2025-02-24 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
With the continuous progress of technology, PLCs are becoming more intelligent: the number and kinds of interfaces keep growing, and the functions they offer are increasingly rich. Today a PLC is generally built on a tailored embedded system, and the communication protocols that originally ran over serial links have been moved onto TCP/IP, which gives attackers a convenient way in.
1. Attack through embedded system vulnerabilities
PLCs mostly use tailored real-time operating systems (RTOS) such as Linux RT, QNX, Lynx and VxWorks. These operating systems are widely used in communications, military, aviation, aerospace and other fields with demanding technology and real-time requirements, but their security problems cannot be ignored. The operating systems commonly used by PLCs are listed in Table 1.
Table 1 operating systems commonly used in PLC
Beresford et al. [1] pointed out that the Simatic PLC runs on an x86 Linux system, which means that if a payload can be injected, a shell can be spawned and connected to the device. In particular, all programs on the PLC run with root privileges, so once an attacker gets in, the consequences are very serious, as shown in Figure 1:
Fig. 1 Obtaining a shell on the PLC system
Much of the PLC software of Siemens and Schneider runs on VxWorks. wdbrpc is the remote debugging service of VxWorks; it communicates over UDP on port 17185. The protocol is based on Sun RPC, and the services it provides mainly support remote interaction with the system through the Tornado integrated development environment (Figure 2). According to information published by Lighthouse Lab [2], an attacker can dump the entire memory space through the wdbrpc protocol and find all FTP and Telnet login passwords in it. Further attacks include tampering with the bootline to bypass login authentication and dumping memory to harvest login passwords. In this way the normal operation of the PLC is disrupted by attacking the embedded real-time operating system.
Figure 2 Tornado development environment and VxWorks system diagram
2. Attack through vulnerabilities in the PLC communication protocol
Common industrial control protocols contain a large number of command words, such as reading and writing data. However, some of the advanced or vendor-defined custom functions often bring greater threats to user security: the slave diagnostic commands of the Modbus protocol can switch the slave device into listen-only mode, some command words of the CIP protocol can make the device restart directly, and the STOP CPU function of the S7 protocol stops the PLC program. In most cases, when configuring the host computer, users only use some of the protocol's data-reading functions and data-writing functions for a fixed range of fixed addresses, while the many other functions on the protocol stack are never used in system integration.
Langner et al. [3] pointed out that an attack can be carried out without inside knowledge of the control system or programming skills. Exploiting the S7 protocol vulnerability, code is injected into organization block OB1 (equivalent to the main function), so that the PLC executes the malicious code first in every scan cycle, and the legitimate code can be terminated at any time by calling the BEC (block end condition) instruction. In the case of Stuxnet, the termination condition was based on time and on the state of the industrial process.
Meixell et al. [4] pointed out that simple serial protocols such as Modbus and DNP3 have been encapsulated in IP datagrams, so an attacker can cause serious consequences simply by constructing an IP-based control packet and sending it to the PLC. Taking the Modbus protocol as an example, its main function codes are shown in Table 2 below; using function code 0x05, all registers can be set to 1 and all valves opened.
Table 2 Modbus packet structure and main function codes
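The point of the two preceding paragraphs, that a host computer normally needs only a handful of read function codes while the protocol also carries write and diagnostic commands, is easiest to see in a monitor that decodes each Modbus/TCP request and compares its function code against a per-site allowlist. The following is an added example written for this page, not code from the article or any vendor: the frame layout is the public Modbus/TCP MBAP header and PDU, the sample frames are constructed rather than captured, and the allowlist and severity labels are assumptions a site would tune.

```python
import struct
from dataclasses import dataclass

# Function codes that only read process data; a host computer configured
# for monitoring normally needs nothing else (assumed allowlist).
READ_ONLY_CODES = {0x01, 0x02, 0x03, 0x04}
# Codes that change outputs or state; the article's example is 0x05 (Write Single Coil).
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
# Diagnostics (0x08) sub-function 0x0004 is "Force Listen Only Mode":
# the slave stops answering, which is the diagnostic case the article describes.
DIAGNOSTIC_CODE = 0x08
LISTEN_ONLY_SUBFUNCTION = 0x0004


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header (transaction id, protocol id, length, unit id)
    followed by the PDU (function code + data)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def classify(req: ModbusRequest, allowed_codes=frozenset(READ_ONLY_CODES)) -> str:
    """Return a verdict string for one request relative to the allowlist."""
    fc = req.function_code
    if fc == DIAGNOSTIC_CODE and len(req.payload) >= 2:
        sub = struct.unpack(">H", req.payload[:2])[0]
        if sub == LISTEN_ONLY_SUBFUNCTION:
            return "critical: diagnostic force-listen-only (slave will stop responding)"
        return "alert: diagnostic sub-function 0x%04x" % sub
    if fc in WRITE_CODES and fc not in allowed_codes:
        return "alert: write function 0x%02x not in allowlist" % fc
    if fc not in allowed_codes:
        return "alert: unexpected function 0x%02x" % fc
    return "ok"


# Constructed sample frames (not captured traffic); hex laid out as
# MBAP(tid, proto, length, unit) then PDU(function code, data).
SAMPLES = {
    "read_holding":  bytes.fromhex("0001 0000 0006 01 03 0000 000A".replace(" ", "")),
    "write_coil_on": bytes.fromhex("0002 0000 0006 01 05 0010 FF00".replace(" ", "")),
    "listen_only":   bytes.fromhex("0003 0000 0006 01 08 0004 0000".replace(" ", "")),
}


def triage(samples=SAMPLES):
    """Decode and classify every sample frame; returns {name: verdict}."""
    return {name: classify(parse_modbus_tcp(frame)) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:14s} {verdict}")
```

In a deployment the allowlist would be keyed by source host as well, so that the engineering station keeps its write functions while a monitoring-only HMI is held to reads; the parser above is the part that stays the same.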
Tzokatziou et al. [5] pointed out that because the PLC communication protocol is transmitted in plaintext and there is no authentication of the communication peer, an attacker can use the CoDeSys system to connect directly to the PLC, capture the packets exchanged between them, and then send tampered control instructions directly to the PLC to start and stop it at will.
3. Attack through PLC software vulnerabilities
The software system of a PLC includes system monitoring software and user configuration software; the former monitors the operation of the controller itself, and the latter is used to write user programs. Taking Siemens PLCs as an example, the STEP 7 programming software is used for PLC programming, parameter setting and online debugging, while WinCC is mainly used for process monitoring.
A typical attack case is the 2010 Stuxnet attack on a nuclear facility in Iran [6]. The Stuxnet virus not only exploited four 0-day vulnerabilities in the Windows operating system but also two vulnerabilities in Siemens WinCC. (1) The WinCC system contained hard-coded credentials, a default account name and password used to access its data; Stuxnet used them to try to access the system's SQL database. (2) In the Step7 projects that WinCC relies on, the DLL loading strategy used when opening a project file was flawed, allowing an exploitation path similar to a "DLL preloading attack". Stuxnet then replaced the s7otbxsx.dll of the Step7 software with its own s7otbxsx.dll in order to hook some of the query and read functions.
Other attacks target the human-machine interface (HMI), depriving the operator of visibility. A typical case is the attack on the Ukrainian power grid in 2015 [7]. The attacker took control of a workstation node, obtained the same operating interface and permissions as the operator, and switched PLCs or changed operating parameters by remote control, causing failure or interruption of the power grid. Lighthouse Lab [8] pointed out that Unity Pro is the programming software for Schneider PLCs, and the OSLoader tool shipped with Unity Pro can upgrade the PLC's operating system firmware. After OSLoader logs in to the device, it tries to read the file system remotely, which enables remote uploads and downloads, so an attacker can easily bring the PLC down by replacing the firmware.
4. Attack through PLC interconnection
The industrial control network is developing in the direction of "one network to the end", and industrial control systems are ever more tightly connected both horizontally and vertically: the business layer can directly access data from the control layer and even control the equipment, and devices at the same level are linked to work together. PLCs are mainly used for process control, and a production process is often made up of many control steps, so multiple PLCs have to cooperate to complete a production task.
Fig. 3 using human-computer interface to attack PLC process
Radvanovsky et al. [9] pointed out that the SHINE (SHodan INtelligence Extraction) project launched in the United States extracts information about SCADA and ICS devices (especially PLCs and RTUs) that are reachable from the Internet. The SHODAN search engine works by scanning for common TCP/UDP ports, as listed in Table 3:
Table 3 comparison table of common protocols and ports
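The practical counterpart to Table 3, and to the wdbrpc service on UDP 17185 described in section 1, is a triage pass over flow records that maps destination ports to ICS services and rates each flow by where it comes from and what it moves. This is an added example written for this page, not code from the article or from SHINE/SHODAN: the port map uses the standard ports of the protocols the article names, the subnets are a hypothetical site layout, the flow lines are constructed, and the 1 MiB "looks like a memory dump" threshold is an assumption to be tuned.

```python
import ipaddress

# Standard ports of the protocols the article names (assumed mapping for the example).
ICS_SERVICES = {
    ("tcp", 502):   "Modbus/TCP",
    ("tcp", 102):   "S7comm (ISO-TSAP)",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP (CIP)",
    ("udp", 17185): "VxWorks WDB debug agent (wdbrpc)",
}

# Hypothetical site layout: only the engineering subnet may talk to PLC services,
# and any source outside the site ranges counts as Internet-facing exposure.
ENGINEERING_NET = ipaddress.ip_network("10.10.5.0/24")
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# A wdbrpc session moving more than this looks like a memory dump, not a debug poke (assumed).
DUMP_BYTES = 1 << 20


def parse_flow(line):
    """One constructed flow record: '<proto> <src_ip> <src_port> <dst_ip> <dst_port> <bytes>'."""
    proto, src, sport, dst, dport, nbytes = line.split()
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "bytes": int(nbytes)}


def assess(flow):
    """Return (severity, service, reason) for a flow to a PLC service, else None."""
    service = ICS_SERVICES.get((flow["proto"], flow["dport"]))
    if service is None:
        return None
    src = flow["src"]
    if flow["proto"] == "udp" and flow["dport"] == 17185:
        # The debug agent has no place on a production network at all.
        reason = "debug agent reachable on the production network"
        if flow["bytes"] >= DUMP_BYTES:
            reason += f"; {flow['bytes']} bytes transferred, consistent with a memory dump"
        return ("critical", service, reason)
    if not any(src in net for net in SITE_NETS):
        return ("critical", service, "PLC service reached from outside the site ranges")
    if src not in ENGINEERING_NET:
        return ("alert", service, "source is not an engineering station")
    return ("info", service, "expected engineering-station traffic")


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    "tcp 10.10.5.12 51000 10.10.9.20 502 640",          # engineering station -> PLC, Modbus
    "tcp 192.168.40.7 40211 10.10.9.20 102 1200",       # office host -> PLC, S7 port
    "tcp 203.0.113.45 3331 10.10.9.21 502 220",         # external address -> PLC, Modbus
    "udp 192.168.40.7 5100 10.10.9.22 17185 4194304",   # wdbrpc with ~4 MiB transferred
    "tcp 10.10.5.12 51010 10.10.9.30 443 900",          # not an ICS service, ignored
]


def triage_flows(lines):
    """Return (src, dst, dport, severity, service, reason) for every flagged flow."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict = assess(flow)
        if verdict is not None:
            findings.append((str(flow["src"]), str(flow["dst"]), flow["dport"], *verdict))
    return findings


if __name__ == "__main__":
    for finding in triage_flows(SAMPLE_FLOWS):
        print(*finding, sep=" | ")
```

The ordering of the checks matters: the debug-agent rule fires before the subnet rules because wdbrpc should not be reachable even from the engineering station, whereas Modbus or S7 from an engineering host is the expected baseline that the other alerts are measured against.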
Newman [10] points out that staff on duty in a prison control room introduced viruses and worms by browsing pictures and movies online. Some prisons provide Internet access for prisoners; although it is not directly connected to the prison control and surveillance system, it is also a reachable weak point. The prison patrol vehicles, which use wireless links, must connect to the prison network to upload data and are also an entry point for attack.
Klick [11] pointed out at Black Hat USA 2015 that PLCs lack security mechanisms: code can usually be uploaded to Internet-facing PLCs, which can then be used as gateways to infiltrate production networks and even corporate IT networks. Klick used the PLC programming language STL to write a port scanner and a SOCKS proxy, then used the infected PLC to scan the local network and act as a gateway to reach other PLCs and even the corporate business network, as shown in Figure 4:
Fig. 4 system level diagram within the company
McLaughlin [12] designed malware for PLCs that generates its packet payload dynamically. With this tool an attacker needs no prior knowledge of the control system, which greatly lowers the bar for attacking PLCs. The process is to first infect one or more hosts with the generated payload, then analyze the industrial process, then decode the binary, and finally trim the generated payload, upload it to the PLC and run it. The specific process is shown in Figure 5:
Figure 5 dynamic generation of malicious payload process
In another article [13], McLaughlin developed Sabot, a tool for automatically generating PLC payloads; it automatically identifies the PLC's control logic and generates malicious PLC code, as shown in Figure 6:
Fig. 6 schematic diagram of Sabot attack process
Spenneberg [14] used the Siemens SIMATIC S7-1200 as an example at Black Hat Asia 2016 to demonstrate a worm that lives only on PLCs. This worm does not rely on PCs to spread: it is active and running only inside the PLC, finds new targets (other PLCs) by network scanning, attacks them and copies itself into the new PLC, while the infected PLC's main program remains unchanged. In this way it can locate targets, carry a malicious payload and perform other attacks. Moreover, removing such a worm is very difficult; at present the only options are to restore factory settings or overwrite the function block where the worm resides. The infection process is shown in Figure 7:
Fig. 7 process of worm infecting PLC
The execution of the code is shown in Figure 8:
Figure 8 malicious code execution process of worm
To sum up, the security situation of PLCs is not optimistic: there are many attack paths against PLCs and the attacks are becoming ever deeper, so there is a long way to go in PLC security protection.
This article is reprinted; the original text is from Jinri Toutiao, "Science and Technology Branch of China Security Association".