Why bother cracking PCs? Spot o' malware on PLCs... Done. Industrial control network pwned

Jumping the air gap

Security researchers have demonstrated a new technique for hacking air-gapped industrial control system networks, and hope their work will encourage the development of more robust defences for SCADA-based systems.

Air-gapped industrial networks are thought to be difficult if not impossible to hack partly because they are isolated from the internet and corporate IT networks. However, in practice there are multiple ways that attackers can deploy malware on such a network, including compromising vendor update mechanisms or infecting USB drives or laptops of third-party contractors who connect directly to the network for maintenance purposes.

During a presentation at the Black Hat Europe conference in London, UK, last week, researchers from CyberX ran through a scenario involving the initial deployment of malware that discovered the topology of an air-gapped network, the specific types of industrial devices connected into the system (as with the CrashOverride malware used in the 2016 Ukrainian grid attack), and perhaps sensitive documents the malicious code hoovers up along the way.

Even if this reconnaissance phase works like a charm, hackers are still left with the tricky problem of how to get their hands on this sensitive information.

Crims shut off Ukraine power in wide-ranging anniversary hacks


Previous work has shown how to exfiltrate data from air-gapped networks using RF signals emitted from PCs. That’s not ideal because persistent PC-based malware has a high probability of being detected.

The CyberX team went into the problem from a completely different direction by focusing on infecting Programmable Logic Controllers (PLCs), the building blocks of industrial control systems. PLCs have limited CPU/memory and run embedded real-time operating systems.

CyberX demonstrated how to inject specially-crafted ladder logic code into a Siemens S7-1200 PLC. The code uses memory copy operations to generate frequency-modulated RF signals slightly below the AM band (340kHz-420kHz), with the modulation representing encoded data.

The emitted RF signals are a byproduct of repeatedly writing to PLC memory in a specific way.

Once transmitted the signal can be picked up by a nearby antenna before been decoded using a low-cost Software-Defined Radio (SDR) and a PC. “The receiving equipment can be located just outside the facility or even mounted on a drone flying overhead,” according to CyberX.

power grid systems

The CyberX SCADA hack rig

The data exfiltration method does not rely on any vulnerability or design flaw in the Siemens PLC - this particular model and brand was simply chosen because it is widely used in the industry. The same approach might work on other kit, although this has not been tested. CyberX goes on to provide advice on how this potential attack might be mitigated.

Organisations can prevent these types of attacks with continuous monitoring and behavioural anomaly detection. For example, this approach would immediately detect the cyber reconnaissance phase preceding data exfiltration – such as devices scanning the network and querying devices for configuration information – as well as unauthorised updates to PLC ladder logic code to deploy the specially-crafted code to generate encoded RF signals.

The Black Hat presentation, entitled Exfiltrating Reconnaissance Data from Air-Gapped ICS/SCADA Networks, feature a live demo. Only very low data rates in the range of bits per second were achieved in the demo. In response to questions, CyberX researchers said that this data rate might be increased by using harmonics and other techniques designed to increase the bandwidth of transmissions.

The research - presented by CyberX’s David Atch and George Lashenko - focused on how to exfiltrate reconnaissance data after a successful intrusion to an air-gapped industrial control network, one phase of a potential attack.

“There are multiple ways that attackers can deploy reconnaissance malware to an air-gapped network, including compromising vendor update mechanisms via a water-holing attack (as in the original Dragonfly/Havex campaign, where three trusted ICS vendors had their software updates compromised by the Havex Trojan); infecting USB drives or laptops of third-party contractors who connect directly to the air-gapped network for maintenance purposes (as in Stuxnet); or by posting malicious ladder logic code to code-sharing repositories that gets downloaded by engineers who are looking to save development time,” according to CyberX.

Industroyer/CrashOverride also showed that it is now possible for malware to autonomously gather reconnaissance data about the environment, such as the models and configurations of installed equipment,” it added. ®

Other stories you might like

Biting the hand that feeds IT © 1998–2021