Traditional forensics on programmable logic controllers (PLCs) generally relies on extracting logs from the Windows-based engineering workstations that program them, and on artifacts from other systems on the enterprise network.
Extracting artifacts from the PLC itself is a harder proposition, given the proprietary nature of these operational technology (OT) devices and, in particular, of the protocols over which they communicate.
In this episode of the Nexus Podcast, Claroty Team82 researcher Noam Moshe explains the challenges involved in gathering attack artifacts from OT devices, in this case, Unitronics PLCs that were exploited in 2023 in attacks against water facilities in the U.S. and Israel.
Unitronics’ Vision line of PLCs consists of integrated HMI/PLC devices that control numerous physical processes in water treatment facilities and other industries. In the 2023 attacks, a group known as CyberAv3ngers, believed to be linked to Iranian state-sponsored activity, defaced devices at the affected facilities.
In most cases, the devices were exposed directly to the internet with no effective authentication in place (they were reachable with default or no credentials), which greatly facilitated these attacks.
During this discussion, Moshe explains how this threat actor’s actions were largely meant to demonstrate their access to the PLCs and to instill fear and chaos, rather than to directly manipulate water quality or availability.
Team82 researched the affected devices, in particular the PCOM protocol developed by Unitronics for communication between the PLCs and engineering workstations. Two forensics tools were developed for this research project. They allowed Team82 not only to connect to the PLCs, but also to extract information about the attackers’ activities, including the dates and times at which the illicit connections were made, system information, keyboard configurations, and more.
Unitronics has addressed the vulnerability disclosed by Team82. Both forensic tools are freely available on Team82’s GitHub page.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.