The proliferation of programmable logic controllers (PLCs) with web servers embedded within them has provided attackers with a way to launch potentially catastrophic remote attacks against operational technology (OT) for industrial control systems (ICS) in critical infrastructure sectors.
To highlight the threat, a team of researchers at the Georgia Institute of Technology developed malware that an adversary could use to remotely access a web server embedded within a PLC and attack the underlying physical system. An attacker could use the malware to manipulate output signals to actuators, spoof sensor readings, disable safety systems and perform other actions that could trigger potentially devastating outcomes, including even loss of life, the researchers said.
PLCs are the components of ICS that control the operation of physical processes and machinery within various manufacturing, industrial and critical infrastructure contexts. The PLC receives input from various connected sensors and other input sources, and uses that data to send commands to physical systems based on pre-programmed control logic. The goal of PLC malware in general is to influence output in such a way as to disrupt or sabotage the physical process that a PLC may be controlling.
A web-based PLC malware similar to Stuxnet
Often, malware targeting PLC and ICS systems requires attackers to have some type of physical or network access to the target environment, and it is often platform specific and easily erasable via factory reset. In their paper, Georgia Tech researchers Ryan Pickren, Tohid Shekari, Saman Zonouz, and Raheem Beyah described their web-based PLC malware as fundamentally different.
Most PLC malware typically infects the firmware or control logic of controllers, while the new web-based malware attacks the front-end web layer in PLCs with malicious JavaScript, eliminating some of the limitations that such malicious code has faced in the past.
“This approach has significant advantages over existing PLC (control logic and firmware) malware techniques, such as platform independence, ease of deployment, and higher levels of persistence,” the researchers said.
However, the outcomes of attacks with the new strain are the same as those of other successful PLC attacks. In the $1 billion Stuxnet campaign, for example, which some have attributed to the US and Israeli governments, attackers targeted Siemens PLCs to spin high-speed centrifuges at Iran’s Natanz uranium enrichment facility so fast that they essentially destroyed themselves.
Since then there have been numerous other attacks that have highlighted the damage that adversaries can unleash on systems that control physical processes. Notable examples include the BlackEnergy malware used by Russian threat actors to disrupt Ukraine’s electricity grid in 2016; the Triton/Trisis attack on a Schneider safety system at a petrochemical plant in Saudi Arabia; and Incontroller, a set of malware tools targeting PLCs from Schneider and Omron.
PoC Cyber Attack: Easier to Implement and More Persistent
The web-based attack developed by the researchers basically involved a test scenario in which a threat actor executes a Stuxnet-like attack on a widely used PLC that, in this case, controlled an industrial motor similar to one used to power centrifuges during uranium enrichment. Like many modern PLCs, the one used by the researchers featured a web-based interface for remote monitoring, programming and configuration.
For the test scenario, the researchers assumed that the plant where the PLC is located had engineering workstations connected to both the corporate and industrial networks. The researchers also assumed that the attacker had some basic knowledge about the physical process controlled by the test PLC and some other non-specific details of the environment.
In their paper, the researchers described how an attacker could gain initial access to the PLC by remotely injecting malicious code into the web server in various ways and then using its legitimate application programming interfaces (APIs) to disrupt the underlying machinery. One of the test scenarios involved the attacker tricking an ICS operator into visiting a malicious web page that automatically downloads PLC malware into the PLC web application by chaining three distinct zero-day vulnerabilities the researchers discovered in the web application.
Among other things, the web-based PLC (WB PLC) malware developed by the researchers would have allowed an attacker to physically damage the industrial motor the PLC was controlling, abuse administration settings for further compromise, and steal data for industrial espionage.
“Our Web PLC malware resides in PLC memory, but is ultimately executed client-side by various browser-equipped devices throughout the ICS environment,” the researchers noted. “From there, the malware uses browser-based environmental credentials to interact with the PLC’s legitimate web APIs to attack the underlying real-world machinery.” This type of malware is easier to control and is mostly platform independent, they said.
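Because the malware described above persists as web content served by the PLC itself and runs in operators' browsers, one practical defender-side check is to baseline the controller's web front end and periodically compare what it serves against that baseline, flagging modified files, resources that were never part of the front end, unexpected inline scripts, and references to scripts hosted off the controller. The following is an added example written for this article, not code from the Georgia Tech researchers or from any PLC vendor; the resource paths, page contents and hashes are all constructed stand-ins for a hypothetical controller, and in practice the `current` dictionary would be filled by fetching each baseline path from the PLC's web server over the engineering network.

```python
import hashlib
import re
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a served resource body."""
    return hashlib.sha256(data).hexdigest()


# Constructed known-good front end of a hypothetical PLC, captured from a freshly
# provisioned controller. Only the hashes need to be kept for later audits.
BASELINE_CONTENT: Dict[str, bytes] = {
    "/index.html": (
        b"<html><head><script src='/app.js'></script></head>"
        b"<body>Motor control</body></html>"
    ),
    "/app.js": b"function readSpeed(){return fetch('/api/motor/speed');}",
}
BASELINE_HASHES: Dict[str, str] = {p: sha256_hex(b) for p, b in BASELINE_CONTENT.items()}

# <script src="..."> references and inline <script>...</script> bodies.
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc=['\"]([^'\"]+)['\"]", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)


def audit_resources(current: Dict[str, bytes], baseline_hashes: Dict[str, str]) -> List[str]:
    """Compare resources currently served by the PLC against the baseline.

    Returns a list of human-readable findings; an empty list means the served
    front end matches the baseline and contains no unexpected script content.
    """
    findings: List[str] = []
    for path, body in current.items():
        expected = baseline_hashes.get(path)
        if expected is None:
            findings.append(f"UNEXPECTED resource served: {path}")
        elif sha256_hex(body) != expected:
            findings.append(f"MODIFIED resource: {path}")

        # Inspect HTML documents for script content that the baseline never had.
        if path.endswith(".html") or b"<html" in body[:512].lower():
            text = body.decode("utf-8", errors="replace")
            for src in SCRIPT_SRC_RE.findall(text):
                if src.startswith(("http://", "https://", "//")):
                    findings.append(f"EXTERNAL script reference in {path}: {src}")
                elif src not in baseline_hashes:
                    findings.append(f"UNKNOWN script reference in {path}: {src}")
            for inline in INLINE_SCRIPT_RE.findall(text):
                if inline.strip():
                    findings.append(f"INLINE script in {path}: {inline.strip()[:40]!r}")

    # A baseline file that is no longer served is also worth a look.
    for path in baseline_hashes:
        if path not in current:
            findings.append(f"MISSING resource: {path}")
    return findings


# Constructed "after" snapshot: the index page gained an inline script and the
# server now serves a file that was never part of the provisioned front end.
TAMPERED_CONTENT: Dict[str, bytes] = dict(BASELINE_CONTENT)
TAMPERED_CONTENT["/index.html"] = (
    b"<html><head><script src='/app.js'></script>"
    b"<script>/* constructed placeholder for an unexpected inline script */</script>"
    b"</head><body>Motor control</body></html>"
)
TAMPERED_CONTENT["/extra.js"] = b"// constructed placeholder for a resource absent from the baseline"


if __name__ == "__main__":
    print("clean snapshot:", audit_resources(BASELINE_CONTENT, BASELINE_HASHES))
    for finding in audit_resources(TAMPERED_CONTENT, BASELINE_HASHES):
        print(finding)
```

The hash comparison catches any change to a known file, while the script checks give a useful signal even for a resource that has no baseline entry at all. Store the baseline hashes somewhere the PLC cannot write to, since a compromised web server could otherwise serve a matching "baseline" alongside the modified pages.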