Why bother cracking PCs? Spot o' malware on PLCs... Done. Industrial control network pwned

Jumping the air gap

Security researchers have demonstrated a new technique for hacking air-gapped industrial control system networks, and hope their work will encourage the development of more robust defences for SCADA-based systems.

Air-gapped industrial networks are thought to be difficult if not impossible to hack partly because they are isolated from the internet and corporate IT networks. However, in practice there are multiple ways that attackers can deploy malware on such a network, including compromising vendor update mechanisms or infecting USB drives or laptops of third-party contractors who connect directly to the network for maintenance purposes.

During a presentation at the Black Hat Europe conference in London, UK, last week, researchers from CyberX ran through a scenario in which initially deployed malware discovers the topology of an air-gapped network and the specific types of industrial devices connected to it (as the CrashOverride malware used in the 2016 Ukrainian grid attack did), and perhaps hoovers up sensitive documents along the way.

Even if this reconnaissance phase works like a charm, attackers are still left with the tricky problem of getting the harvested information out of a network that has no link to the outside world.



Previous work has shown how to exfiltrate data from air-gapped networks using RF signals emitted from PCs. That’s not ideal because persistent PC-based malware has a high probability of being detected.

The CyberX team went into the problem from a completely different direction by focusing on infecting Programmable Logic Controllers (PLCs), the building blocks of industrial control systems. PLCs have limited CPU/memory and run embedded real-time operating systems.

CyberX demonstrated how to inject specially crafted ladder logic code into a Siemens S7-1200 PLC. The code uses memory copy operations to generate frequency-modulated RF signals in the 340kHz to 420kHz range, just below the AM broadcast band, with the modulation carrying the encoded data.

The emitted RF signals are a byproduct of repeatedly writing to PLC memory in a specific way.

Once transmitted, the signal can be picked up by a nearby antenna and decoded using a low-cost Software-Defined Radio (SDR) and a PC. “The receiving equipment can be located just outside the facility or even mounted on a drone flying overhead,” according to CyberX.
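A simplified, runnable model of the channel described above, added here as an example; it is not CyberX's code and the page does not say how the ladder logic times its memory copies. The PLC side is reduced to "radiate one of two tones per bit" (binary FSK between the 340 kHz and 420 kHz band edges the article gives), and the SDR side decides each bit by comparing Goertzel power at the two tones. The bit period, the noise level and the 0x55 preamble are assumptions; the bit period is shortened so the simulation runs quickly, whereas the live demo managed only bits per second.

```python
import math
import random

# Two-tone (binary FSK) model of the leakage. The article places the emission
# between 340 kHz and 420 kHz; the band edges are used as the two tones.
F_SPACE = 340_000          # Hz, radiated for a 0 bit
F_MARK = 420_000           # Hz, radiated for a 1 bit
SAMPLE_RATE = 2_000_000    # Hz, > 2 * F_MARK so both tones sit below Nyquist
BIT_SECONDS = 0.001        # assumption, shortened for simulation speed
SAMPLES_PER_BIT = int(SAMPLE_RATE * BIT_SECONDS)
PREAMBLE = b"\x55"         # assumption: 01010101 lets the receiver confirm alignment


def to_bits(data):
    """MSB-first bit list for a byte string."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits):
    """Inverse of to_bits; a trailing partial byte is discarded."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def plc_emission(bits, noise_sigma=0.5, seed=1):
    """What the antenna sees: for each bit the PLC's copy loop radiates one
    tone for BIT_SECONDS (continuous phase), buried in white noise."""
    rng = random.Random(seed)
    samples = []
    phase = 0.0
    for bit in bits:
        step = 2 * math.pi * (F_MARK if bit else F_SPACE) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.cos(phase) + rng.gauss(0.0, noise_sigma))
            phase += step
    return samples


def goertzel_power(block, freq):
    """Energy at one DFT bin of `block` (Goertzel algorithm)."""
    n = len(block)
    k = round(n * freq / SAMPLE_RATE)   # nearest bin; exact for both tones here
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def sdr_demodulate(samples):
    """Non-coherent FSK detector: per bit period, the stronger tone wins."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        block = samples[start:start + SAMPLES_PER_BIT]
        mark = goertzel_power(block, F_MARK)
        space = goertzel_power(block, F_SPACE)
        bits.append(1 if mark > space else 0)
    return bits


def exfiltrate(payload, noise_sigma=0.5):
    """End to end: PLC radiates preamble+payload, receiver recovers the payload."""
    samples = plc_emission(to_bits(PREAMBLE + payload), noise_sigma)
    frame = from_bits(sdr_demodulate(samples))
    if not frame.startswith(PREAMBLE):
        raise ValueError("preamble not recovered: channel too noisy or misaligned")
    return frame[len(PREAMBLE):]


def airtime_seconds(payload):
    """Seconds of emission needed for `payload` at this bit period."""
    return len(to_bits(PREAMBLE + payload)) * BIT_SECONDS


if __name__ == "__main__":
    recon = b"S7-1200 CPU 1212C"   # constructed reconnaissance string
    print(exfiltrate(recon), airtime_seconds(recon), "s on air")
```

Raising `noise_sigma` shows where the channel breaks: the receiver keeps working long after the tone is invisible in the raw samples because the Goertzel bin integrates over the whole bit period, which is also why pushing the data rate up (shorter bit periods) costs noise margin. Set BIT_SECONDS to 1.0 to see the demo's real constraint: a single 100-byte device inventory then takes over thirteen minutes on air.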


The CyberX SCADA hack rig

The data exfiltration method does not rely on any vulnerability or design flaw in the Siemens PLC; this particular brand and model were simply chosen because they are widely used in the industry. The same approach might work on other kit, although this has not been tested. CyberX goes on to provide advice on how this potential attack might be mitigated.

Organisations can catch these attacks before any data leaves the building through continuous monitoring and behavioural anomaly detection, it says. That approach would immediately flag the reconnaissance phase preceding exfiltration, such as a device scanning the network and querying PLCs for configuration information, as well as the unauthorised update to PLC ladder logic needed to deploy the code that generates the encoded RF signals.
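The two signals the paragraph names, run over a handful of constructed log lines, as an added example that is not CyberX's product or code. The log format, the function labels and the allow-list of engineering workstations are assumptions: the S7 system status list (SZL) read used for module identification and the block download that writes logic to the CPU are the kinds of request a passive ICS monitor labels, but the exact field names here are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event log (hypothetical format) as a passive ICS monitor might
# emit it: one S7comm request per line. read_szl = module identification
# query, download_block = writing a logic block to the PLC.
LOG = """\
2017-12-06T02:14:03Z proto=s7comm src=10.1.5.77 dst=10.1.5.21 func=read_szl
2017-12-06T02:14:04Z proto=s7comm src=10.1.5.77 dst=10.1.5.22 func=read_szl
2017-12-06T02:14:05Z proto=s7comm src=10.1.5.77 dst=10.1.5.23 func=read_szl
2017-12-06T02:14:06Z proto=s7comm src=10.1.5.77 dst=10.1.5.24 func=read_szl
2017-12-06T02:20:11Z proto=s7comm src=10.1.5.77 dst=10.1.5.21 func=download_block block=OB1
2017-12-06T09:00:12Z proto=s7comm src=10.1.5.10 dst=10.1.5.21 func=read_szl
2017-12-06T09:00:40Z proto=s7comm src=10.1.5.10 dst=10.1.5.21 func=download_block block=FC5
""".splitlines()

# Assumed baseline: the only hosts permitted to change PLC logic.
ENGINEERING_WORKSTATIONS = {"10.1.5.10"}
IDENTITY_QUERIES = {"read_szl"}
LOGIC_WRITES = {"download_block"}
RECON_DISTINCT_PLCS = 3             # distinct PLCs identified inside the window
RECON_WINDOW = timedelta(minutes=5)


def parse(line):
    """Split one log line into a dict; timestamps become datetimes."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(lines):
    """Return (kind, src, detail) alerts in log order.

    RECON: one source identifies RECON_DISTINCT_PLCS or more PLCs within
           RECON_WINDOW (reported once per source).
    LOGIC_CHANGE: a logic download from a host outside the allow-list.
    """
    alerts = []
    identity_hits = defaultdict(list)   # src -> [(ts, dst)]
    recon_reported = set()
    for rec in map(parse, lines):
        if rec["func"] in LOGIC_WRITES and rec["src"] not in ENGINEERING_WORKSTATIONS:
            alerts.append(("LOGIC_CHANGE", rec["src"],
                           f"{rec['dst']}:{rec.get('block', '?')}"))
        if rec["func"] in IDENTITY_QUERIES and rec["src"] not in recon_reported:
            hits = identity_hits[rec["src"]]
            hits.append((rec["ts"], rec["dst"]))
            recent = sorted({d for t, d in hits if rec["ts"] - t <= RECON_WINDOW})
            if len(recent) >= RECON_DISTINCT_PLCS:
                recon_reported.add(rec["src"])
                alerts.append(("RECON", rec["src"], ",".join(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(*alert)
```

The contractor laptop at 10.1.5.77 trips both rules at 02:14 and 02:20, while the engineering workstation's single identification query and its later download to the same PLC pass. The allow-list is the weak point of this scheme: in the Stuxnet-style scenario the article describes, the compromised machine is the engineering workstation itself, so a second rule comparing each downloaded block against the approved project file is the natural extension.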

The Black Hat presentation, entitled Exfiltrating Reconnaissance Data from Air-Gapped ICS/SCADA Networks, featured a live demo. Only very low data rates, in the range of bits per second, were achieved in the demo. In response to questions, CyberX researchers said that this data rate might be increased by using harmonics and other techniques designed to increase the bandwidth of transmissions.

The research, presented by CyberX’s David Atch and George Lashenko, focused on how to exfiltrate reconnaissance data after a successful intrusion into an air-gapped industrial control network, one phase of a potential attack.

“There are multiple ways that attackers can deploy reconnaissance malware to an air-gapped network, including compromising vendor update mechanisms via a water-holing attack (as in the original Dragonfly/Havex campaign, where three trusted ICS vendors had their software updates compromised by the Havex Trojan); infecting USB drives or laptops of third-party contractors who connect directly to the air-gapped network for maintenance purposes (as in Stuxnet); or by posting malicious ladder logic code to code-sharing repositories that gets downloaded by engineers who are looking to save development time,” according to CyberX.

“Industroyer/CrashOverride also showed that it is now possible for malware to autonomously gather reconnaissance data about the environment, such as the models and configurations of installed equipment,” it added. ®


Biting the hand that feeds IT © 1998–2022