Researchers demonstrate a proof of concept where hijacked programmable logic controllers can compromise engineering workstations to allow lateral movement.


Most attack scenarios against industrial installations, whether in manufacturing or in critical infrastructure, focus on compromising programmable logic controllers (PLCs) to tamper with the physical processes they control and automate. 

One way to get malicious code running on PLCs is to first compromise a workstation that engineers use to manage and deploy programs on them, but this can be a two-way street: A hijacked PLC can also be used to compromise engineering workstations, and this opens the door to powerful lateral movement attacks.

In a new paper released over the weekend, researchers from industrial control systems (ICS) cybersecurity firm Claroty documented proof-of-concept “Evil PLC Attacks” against engineering software from seven ICS manufacturers: Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson.

“The attack targets engineers working every day on industrial networks, configuring and troubleshooting PLCs to ensure the safety and reliability of processes across critical industries such as utilities, electricity, water and wastewater, heavy industry, manufacturing, and automotive, among others,” the researchers said.

From malicious bytecode to malicious metadata

A PLC is essentially an embedded computer that controls machinery, a physical process, or a production line. It has its own CPU and runs a real-time operating system (RTOS) with vendor modifications and a bytecode interpreter. 

Engineers monitor and program PLCs from computers connected to them, using specialised engineering software to write the logic, compile it to a format the PLC interpreter understands, and deploy it.

Along with the compiled bytecode, PLCs also store a full copy of the developed project, including metadata such as program names and symbols, configuration files for hardware and network, memory mappings, I/O settings, variable declarations, parameters, and the source code that the engineers developed (the ladder logic or other program from which the bytecode was compiled).

The PLC technically doesn’t need all this additional information to function, but it is stored there so that any other engineer connecting to the PLC can obtain a full copy of the project running on it so they can debug it or change it.

This means engineering software not only sends data to PLCs but also reads a lot of data back and parses it. Historically, parsing data in different formats has been the source of many memory-safety vulnerabilities, and this case is no exception.

In fact, the researchers argue that this proprietary software was designed under the premise that the PLCs it connects to, and the data stored on them, can be fully trusted, so it lacks many of the input-validation checks that a modern desktop application would apply to data from an untrusted source.

That doesn’t mean that finding vulnerabilities is easy, since every vendor uses its own proprietary communication protocol to write data to and read it from its PLCs, and the project files are stored using different packaging formats, some of them also proprietary.

The researchers had to reverse-engineer these protocols and file formats for each of the analysed engineering packages so they could understand what an attacker could modify on the PLC, and how, in order to attack the connecting workstation.

This resulted in vulnerabilities being discovered and reported in:

  • TwinSoft, the engineering software used for OVARRO’s TBOX Platform
  • Automation Studio used for B&R’s (ABB) X20 System
  • EcoStruxure Control Expert (Unity Pro) used for Schneider Electric’s Modicon PLCs
  • ToolBoxST used by GE’s MarkVIe platform
  • Connected Components Workbench (CCW) used by Rockwell Automation’s Micro Control Systems PLC
  • PAC Machine Edition used by Emerson’s PACsystems
  • The XD PLC Program Tool used by Xinje’s XDPPro

The flaws ranged from path traversals to heap overflows and unsafe deserialisations, all resulting in arbitrary code execution on the engineering machine.

“For each target/platform we tried to understand the whole download/upload mechanism by reverse engineering the firmware and the engineering workstation software,” the researchers said in their paper. 

“Our goal was to find discrepancies between what the PLC is using and what the engineering workstation is using. If we were to find such inconsistencies, we could weaponise the PLC through a malicious download procedure to store a specifically crafted piece of data that won’t affect the PLC, but when parsed by the engineering platform it will trigger and exploit a vulnerability.”
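The mechanism described above (project metadata stored on the PLC, ignored by the PLC runtime but parsed by the engineering workstation on upload) can be reduced to a small simulation. The following is an added example written for this article, not Claroty's proof of concept and not any vendor's real project format: the container layout, the two metadata encodings, the project directory, the name limit and the sample blobs are all assumptions. It shows the three flaw classes named above, unsafe deserialisation, path traversal and a missing length bound, in an "as shipped" workstation path that trusts the PLC beside a hardened path that treats the PLC as untrusted input, and it shows that the simulated PLC happily accepts every one of the hostile blobs.

```python
# Constructed illustration (added here; not Claroty's code, not any vendor's
# real project format). Assumed blob layout as stored on the PLC:
#   b"PRJ1" | u32 bytecode_len | bytecode | u8 encoding | metadata
#   encoding 1 = JSON project metadata, 2 = pickle ("legacy" binary projects)
import json
import os
import pickle
import posixpath
import struct

MAGIC = b"PRJ1"
ENC_JSON, ENC_PICKLE = 1, 2
MAX_NAME = 64                               # assumed program-name limit
PROJECT_DIR = "/opt/engtool/projects/demo"  # assumed workstation project dir

class ProjectError(Exception):
    pass

def pack_project(bytecode, encoding, metadata):
    return MAGIC + struct.pack("<I", len(bytecode)) + bytecode + bytes([encoding]) + metadata

def split_project(blob):
    """Container parsing shared by both sides: (bytecode, encoding, metadata)."""
    if len(blob) < 9 or blob[:4] != MAGIC:
        raise ProjectError("bad container header")
    (n,) = struct.unpack("<I", blob[4:8])
    if 9 + n > len(blob):
        raise ProjectError("bytecode length exceeds blob")
    return blob[8:8 + n], blob[8 + n], blob[9 + n:]

def plc_accepts(blob):
    """Simulated PLC runtime: validates only the bytecode it executes; metadata is opaque."""
    try:
        bytecode, _, _ = split_project(blob)
    except ProjectError:
        return False
    return bytecode.startswith(b"LD ")      # stand-in for real bytecode validation

# --- workstation as shipped: whatever the PLC returns is trusted ---
def load_metadata_unsafe(blob):
    _, enc, meta = split_project(blob)
    if enc == ENC_PICKLE:
        return pickle.loads(meta)           # unsafe deserialisation: attacker picks the callable
    return json.loads(meta)                 # no schema or length checks at all

def plan_writes_unsafe(project):
    # Path traversal: file names taken from the PLC are joined as-is.
    return [posixpath.join(PROJECT_DIR, name) for name in project["files"]]

# --- workstation hardened: the PLC is just another untrusted input ---
def load_metadata_safe(blob):
    _, enc, meta = split_project(blob)
    if enc != ENC_JSON:
        raise ProjectError("unsupported metadata encoding %d" % enc)
    try:
        project = json.loads(meta)
    except ValueError as exc:
        raise ProjectError("metadata is not valid JSON") from exc
    if not (isinstance(project, dict) and isinstance(project.get("name"), str)
            and isinstance(project.get("files"), dict)):
        raise ProjectError("metadata does not match the project schema")
    if len(project["name"]) > MAX_NAME:     # the bound a native parser omits before a fixed-size copy
        raise ProjectError("program name too long")
    return project

def plan_writes_safe(project):
    plan = []
    for name in project["files"]:
        if (not isinstance(name, str) or posixpath.isabs(name) or "\\" in name
                or "\x00" in name or ".." in name.split("/")):
            raise ProjectError("rejected file name %r" % name)
        full = posixpath.normpath(posixpath.join(PROJECT_DIR, name))
        if not full.startswith(PROJECT_DIR + "/"):
            raise ProjectError("file escapes project directory: %r" % name)
        plan.append(full)
    return plan

def upload_verdict(blob):
    """Hardened upload as one call: 'accepted' or the reason the blob was refused."""
    try:
        plan_writes_safe(load_metadata_safe(blob))
        return "accepted"
    except ProjectError as exc:
        return "rejected: " + str(exc)

# --- constructed blobs: what an engineer's upload reads back from the PLC ---
BYTECODE = b"LD X0 OUT Y0"                  # stand-in bytecode the PLC runs happily
BENIGN = pack_project(BYTECODE, ENC_JSON, json.dumps(
    {"name": "pump_ctrl", "files": {"main.ld": "", "io/config.xml": ""}}).encode())
TRAVERSAL = pack_project(BYTECODE, ENC_JSON, json.dumps(
    {"name": "pump_ctrl", "files": {"/etc/cron.d/evil": "* * * * * root /tmp/x"}}).encode())
LONG_NAME = pack_project(BYTECODE, ENC_JSON, json.dumps(
    {"name": "A" * 4096, "files": {}}).encode())

class _Evil:
    def __reduce__(self):                   # runs os.getpid on load; a real payload would pick os.system
        return (os.getpid, ())

DESERIALISE = pack_project(BYTECODE, ENC_PICKLE, pickle.dumps(_Evil()))
```

Calling plc_accepts on each blob and then feeding it to both workstation paths shows the discrepancy the researchers exploit: the PLC side is satisfied because only the bytecode matters to it, the unsafe path runs the pickled callable or plans a write to /etc/cron.d, and the hardened path refuses each hostile blob with a reason before any file is touched. In a native engineering tool the missing MAX_NAME bound is where a heap overflow would sit; Python merely lets the oversized name through.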

Lateral movement the biggest risk

The most obvious goal of such an attack is lateral movement inside an organisation’s OT (operational technology) network to achieve persistence. Attackers could compromise one engineering workstation that has not been isolated from the organisation’s general IT network or could even use an insider to plant malware on it.

For example, the Stuxnet worm that was used to destroy uranium enrichment centrifuges inside Iran’s Natanz nuclear plant is believed to have been deployed by an insider who worked as a mechanic for a third-party company doing work at the plant. Once deployed on a machine inside, the worm found its way to the PLCs controlling the centrifuges using a chain of zero-day exploits and sophisticated techniques.

Not all attackers have Windows zero-day exploits available to build stealthy and sophisticated malware like Stuxnet, so once they manage to infect a single workstation they might need another way to spread through the network, and poisoning the project files on a PLC is one way to do it.

PLCs can also be compromised remotely because many of them are connected to the internet through various remote management interfaces. According to scans on Shodan there are tens of thousands of SCADA and PLC devices connected to the internet. 

In April 2020, attackers managed to remotely gain access to systems used to control water treatment in Israel. In 2021, a similar attack impacted the Oldsmar water treatment facility in Florida.

“Our research suggests that attackers could use the internet-facing PLCs as a pivot point to infiltrate the entire OT network,” the Claroty researchers said. 

“Instead of simply connecting to the exposed PLCs and modifying the logic, attackers could arm these PLCs and deliberately cause a fault that will lure an engineer to them. The engineer, as a method of diagnostics, will perform an upload procedure that will compromise their machine. The attackers now have their foothold on the OT network.”

The lateral movement through an Evil PLC attack can even happen across organisations because many companies rely on third-party system integrators or contractors to manage their PLCs, especially those deployed in remote locations. 

If attackers compromise such a PLC in a less secure location and know that it’s being serviced by a systems integrator or contractor, they could trigger a fault in the PLC to lure the traveling engineer to it and then compromise their computer. That engineer is likely to then connect to the OT networks of other organisations and spread the malicious payload.

On the other hand, the same attack vector could be turned against would-be attackers in a honeypot-like scenario where researchers or organisations could intentionally leave a weaponised PLC exposed to the internet and see if attackers target it. Since attackers have to use the same engineering software to interact with the PLC, their own machines could be exposed.

“This method can be used to detect attacks in the early stage of enumeration and might also deter attackers from targeting internet-facing PLCs since they will need to secure themselves against the target they planned to attack,” the Claroty researchers said.

Mitigating Evil PLC Attacks

All the vulnerabilities found by the Claroty researchers have been reported to the impacted manufacturers, who released patches or mitigation instructions. However, deploying patches inside OT networks can be a slow process. The researchers recommend that organisations deploy client authentication mechanisms where available, so that the PLC verifies the identity of every engineering workstation connecting to it and can accept connections from only specific systems.

Network segmentation and hygiene, so that segments of the network that don’t need to talk to each other are isolated, is also very important. Enabling traffic encryption and public-key authentication between PLCs and engineering workstations, where available, is also good practice, as is general monitoring of network traffic for suspicious connections.
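As an added example of the monitoring the researchers recommend (written for this article, not Claroty's code or any vendor's product), the following runs two checks over constructed connection records: programming traffic to a PLC from a host outside the approved engineering-workstation list, which is the same allowlist the PLC itself should enforce where client authentication is available, and one workstation reaching PLCs in more than one site inside a short window, the shape of the travelling-engineer scenario described above. The inventory, the hosts, the ports and the flow lines are assumptions.

```python
# Constructed detection example, added here; not Claroty's code and not any
# vendor's product. The inventory, hosts, ports and flow records are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed plant inventory: PLC address -> site, and the approved engineering
# workstations. Where the PLC supports client authentication, this same set
# is what the device itself should enforce.
PLC_SITE = {"10.1.0.10": "siteA", "10.1.0.11": "siteA", "10.2.0.10": "siteB"}
ENGINEERING_HOSTS = {"10.1.0.50", "10.2.0.50"}
# Assumed programming ports for this plant (EtherNet/IP, Modbus/TCP, ISO-TSAP).
ENGINEERING_PORTS = {44818, 502, 102}

# Constructed flow log: timestamp, source, destination, destination port.
FLOWS = """\
2022-08-15T08:00:01 10.1.0.50 10.1.0.10 44818
2022-08-15T08:05:12 10.1.0.77 10.1.0.10 44818
2022-08-15T08:30:40 10.1.0.50 10.2.0.10 502
2022-08-15T09:10:00 10.2.0.50 10.2.0.10 502
2022-08-15T09:12:33 10.2.0.50 10.2.0.10 443
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def engineering_flows(flows):
    """Keep only programming-protocol traffic aimed at an inventoried PLC."""
    return [f for f in flows if f[2] in PLC_SITE and f[3] in ENGINEERING_PORTS]

def rule_unapproved_client(flows):
    """Rule 1: a PLC is being programmed from a host that is not an approved
    engineering workstation (what PLC-side client authentication would block)."""
    return [("unapproved-client", src, dst, port)
            for _, src, dst, port in engineering_flows(flows)
            if src not in ENGINEERING_HOSTS]

def rule_cross_site(flows, window_seconds=3600):
    """Rule 2: one client programmed PLCs in more than one site inside the
    window, the pattern of a compromised travelling engineer's laptop."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, _ in engineering_flows(flows):
        by_src[src].append((ts, PLC_SITE[dst]))
    alerts = []
    for src, visits in by_src.items():
        visits.sort()
        for i, (ts, _) in enumerate(visits):
            sites = {site for t, site in visits[:i + 1] if ts - t <= window}
            if len(sites) > 1:
                alerts.append(("cross-site", src, ",".join(sorted(sites))))
                break           # one alert per source is enough
    return alerts

def detect(text, window_seconds=3600):
    flows = parse_flows(text)
    return rule_unapproved_client(flows) + rule_cross_site(flows, window_seconds)

if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(*alert)
```

On the sample log the first rule flags 10.1.0.77 programming a PLC over EtherNet/IP, and the second flags 10.1.0.50 touching PLCs in both sites within half an hour; the HTTPS flow is ignored because it is not programming traffic. Both rules depend on an accurate PLC and workstation inventory, which is the real work behind the segmentation and client-authentication advice above.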

