A new reality has been injected into the security of programmable logic controllers that vendors and defenders inside the enterprise alike must contend with.
A recently published research paper out of the Georgia Institute of Technology lays out attacks against PLCs on a new frontier: via the web-based applications served by the embedded web servers built into modern PLCs.
“Compromising Industrial Processes Using Web-Based Programmable Logic Controller Malware”, written by Ryan Pickren, Tohid Shekari, Saman Zonouz, and Raheem Beyah of the Georgia Institute of Technology, explains a new technique that avoids the known means of attacking PLCs via firmware vulnerabilities or modifications of control logic. In their attack, called IronSpider, the Georgia Tech researchers instead exploit commodity web vulnerabilities to access the web server’s control panel and disrupt an automation process, damage industrial equipment, or possibly endanger operators.
On this episode of the Nexus podcast, Pickren said that vendors’ inclusion of embedded web servers within PLCs has become fairly common in recent years, and that these servers enable remote tasks that were normally done with physical access via an engineering workstation, for example. Now, via the web server, operators are able to change control logic and setpoints, add users, reconfigure safety settings, and more. The web-based management portal also can replace human-machine interfaces, a staple inside control rooms, that normally communicate over the Modbus protocol or a serial connection.
“Now you get web visualization files that are modern HTML5 JavaScript GUIs, and that’s what’s been used to replace the HMI,” Pickren said. “Embedded web servers have technically been around for a while, but they’ve only recently become interesting.”
This new research opens the door to attacks against PLCs that previously were accessible only to advanced attackers. Remote capabilities are also expanded; for example, attackers can now use command-and-control servers that allow malware to communicate with the outside world.
“If you look at previous attacks on industrial control systems, one of the really big hurdles that people need to overcome is that you don't typically get a command and control connection. Having a client-server setup where your malware can communicate with the outside world is something you come to expect in the IT domain,” Pickren said. “But in the industrial control systems world, that's actually very, very rare and that's because these controllers are typically on a private network. They don't get an outlet to the public internet and so you have code running on this embedded device, on a LAN somewhere that doesn't have a router or connection to a modem at all.”
Pickren also explains that his team’s attack would be difficult to detect because the traffic looks like standard HTTPS web traffic, cross-origin from a browser; all of it would look like normal API usage.
“We're not actually communicating with the PLC in a way that's not expected or normal and so it does make it exceedingly challenging to detect,” he said, adding that even HMI traffic is often customized by the user to create the visualization files they need. “That code is supposed to be customized post-deployment. So it's not like the vendor could look at that code and say ‘Whoa. That's not what we wrote.’ It's supposed to be customized and so differentiating benign customized JavaScript code and malicious custom JavaScript is a really challenging problem.”
A handful of zero-day vulnerabilities were also uncovered during the course of the research and patched by the affected vendors. According to the paper, 80% of the global PLC market share was vulnerable to this attack. The paper also describes a framework that explains the malware lifecycle in four stages and how malicious code can target the front end of these web applications and imperil a PLC’s integrity.
“I think that this type of model is useful for not just developing your own sample malware but also analyzing ones you might find in the wild,” Pickren said of the framework. “So if in the future somebody were to realize, ‘Hey my PLC is acting funny’ and I've realized now that there's a new JavaScript file being imported that I don't recognize, this type of framework should hopefully allow people to quickly analyze and understand what it's doing.”
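One way to make the “a new JavaScript file I don’t recognize” check repeatable is to baseline the scripts a known-good HMI visualization page loads and compare later copies against it. The following is an added example, not code from the paper, the podcast, or any vendor; the page paths and the outside URL in the sample HTML are constructed placeholders.

```python
# Added example, not from the paper or the podcast: baseline the script
# imports of a known-good HMI visualization page and flag anything new.
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
            else:                       # inline block: capture its body
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

def script_fingerprints(html):
    """Identify each script as 'src:<url>' or 'inline:<sha256 prefix>'."""
    p = ScriptCollector()
    p.feed(html)
    ids = {f"src:{s}" for s in p.sources}
    ids |= {f"inline:{hashlib.sha256(b.encode()).hexdigest()[:16]}" for b in p.inline}
    return ids

def unknown_scripts(baseline_html, current_html):
    """Scripts present now but absent from the known-good baseline."""
    return script_fingerprints(current_html) - script_fingerprints(baseline_html)

# Constructed sample: a known-good page, and a later copy that imports one
# extra script from an outside origin (placeholder URL).
BASELINE_HTML = """<html><head>
<script src="/webvisu/runtime.js"></script>
<script>initHmi({refreshMs: 500});</script>
</head><body></body></html>"""
CURRENT_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="https://example.invalid/update.js"></script></head>')
```

Because inline scripts are fingerprinted by content hash, an edited inline block is reported as unknown just like a newly imported file.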
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.