back to article Why bother cracking PCs? Spot o' malware on PLCs... Done. Industrial control network pwned

Security researchers have demonstrated a new technique for hacking air-gapped industrial control system networks, and hope their work will encourage the development of more robust defences for SCADA-based systems. Air-gapped industrial networks are thought to be difficult if not impossible to hack partly because they are …

  1. Anonymous Coward
    Anonymous Coward

    Reminds me of...

    ...the use of optical recon of the flashing lights on a network card to remotely view the data

    Remote Data Exfiltration

  2. Anonymous Coward
    Anonymous Coward

    Hummm

    There are multiple ways that attackers can deploy reconnaissance malware to an air-gapped network,

    The ways listed in that paragraph all depend on the security IT section not doing its job.

    Updates - no matter where they come from should be tested and scanned before deployment.

    Infected USB drives and/or contractor laptops - these should automatically be suspect and scanned well before they get near the air-gapped system.

    Malicious ladder logic code - anyone that can't spot anomalies in that code shouldn't be coding for air-gapped systems.

    All of the above are standard security requirements that my company insists on at the two industrial complexes we maintain. If management doesn't like it we walk away as we did in one case

    1. elDog

      Re: Hummm

      And how do you scan a "Bad-USB" before it is plugged into a sensitive device?

      From what I understand these kits don't respond to requests for information about their inner workings, they just rely on the hosts installing the kit's payload when setting up communications.

  3. Paul Crawford Silver badge

    Bandwidth?

    "other techniques designed to increase the bandwidth of transmissions"

    The limiting factor is most likely to be the available SNR as that places an ultimate limit on the data rate (Shannon limit).

    If the PCs/controllers are well designed then RF leakage should be very small, and if you are relying on operations in the low tens of MHz region then background noise in most areas will already be way above the receiver's noise figure. So unless you are *really* close I doubt you could get more than tens of bits per second out.

    1. thames

      Re: Bandwidth?

      The PLC will be located in an electrical enclosure, in most cases made of steel. RF isolation - in both directions - is a major function of the cabinet (physical protection, electrical safety, and limiting the spread of fire being the other main purposes).

      Meanwhile there will be shed loads of RF hash put out by electric motors, solenoids valves, motor drives, and miscellaneous electronic gadgets. Picking anything meaningful up from a drone flying overhead is not likely.

      The most plausible scenario will be the one that Stuxnet used. Just use bog standard Windows viruses and take over the PCs which inevitably get connected to PLCs either full time, or from time to time. It's rather curious how little mention Stuxnet got in the article, considering that it's the canonical example for control system hacking.

      As for the S7-1200, that is the series that covers the low end of the PLC for Siemens. Typical applications for these don't get connected to any sort of network at all, let alone an air gapped one. I suspect it was chosen for the experiment simply on the basis of cost, as the larger more complex models of PLC can get rather expensive.

      As for the supposed application, if you really want to know the topology of the network, just use standard off the shelf Windows viruses to infiltrate the business network and download the electrical drawings and PLC program backups from the drive shared used by the engineering and maintenance staff. Or just phone up someone and tell them you're a company quoting on upgrading one of their machines and ask them to email the materials to them. It's not like this custom built stuff is generally considered to be commercially valuable.

  4. Anonymous Coward
    Anonymous Coward

    Solution looking for a problem

    Industrial control networks are notoriously easy to compromise. because security has never been a top concern. Money, making money now, is the #1 concern, fuck what may happen in the future.

    Hoping to encourage the development of more robust defences for SCADA-based systems is laudable and is as old as SCADA systems themselves. No one familiar with SCADA systems think they are in difficult to hack, particularly if only to create chaos, and those concerned about technical issues have always wanted better security.

    As a result there is no need to add code to create RF signals. RF monitoring technology is now ancient if one wanted to use those methods. I suspect inserting code is used to help others understand that RF leakage is a security concern. Once they understand that it becomes easier to explain that all parts of the system can leak RF that can be used to determine what the system is doing.

    "Hacking" SADA systems needs no such equipment, as shown by Stuxnet over a decade ago. Even easier is to "ask" someone with access to the building to install monitoring equipment. That equipment can be as common as a camera or wifi usb adapter. The OS didn't automatically install the drivers? No problem the password is as old as the system itself and if not written in the panel can be had by asking or just looking if that camera isn't obvious, or sometimes it is better if it is very obvious.

    The basic problem is that no one in charge of the money really cares about security. If they did there would be no lowest bidders, no endless traffic of poorly trained and poorly paid, untrustworthy workers with access during and after construction. Sure, sometimes, there is a pretense of security but that's all that is ever required. Far more important is completion on time and under budget. Let the future deal with any results, that'll be a different time, different crew, different CIO, CEO, different board and most importantly a different budget.

