Search This Blog

Powered by Blogger.

Blog Archive

Labels

‘Evil PLC’ Could Turn PLCs Into Attack Vectors

Claroty accomplished an Evil PLC using a ZipSlip attack against vendors (Emerson, Ovarro, B&R, GE and Xinje).

 

When one thinks of someone hacking a programmable logic controller, one usually think of the PLC as the end objective of the assault. Adversaries use other systems to get at what will eventually allow them to cause industrial damage. 

However, a Claroty Team 82 DefCon presentation asks the following question: what if someone exploited a PLC as a vector rather than the destination? The researchers feel that the "Evil PLC" attack scenario is novel: infecting every engineer who interfaces with a PLC with malicious malware. 

Claroty revealed a series of 11 additional vendor-specific vulnerabilities that would allow the attack as proof of concept. These flaws have been discovered in Ovarro TBOX, B&R (ABB) X20 System, Schneider Electric Modicon M340 and M580, GE MarkVIe, Rockwell Micro Control Systems, Emerson PACSystems and Xinje XDPPro platforms. All but the Emerson were issued CVEs. Claroty came up with the notion after trying to learn more about the opponents that attack their honeypots.

“We asked ourselves, how can we actively attack the attackers? We don't know anything about them. We cannot find them,” said Claroty director of research Sharon Brizinov. “And then we kind of had a eureka moment and we thought, okay, what if the PLC was to be weaponized?”

Claroty used a ZipSlip attack against vendors (Emerson, Ovarro, B&R, GE, and Xinje), a heap overflow against Schneider, and a deserialization attack against Rockwell to create an Evil PLC. Evil PLC, according to Claroty, would be suited for two assault scenarios. The first scenario would be if the PLC was the only entry point into a secure facility. Waiting for an engineer to connect to the PLC allows the attacker to infect the engineer's workstation. This might be sped up by encouraging an early inspection using the newfound access to the PLC.

“Once the attacker weaponized the PLC, maybe they deliberately cause a fault on the PLC. The engineer would be lured to the PLC to check what's going on with it,” said Brizinov. 

Another possibility is to take use of the large number of PLCs maintained by outside professionals. One engineer is linked to one PLC could spread malicious code across several enterprises. 

“Usually PLCs are the crown jewel. When we're talking about classic attack vectors in ICS domains we're always seeing the PLC as the endpoint, the end goal; but if we're playing with those ideas and shifting our thoughts a bit, we can we can get to new ways of how to defend and attack both networks,” Brizinov said. 
Share it:

attacks

Bugs

Cyber Attacks

Flaws

malicious

Vectors