Series of articles：
Everyone is familiar with traditional WEB security, such as common SQL, XSS, upload, command execution and so on. So for attacks on industrial controllers, in addition to unauthorized access, control command replay, and denial of service, what other attack methods do you know?
With the introduction of the industry 4.0 concept of “Internet + Manufacturing”, the independent and isolated traditional industrial control field ushered in a new era of big data interconnection-Industrial Internet. At the same time, the issue of industrial control safety has gradually attracted attention. In turn, many new attack gestures have been derived, such as: industrial control Socket proxy, industrial control worm, industrial control logic**, industrial control ransomware, industrial control radio, industrial control payload distribution and so on.
Today we will introduce these methods so that everyone has a comprehensive understanding of the attack methods of industrial control systems. At the same time, we also hope that more people can give opinions and suggestions and learn from each other.
Industrial Control Socket Agent
The Industrial Control SOCKET agent is the first attack method we proposed and successfully verified. The attack framework has been published on github and has been cited and re-developed by many people. Github address: https://github.com/w3h/isf.
Below we briefly introduce the realization ideas of industrial control SOCKET agent, please read: http://www.icsmaster.org/archives/ics/690 for details.
The agent believes that everyone is already familiar with it. Can the industrial control equipment exposed on the Internet be used as a springboard to attack the intranet? The answer is yes.
The above figure is a schematic diagram of an industrial control network. There are many PLCs in the internal network, and a firewall is deployed on the path connecting with the external network to prevent the PLC from being exposed to the external network. But some PLCs will connect to the external network through port mapping, and only open fixed ports. For example, for PLC A in the figure, one of its ports can be accessed by the external network, but other PLCs cannot be directly accessed without port mapping.
At this time, if we can inject a special program into PLC A, let it become a proxy server and connect to our attacking host through a reverse connection. In this way, we are on the same network as PLC A, and of course we can access other devices (or systems) in the intranet.
Attack display diagram:
Industrial Control Worm
An industrial control worm attack is an industrial control worm virus that does not rely on computers but only attacks and spreads through PLC equipment like Siemens, which can bypass the current network security defense system.
First, the attacker writes the worm into the target PLC device by attacking the target PLC device, and then attempts to establish a connection through Siemens communication port 102. If the connection is established successfully, it checks whether the target PLC is infected. If the connection is not established successfully, or the target PLC has been infected, select a new IP and try to establish the connection again. If the target PLC is not infected, stop the target PLC, download the virus program, and finally restart the target PLC. The process is shown in the figure below.
The biggest feature of the virus is that it performs propagation and other control operations without affecting the normal work flow of the PLC equipment.
For details, please visit: http://www.icsmaster.org/archives/ics/500
Industrial control logic**
In industrial control systems, programmable logic controllers (PLCs) are usually used for direct interaction with sensors and actuators and for automatic control. The PLC software runs on two different layers, the firmware layer (ie OS) and the control logic layer (by processing sensor values to determine control behavior).
Ladder logic** (LLB) refers to malware written in ladder diagram (or other IEC 61131-3 compatible languages). The malware injects the attacker into the existing control logic on the target PLC, changes the control action or waits for a specific trigger signal to activate the malicious behavior. Attackers can use LLB to tamper with a series of malicious operations such as legal sensor readings.
The method of physically upgrading the firmware is subject to the verification of the firmware certificate. The firmware with malicious code cannot use the original certificate, and the self-contained certificate cannot be correctly identified, so the method of physically replacing the firmware is not feasible.
Although the method of updating the PLC firmware through digital signatures does not work, the actual logic executed on the PLC is not protected by this measure, and the lack of safety checks and certifications before downloading the new logic to the PLC causes this situation main reason.
For details, please visit: http://www.icsmaster.org/archives/ics/541
Industrial Control Ransomware
Here http://www.icsmaster.org/archives/ics/503 introduces in detail the first ransomware LogicLocker for programmable logic controllers (PLC) developed by Georgia Institute of Technology cybersecurity experts, using Schneider Modicon The original API interface of the M241 device scans the devices with known security vulnerabilities in the internal network of the industrial control system, breaks the security mechanism through infection and bypass, locks the legitimate users of the device, and sets logic that threatens physical and personal safety in the program* *, as a ransom for extortion.
Through our research, we found that there are many such ransomware viruses. The more famous ones are: ClearEnergy and Scythe. Among them, ClearEnergy can affect the equipment of many manufacturers, such as: Schneider Electric, AB, General Electric (GE) and other manufacturers. Unlike ClearEnergy’s attack on programmable logic controllers (PLCs), Scythe attacks SCADA devices. The attack relies on firmware verification bypassing vulnerabilities, which can be used to replace malware with legitimate firmware.
Industrial Control Radio
The attack technique discovered by CyberX in 2017 relies on PLCs and their radio frequency signals. Researchers chose to test on Siemens S7-1200 PLC, but experts believe that this attack may also be implemented on PLCs of other manufacturers. The data extraction method discovered by CyberX does not take advantage of any security vulnerabilities and design flaws in PCL, and the technology does not involve the radio frequency function of the device itself. On the contrary, the radio frequency signal sent by the device is a by-product of repeatedly writing data to the PLC memory.
Researchers analyzed the radio waves emitted by this system and found that the frequency of the radio waves changes when data is written to the device’s memory. If attackers can modify this frequency, they can extract data bit by bit. Among them, one frequency represents “0”, and the other frequency represents “1”. These signals can be captured by antennas set up nearby, and the data can be decoded using software-defined radio.
During the test, CyberX researchers succeeded in extracting data at a rate of 1 bit per second through an off-the-shelf antenna from a distance of about one meter. At the same time, researchers believe that if high-power antennas are used, this distance can be farther, and if the signal processing algorithm is improved, the data transmission rate can be further improved.
Industrial Control Payload Distribution
Industrial control payload distribution is a way of injecting the payload into the industrial control equipment, and then executing the attack script by making the target machine accessible. The attack steps are as follows:
1. The attacker searches the Internet for a PLC with enough space to store the payload. Modbus devices with dozens of KB of memory are easy to find.
2. The attacker uploads the payload to the memory of the PLC.
3. The attacker infects a host with a dropper, then uses the stager to “communicate” with Modbus, downloads and executes the stage from the PLC.
The advantages of using PLC holding registers to store payload are as follows:
1. Since a third-party PLC is used, it has good anonymity and it is very difficult to track. No need to upload the payload to the server.
2. Since the payload is stored in the PLC’s memory, it increases the difficulty of forensic analysis. In addition, once the payload is taken out, its content can be easily overwritten (even the stager itself can do this).
3. The current traditional information security defense system is bypassed because it does not recognize industrial control protocols, which is inherently concealed.