    BTW many of those " air-gapped" SCADA systems are not. IME most get connected so the contracting company, sometimes employees, can further reduce costs by not having to travel to site or by sub-contracting work to off site companies, companies that do not have to meet site security requirements. Sometimes that wifi adapter gets install by site personnel who would rather work from their comfy, and quiet, company vehicle which makes it much easier the next time wifi access is required, or so I've heard. ;)

    If society was really concerned about such security they would make companies, and those that profit from those companies pay far more for failure. When there can be no profits without security, no ability hide profits and cash behind deniability or claims of ignorance there will be security. Until then security is little more than an illusion waiting to be exposed. Not that it matters to those that profited, they are well insulated and may even ride back on white horses to fix the very problem they created, cost plus of course.

    I better remember to check anon. I might need that plausible deniability if someone reads this and thinks they recognize the imaginary major SCADA systems I referred to.

    1. hammarbtyp

      Re: Solution looking for a problem

      Industrial control networks are notoriously easy to compromise. because security has never been a top concern. Money, making money now, is the #1 concern, fuck what may happen in the future.

      That's not totally true. The reason why security has not been the number one concern is 3 reasons. 1) Until recently PLC's were air-gapped and therefore the risks of remote exploit was seen as low 2) They used to run proprietary OS, meaning exploits were less likely to be found 3) The processors were low power meaning things like encryption services were difficult to run on them

      However with the rise of IOT, PLCs move to linux or <shuffer> embedded windows the risks are increased and the power of low end processors mean that there is no excuse for low encryption services

      However problems remain. 1st PLC systems last for 25-30 years. Unlike a PC you cannot just rip them out. Even upgrading them is a challenge since most PLC systems are custom tuned and a simple thing like changing a timing loop could cause an issue. Customer understanding of cyber security is lagging and based on the IT world. We often get cyber security tenders which talk about running anti-virus software on PLC's, which is just not possible. There are also challenges in terms of long term maintenance and spares replacement

      Saying that things are getting better and there is a greater understanding of the threats on PLC networks and customers are taking things more seriously. If a customer requests it the industry will follow

      "Hoping to encourage the development of more robust defences for SCADA-based systems is laudable and is as old as SCADA systems themselves. No one familiar with SCADA systems think they are in difficult to hack, particularly if only to create chaos, and those concerned about technical issues have always wanted better security."

      SCADA tend to be based on windows, so the challenges are the same as for a standard PC and nothing special in terms of what is required. The weaknesses are the ones inherent in windows

      "The basic problem is that no one in charge of the money really cares about security. If they did there would be no lowest bidders, no endless traffic of poorly trained and poorly paid, untrustworthy workers with access during and after construction. Sure, sometimes, there is a pretense of security but that's all that is ever required. Far more important is completion on time and under budget. Let the future deal with any results, that'll be a different time, different crew, different CIO, CEO, different board and most importantly a different budget."

      That hasn't been my experience. Although to be fair, it has taken some education of customers to understand what and how cyber security applies within the industry

      "BTW many of those " air-gapped" SCADA systems are not. IME most get connected so the contracting company, sometimes employees, can further reduce costs by not having to travel to site or by sub-contracting work to off site companies, companies that do not have to meet site security requirements. Sometimes that wifi adapter gets install by site personnel who would rather work from their comfy, and quiet, company vehicle which makes it much easier the next time wifi access is required, or so I've heard. ;)"

      True, basically because adding security we are making their life more difficult. It is no different to the IT world where IT cyber security policy is worked around by people who just want to get the job done. Thats no excuse not to have the cyber security controls as part of the PLC, but we cannot control or be responsible if they are not used or worked around

      "If society was really concerned about such security they would make companies, and those that profit from those companies pay far more for failure. When there can be no profits without security, no ability hide profits and cash behind deniability or claims of ignorance there will be security. Until then security is little more than an illusion waiting to be exposed. Not that it matters to those that profited, they are well insulated and may even ride back on white horses to fix the very problem they created, cost plus of course."

      Not sure how that would work. Better would be to mandate that all PLC's meet a common security standard. Government contracts should start the ball rolling with this one (to be fair most defence contracts already do)

      1. Paul Crawford Silver badge

        Re: Solution looking for a problem

        "SCADA tend to be based on windows, so the challenges are the same as for a standard PC and nothing special in terms of what is required. The weaknesses are the ones inherent in windows"

        No they are MUCH worse as no one really wants to apply windows patches / 'upgrades' to industrial control systems due to the risk of causing more problems than the security aspect of not patching. And practically no one has a 2nd / spare PLC as a test/simulator to actually verify software changes before hand...

        Just look at the recent fsck-up relating to the NHS and the stories of £M medical equipment on old versions of windows because the are not certified for use with the security-essential upgrades.

  5. DCFusor

    Not a real view of how things are, Ivan

    I know someone who does industrial control setup - he does it *all* for about 10-20 large chemical plants, distilleries and so on. There is NO IT department in any of the smaller ones. Zero. So how competent a nonexistent entity is is irrelevant. They also have time according to how many there are to check stuff like anomalies in ladder logic, or apply updates at all - zero if things are working, my high paid friend as a consultant for a day at most when they stop.

