Posted by Jules Pagna Disso and Tom Wilson on Jan 30, 2015 10:43:38 AM
Industrial Control Systems (ICS) are very important components of our critical infrastructure. Programmable logic controllers (PLC) are some of the well-known types of control system components. PLCs are computers used for automation of typically industrial electromechanical processes, such as the control of machinery on factory assembly lines, amusements rides, light fixtures, power stations, power distribution systems, power generation systems, and gas turbines, to name a few.
There are different types of PLC, which can be classified into three major categories:
- Logic controller – Sometimes called a ‘smart or programmable’ relay. Simple to program and cost effective for low Input/Output (I/O), slower speed, applications
- Compact PLC – An intermediate level offering increased instruction sets and higher I/O capacity than a logic controller
- Advanced PLC – Offering greater processing power, larger memory capacity and even higher I/O expandability and networking options
There is no doubt that protecting PLCs from cyber-attacks is very important as they directly control machineries. In critical infrastructure, any successful attack on PLC could be as serious as the Siberian gas pipeline explosion in 1982.
What exactly is the attack surface of PLCs? What can an attacker do against PLCs? Why should we care about given PLC a higher level priority when protecting critical infrastructure?
I will start by ruling out the supply chain problem as one of the main problems with any device purchased from a foreign country. I will barely scratch the surface if I start discussing the supply chain problems. There have been many cases where top governments had their supply chain completely wrong and were sold the wrong products.
Beyond the supply chain problems, many statistics show that human errors are still high enough to be serious concern for critical infrastructure. In addition to human errors, insider attacks remain one of the top security concerns for critical infrastructures and critical environments. Too many questions remain unsolved as to what would be an effective solution to tackle the insider threat.
It is generally agreed that training is very important. How many people consider security as their problem? How many people would still use USB even when not authorised? I recently led a policy review for an organisation. When we started discussing the access to removable media, the room was split into two sides. Some people confirmed that there was a zero USB policy in the organisation, whilst others argued that there is another policy that allowed certain people to use USBs.
It is good practice that critical environments have the “need to know” policy by default. Imagine the case where a picture of a party, a visit to a plant or a picture of someone working in plant is posted online showing the software, hardware name and version used in their work environment. How invaluable could that be to an attacker? Such information would be invaluable for an attacker. Likewise, social engineering can be used against people working in critical environments to reveal information about their systems.
Communications: Most PLCs have a wide range of communication interface they can support. I am only going to focus on the main security issues.
Network topologies: Certain network topologies are more prone to attacks than others. It is important that the right topology is in place to allow strong security to be built around it. When choosing a topology, the following issues should be considered: security, bandwidth, redundancy and convergence, disruption during network upgrade, readiness for network convergence.
Network communication protocols: Many communication protocols are proprietary and only well known to the manufacturer. This means that the security of such protocols is only as good as their team. Despite many of the protocols being proprietary, many open source tools could be used to determine the nature of this. Also, these protocols have not been built with security in mind. Many efforts are ongoing to secure protocols used in PLC communications, which is good news.
VPN: many people consider VPN as the ultimate security. During an audit at a fairly large plant, the computer operator during his break was listening to music from a USB on a computer that was used to VPN into the plant. The security implications here are clear.
Fuzzing, in experimental settings, have cause serious problems to PLCs. It is still the case that a large ping request will cause some disruption of communication between the PLC and any other device communicating via Ethernet.
PLCs websites can be reachable via search engines. This again is another security problem that could cause some serious disruption to the plant’s operations.
Logic inside the PLC
Once attackers are in the reach of a PLC because they have managed to get access to computer systems that lead them to the control system network, there are a number of things they can achieve:
- Send inaccurate information to system operators, either to disguise unauthorised changes, or to cause the operators to initiate inappropriate actions
- Change alarm thresholds or disable them
- Interfere with the operation of plant equipment, which can cause modification to safety settings by sending malformed packets
- Blocking or delaying the flow of information
- Blocking data or sending false information to operators to prevent them from being aware of certain conditions or to initiate inappropriate actions
- Overtaxing staff resources due to simultaneous failures of multiple systems
- Steal sensitive data (using open source software in a form of command line i.e. no installation required, an attacker can download the logic running into a PLC)
- Upload a new firmware that would not necessarily require a reboot of the PLC
- Execute exploits
- Activate the website on the PLC if not already active
- Modify the website to allow remote access
It is very important that attackers do not have access to the logic inside the PLC. Stuxnet and the case of Sibera gas pipeline explosion are two real world cases that show the malicious use of PLCs can have serious consequences.
