One of the rigs used by researchers to test their attacks

Two researchers presenting at the Black Hat Europe security conference in London revealed a method of infecting industrial equipment with an undetectable rootkit component that can wreak havoc and disrupt the normal operations of critical infrastructure all over the world.

The attack targets PLCs (Programmable Logic Controllers), devices that sit between normal computers that run industrial monitoring software and the actual industrial equipment, such as motors, valves, sensors, breakers, alarms, and others.

How PLCs work

PLCs are the backbone of ICS/SCADA systems (Industrial Control Systems / Supervisory Control And Data Acquisition). They allow human operators to control and adjust the operation of industrial equipment in remote locations.

PLCs are nothing more than environmentally-hardened embedded systems that run a very limited operating system. At the hardware level, PLCs are controlled by a SoC (System-on-Chip), which manages electrical signals acquired from input lines and sent out via output connections (the I/O interface). The SoC also manages the PLC's pins, the connectors which function as input and output lines.

The research team, made up of Ali Abbasi from the University of Twente, the Netherlands, and Majid Hashemi, an engineer at Quarkslab (France), has targeted the PLC's I/O pin system.

They say their attack uses techniques that regular ICS/SCADA security software does not look for.

How the attack works

Classic attacks rely on modifying the device's firmware, its configuration parameters, or the execution flow of running processes. These attacks trigger interrupts in the PLC's normal mode of operation, which security software picks up before alerting the human operator.

The researchers said their attack targets the PLC's dynamic memory, where the device stores its pin configuration: a table listing which pins function as input lines and which pins work as output lines.

By altering I/O pin configurations, an attacker can fake data coming from sensors, which can fool the PLC's internal logic component, or the human operator, into taking actions that they would take only in critical situations.

Furthermore, the attacker could alter the position of output pins, and prevent operators from controlling the device, or the PLC from automatically shutting down a valve, for example, when temperatures reach critical values.

"For example, an adversary may manipulate the value of tank pressure sensors in a pressure sensitive boiler thus leading to the explosion of the boiler," researchers write in their paper.
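A defender-side check for the pin configuration changes described above, as an added example rather than code from the researchers or any PLC vendor: it compares polled snapshots of a pin table against a known-good baseline and labels each deviation with the consequence the article describes. The pin numbers, signal names and snapshot format are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed baseline: pin -> (direction, signal wired to it), as engineered.
BASELINE = {
    4: ("in", "tank_pressure_sensor"),
    5: ("in", "temperature_sensor"),
    17: ("out", "shutoff_valve"),
    18: ("out", "alarm_relay"),
}

# Constructed snapshots of the live pin table: (poll time, pin -> direction).
SNAPSHOTS = [
    (0, {4: "in", 5: "in", 17: "out", 18: "out"}),
    (1, {4: "out", 5: "in", 17: "out", 18: "out"}),   # sensor pin flipped
    (2, {4: "in", 5: "in", 17: "in", 22: "out"}),     # valve flipped, 18 gone, 22 new
]

# Consequence of a deviation, keyed by the direction the pin should have.
IMPACT = {
    "in": "sensor value on this pin can no longer be trusted",
    "out": "PLC or operator may be unable to drive this output",
}

@dataclass(frozen=True)
class Finding:
    time: int
    pin: int
    signal: str
    expected: str
    observed: str
    impact: str

def check_pin_tables(baseline, snapshots):
    """Return a Finding for every pin whose direction deviates from the baseline."""
    findings = []
    for time, table in snapshots:
        for pin, (expected, signal) in sorted(baseline.items()):
            observed = table.get(pin, "missing")
            if observed != expected:
                findings.append(
                    Finding(time, pin, signal, expected, observed, IMPACT[expected]))
        for pin in sorted(set(table) - set(baseline)):
            findings.append(Finding(time, pin, "unknown", "unconfigured",
                                    table[pin], "pin outside the baseline is configured"))
    return findings

if __name__ == "__main__":
    for f in check_pin_tables(BASELINE, SNAPSHOTS):
        print(f"t={f.time} pin {f.pin} ({f.signal}): {f.expected} -> {f.observed}: {f.impact}")
```

A polled check only sees the table as it stands at each poll. Because the attack described here runs with root privileges, a check executed on the PLC itself reads values the attacker can tamper with.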

Attack can render critical infrastructure useless

The abuse scenarios are endless and can lead to fatal situations. PLCs are often deployed in the critical infrastructure of nations all over the globe, such as electric grids, emergency systems, water supply, and others.

Researchers said that their attack relies on getting root privileges on the PLC's operating system, which also implies achieving some sort of remote code execution state via a PLC firmware vulnerability. This allows the attacker to write a Loadable Kernel Module (LKM), a way of dynamically loading new code into the OS kernel without causing interrupts. The module loads every time the PLC reboots, working as a de facto rootkit.

In case an attacker can't find flaws to exploit in PLCs, the researchers said they experimented with a second attack that doesn't rely on root privileges but will inflict less damage.

The researchers are also honest about their work. Abbasi and Hashemi say that their attack is extremely complicated to put together and classic attacks are much easier to carry out.

Because ICS/SCADA security software is not present in all industrial systems just yet, most threat actors will choose the simpler methods.

Nevertheless, a state-sponsored actor would be willing to invest serious time and resources into developing and deploying attacks based on this newer method, just for the benefit of keeping their attack vector a secret as long as possible.

The research team has not named any vendors that develop and market PLCs vulnerable to their attack, since the team only wants to raise awareness of a future attack vector that could be mitigated in future versions of PLC designs and ICS security software.

In the past year, security researchers have focused their work on ICS/SCADA equipment by developing a proof-of-concept self-spreading worm named PLC-Blaster. Threat actors have also deployed new PLC malware called Irongate.

We can learn about the dangers of ICS/SCADA malware from recent events. The infamous Stuxnet virus was created to target the PLCs used at Iranian nuclear material enrichment facilities, altering sensor data in order to fool centrifuges into tearing themselves apart.