    My friend is somewhat interested in security, and far more skilled in computers generally than nearly all of his ilk. He tells me there's simply no way to put in security as it's utterly politically infeasible. There's always some idiot in the C suite that wants to remote monitor their money maker during the few hours a day they're not playing golf (the plant usually runs 24/7/365), and the existing software for such things - all of it - can't do that as a read-only thing. In fact, most of it has to poll the PLC's in the plant to get the reading to display on the cool picture/flowchart of the plant. If you have to send commands to poll for data, the barn door is unlocked already.

    And of course, those same PHBs often want to see it on their laptop or phone, which is almost surely internet connected - despite all the rest being air-gapped, it's always one of those guys crossing the line and the gap...and who never admit it when things go south.

    In many ways, this is otherwise the most conservative business ever - downtime is super expensive, if it ain't broke, don't fix it, and my friend has had to replace PLCs older than himself - and he's no spring chicken. Only when a plant is relocated or otherwise rebuilt does any of this change.

    Downtime or any change can also be pretty risky when you have hundreds of thousands of gallons of flammable solvent at the boiling point in various places around the plant...you don't go in just to patch some obscure PLC that's working the safety valve on a boiler that's been running for > 10 years and only making ROI for a few of them.

    That's not great (to say the very least), but it IS the way things are now. "Ought to" is a funny concept if you've sunk a lifetime of money into something and are waiting for a payback...stupid or not, it's the way of the world. It's even worse if it's a public money with a fiduciary responsibility to the shareholders. If it blows up, they can cut and run, deflect blame with "everyone does this", but if they don't make money....it's even worse.

    1. ecofeco Silver badge

      Re: Not a real view of how things are, Ivan

      Exactly.

  6. hammarbtyp

    Question is 'why'?

    While interesting, it appears the exploit only benefit is the ability to extract data from a PLC network.

    The question is therefore what data on a PLC is worth this level of effort to extract it?

    For example there will be no credit card numbers, sensitive documents, or blackmail porn.

    It seems the researchers have said PC's are hard, hey look PLC's have microprocessors lets try it here. However even in the cyber criminal world there is a cost benefit equation and this doesn't fly. If you are going to go to tne effort of compromising a air-gapped PLC system there are far better reasons such as industrial sabotage.

    That is not to underestimate the risks to PLC and the distance the industry has to go to improve, but I will file this one under 'intresting, but not a applicable'

    1. richardcox13

      Re: Question is 'why'?

      > The question is therefore what data on a PLC is worth this level of effort to extract it?

      A PLC has the logic to choose what components are used when building a circuit to change a component designed for use in one environment (eg. military) to use components only suitable for an office environment. Suddenly supplier loses high value contracts due to using sub-standard parts.

      History has shown that one small vulnerability can often be used to open bigger ones.

    2. Nifty Silver badge

      Re: Question is 'why'?

      "there will be no credit card numbers, sensitive documents..."

      Secret recipes for process-controlled manufactured products - flow rates of each material and durations

      In piped energy/chemical transport - exact quantities flowing and when, so that's great industrial espionage

      And... is PLC logic used to control 'secure' entry systems?

  7. Mike 137 Silver badge

    airgapped?

    "infecting USB drives or laptops of third-party contractors who connect directly to the network for maintenance purposes." What a strange definition of 'airgapped'.

    1. Charles 9 Silver badge

      Re: airgapped?

      ""infecting USB drives or laptops of third-party contractors who connect directly to the network for maintenance purposes." What a strange definition of 'airgapped'."

      Well, how else can you update a system with mission-critical (or even legally-mandated) updates with code that's too complicated to hand-type (not to mention that method's error-prone). Frankly, if it has an input method, ANY input method, it can be pwned. Yet, without an update method, it can be pwned, too, due to stale code. Damned if you do, damned if you don't.

      1. elDog

        Re: airgapped?

        Exactly - any input device can be pwned, including the human operator.

        Back in the fine ole USofA D0D we would consider paper tape and then punched cards as being reasonably safe for input - who could possibly punch little holes that would cause a malfunction/disaster?

        Then we decided that 300bps wired connections were safe because it would be really hard for a foreign agent to send/receive malevolent communications.

        There was something called TEMPEST that attempted to reduce emanations from secured containers.

        Then we went to IR screening against wireless keyboard collections. Glazed and coated windows, faraday cages around laptops and electronic gizmos, scramblers and spoofers.

        In the end, the weakest communications link is right here, typing on a keyboard.

        1. Charles 9 Silver badge

          Re: airgapped?

          "In the end, the weakest communications link is right here, typing on a keyboard."

          So how does the DoD deal with it, given it's a real and proven problem (see Ed Snowden)?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021