PLCs are increasingly designed to integrate networking functionalities. Consequently, a good number of PLCs offer a web interface. A large number of SCADA web interfaces have been discovered through Shodan search engines. It still the case that Google and other search engine index folders that were not meant to be indexed. Folders of computers available online via DMZ that are not meant to be indexed by search engines need to be marked in the robots.txt. The lack of understanding has made Google hacking command very successful. Once the website on the PLC is available to the attackers, they then have an opportunity to do a full unauthorised penetration test to find ways to get into the system. Using brute force attack or any other method to discover the password, the attackers can then gain full access to the website. Once authenticated the attackers can:
- Make unauthorised changes to instructions in local processors to take control of master-slave relationships between Master Terminal Unit (MTU) and Remote Terminal Unit (RTU) systems
- Prevent access to legitimate users
- Modify the ICS software, configuration settings or infecting ICS software with malware
- Modify Tag values
Master terminal units (MTU) in SCADA system is a device that issues the commands to the Remote Terminal Unit (RTUs), which are located at remote places from the control, gathers the required data, stores the information, and process the information and display the information in the form of pictures, curves and tables to human interface and helps to take control decisions.
Attackers are also able to cause serious damage to a plant operation without gaining full access to the PLC web site interface (CVE-2014-2259, CVE-2014-2254, and CVE-2014-2255)
Software is rarely bug free. Over the last few years, the security community has been very interested in finding vulnerabilities in ICS hardware and software. Digitalbond has previously run an exercise dedicated to finding bugs in PLCs. The results found far more bugs and vulnerabilities than expected.
Long gone are the days where Mac OS and Linux were considered very secure. PLCs, just like any other computers, have an operating system (Microware OS-9, VxWorks). Vulnerabilities and bugs exits in OS-9 and VxWorks just as they exist in Microsoft Windows OSs, Linux, Mac OS, Android, etc. Unlike regular computer OSs, patching operating systems in PLCs against known bugs and vulnerabilities is a very challenging. Many things need to be considered before deciding to update PLCs operating system. Even though patching is very important for any computer system security, malware such Havex Remote Access Trojan (RAT) have infected update installers from various ICS vendors. Such malware leaves ICS users baffled as to whether they should update and get infected or not update and get infected anyway.
The concept of the ‘zero day’ attack is another challenge for the security of the operating system. When a vulnerability is not published, it can be exploited by attackers without being detected. There is very little chance that current security mechanisms will detect such attacks.
Hardware in PLCs is built with very specific specifications. One of their limitations is their ability to handle complicated and multiple tasks at the same time. Traditionally, PLCs do not offer a great deal of memory. This implies that any logging capabilities have to be built out of the PLCs. PLCs should allow complex logging capabilities in order to allow in-depth forensic capabilities.
One of the biggest weaknesses of most PLCs is that security is not built in by design. Most generally, any compatible code can run on a PLCs despite its origin (legitimate or malicious). Open source tools allow the organisation blocks (OB) to be downloaded and uploaded without authentication. The OB1 for instance, are loaded and executed without a simple hash function check. If attackers have knowledge of the different Tags used in a project that may control a critical infrastructure, they can then use a completely different logic that could have catastrophic consequences. The attackers can develop his knowledge of an internal system using different elements such as (HMI, PLC’s website, documentation, and source code to name a few).
In all fairness, certain organisation block (OB) will require a reboot of the PLC for the code to take effect. However, it takes less than 3 seconds to reboot a PLC remotely. It is very unlikely that the operators will not notice any difference from the control screen. In some other environments, three seconds of inactivity would cause serious alerts, but this is not the case everywhere. When modifying the logic, if only timers are modified, the PLC will not generally require a reboot for the new timers to take effect. A built-in security is necessary in a PLC.
A good security by design for PLCs should allow authentication of devices, access control, auditing and logging, data integrity control, secure booting, ladder logic execution control and encryption at the very least.
PLCs are as important in control system networks as they would be in any other network environment. It is essential that they are managed with the highest priority. Any access, maintenance, upgrade, test, modification, downtime of PLCs need to be accounted for and these policies need to be enforced.
Programmable Logic Controller security can be summarised as show in Figure 1.
PLC Threat Landscape
Why should we care about PLC security?
If we follow the diagram by NERC, it is very likely that most PLCs will either have a critical service, operate critical system or service, or used in a critical system. If we care about any of our critical processes, functions or systems, we definitely should care about the various components upon which they depend. Figure 1 describes the process advocated by NERC to identify critical assets.
Critical Asset Identification
In conclusion, securing a PLC is paramount in securing critical infrastructure. PLCs will generally support critical function in a plant or their will be used in a critical path of production making them a critical component. Many layers of protection need to be in place for PLC to be secure. Human risk factors, the protection of the logic inside the PLC, secure communications, application layer security, operating system security, hardware security and last but not least, the management of all aspects of all of the above security requirements.
A simple picture taken in a work environment could provide an attacker with the last piece of information missing to be successful in his/her operations. PLCs are very important components of critical infrastructure and should be protected at all costs.
Protecting PLCs alone would not solve the problem against cyber-attacks. General governance should be in place to ensure that all aspects of security within the organisation are properly addressed. A holistic approach to security is highly recommended. Please read more about Nettitude holistic security at Cyber breaches response in-depth.