By introducing a PLC already infected with the worm, the PLC is the origin of the attack and not just the target,” said OpenSource’s Ralf Spenneberg in a paper that accompanied the briefing. “Infected PLCs may be distributed by a supplier of an industrial component or during the transport of such a component. The worm may then spread internally and does not require any standard PCs or servers. It will therefore not be detected by any antivirus product. Furthermore, the plant operator has very few options to detect the malware on the PLCs.”