Threat Intelligence

11/9/2017
03:55 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Stealthy New PLC Hack Jumps the Air Gap

Researchers at Black Hat Europe next month will demonstrate a data-exfiltration attack on Siemens PLCs that uses combination of code manipulation and Radio Frequency (RF) emissions.

Once again, a new hack shatters the myth of the air-gapped industrial network.

Researchers have devised a sneaky reconnaissance attack that drops rogue ladder-logic code onto a Siemens programmable logic controller (PLC) to gather sensitive plant data from an industrial network with no Internet connection, and then siphons it remotely via Radio Frequency (RF) transmission. A nation-state or other hacker group could use the stolen information for a future attack that sabotages the plant's physical operations.

"We know that two-thirds of industrial networks are air gapped," says David Atch, vice president of research for CyberX, who along with CyberX researcher George Lashenko, will demonstrate their research at Black Hat Europe next month in London. "We decided to look for a way to [exfiltrate data from] the air-gapped network and we decided to try something more unique and with more of a cover" to avoid detection, he says.

Organizations often have a false sense of security if their networks are air-gapped, or isolated from the Internet. But the infamous Stuxnet attack, where a rigged USB stick carried malware into Iran's Natanz nuclear facility, demonstrated how it only takes one infected machine or device to get connected to the network to wreak destruction.

The ladder logic code Atch and Lashenko wrote for the Siemens S7-1200 PLC in their hack generates frequency-modulated RF signals that ride just under the AM radio band and encode the stolen data, which could be anything from network topology details to nuclear blueprints. The data gets decoded via a Software Defined Radio and PC connected to the targeted site with an antenna. The researchers say an attacker could either fly a drone over the plant to siphon the stolen recon, or set up the SDR and PC nearby for collection.

The malicious code is written to the storage architecture of the PLC so that it remains on the device even if the PLC gets rebooted. "These devices don't have radio transmitters," Atch notes, but the ladder-code logic makes the device generate a radio frequency.

There are no vulnerabilities per se that the researchers exploited, and it's an attack that could be waged on any vendors' PLC. Their attack basically takes advantage of the architecture and inherent weaknesses in industrial networks, which typically have weak or no authentication, for example. PLCs, which control physical processes such as water and power generation, don't run anti-malware due to their embedded real-time operating systems and limited memory and CPU, so they can be easily infiltrated with malicious logic code, the researchers note.

The attack would first require dropping that code onto the PLC. That could occur via the compromised laptop of a plant engineer performing maintenance, or a USB, for example, Atch explains.

Not the First PLC Breach

PLCs have been the darling of white-hat hackers since the discovery of Stuxnet in 2010. Stuxnet targeted an older model of Siemens' S7 PLC to ultimately sabotage centrifuges at Natanz. Since then, researchers have poked around at PLCs to explore other ways they can be abused by the bad guys.

Researchers at last year's Black Hat Europe in London, for instance, built a "silent" rootkit for PLCs that like CyberX team's, sat directly on the PLC. But it manipulated the I/O peripherals and PLC process and did not target the PLC logic code like CyberX's attack does.

Ali Abbasi and Majid Hashemi's rootkit ran in dynamic memory of the PLC, where they said it was less likely to be detected. "In our attack, the PLC logic and PLC runtime remain intact," which kept it hidden, Abbasi explained in an interview with prior to Black Hat Europe 2016. The rootkit can manipulate the I/O and PLC process, such as opening or closing a pressure valve.

And earlier that year at Black Hat USA in Las Vegas, researchers from OpenSource Security demonstrated PLC-Blaster, a PLC worm that spreads on its own among PLCs. Researchers Ralf Spenneberg and Maik Bruggemann used a Siemens S7-1200 PLC for their attack, demonstrating how malicious code can be added to a PLC and go undetected, issuing rogue commands to the operation of connected machinery. PLC-Blaster also searched for and infected other PLCs on the same network.

CyberX's Atch and Lashenko say their hack serves as another wakeup call for industrial network operators who think their systems are untouchable if they're not connected to the Internet, aka air-gapped. 

They were able to exfiltrate data from the Siemens PLC from a distance of one meter, but Lashenko says that distance could be extended with the right type of antenna and code. With a drone, that distance could be expanded to 10 meters, for example.

The best way to defend against air-gapped network attacks is to employ network monitoring to detect unusual activity in the network, notes Phil Neray, vice president of industrial security at CyberX. "If someone tried to download new ladder logic onto a PLC … it would be identified and generate an alert," he notes.

But unlike PCs, PLCs don't have authentication, antivirus, or endpoint detection and response agent tools to catch malware or suspicious activity. "Once an attacker gets into the PLC, it's easy and he can stay there a long time."

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11763
PUBLISHED: 2018-09-25
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
CVE-2018-14634
PUBLISHED: 2018-09-25
An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerabl...
CVE-2018-1664
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization headers exposes login credentials in browser cache. ...
CVE-2018-1669
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote atta...
CVE-2018-1539
PUBLISHED: 2018-09-25
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 could allow remote attackers to bypass authentication via a direct request or forced browsing to a page other than URL intended. IBM X-Force ID: 142561.