Security vendor CyberX is to demonstrate how to jump the industrial control system (ICS) air gap at Black Hat Europe this week. The attack targets Programmable Logic Controllers (PLCs), which are widely used in manufacturing, especially in robotic assembly lines. By targeting PLCs, the attackers can bypass existing IT security solutions.
According to David Atch, VP of Research for CyberX: “Organizations often have a false sense of security if their networks are air-gapped, or isolated from the Internet. This exploit demonstrates that even truly air-gapped networks are vulnerable to targeted attacks by determined adversaries.
“It’s also important to note that the exploit doesn’t rely on any security vulnerabilities or design flaws in the PLC itself, but rather, exploits inherent ‘insecure by design’ aspects of most industrial protocols in use today, such as weak or no authentication, which make it easier to upload malicious code into PLCs.”
How does the attack work?
The details of the attack will be made public on Thursday along with the code that CyberX has developed. It works by using ladder logic, the programming language used by many PLCs. This is a fairly rudimentary language developed for engineers rather than programmers. As such, it would be a simple job for an attacker to learn.
The attack does rely on the attackers getting their modified ladder logic code onto the air-gapped PLCs. CyberX says it will show how that can be achieved during its live demonstration on Thursday. Once the code is on the PLCs, it exfiltrates data using radio signals. Those signals can be picked up using a simple AM radio and decoded easily on a PC.
This would allow the attackers to gain information about the design, data and passwords used by the ICS systems. That data would then be used to craft more serious attacks. These could include shutting down robotic production lines or taking out critical national infrastructure (CNI). The latter could include shutting down water pumps at power stations or water works.
Why attack an ICS PLC rather than a PC?
A lack of security. A long-term attack against ICS PLCs run from a local PC would run the very real risk of being detected by local security software. The exfiltration of any data is also a challenge, as there is a risk of it being detected. PLCs have limited processing power and memory. As a result, no vendor has attempted, or wants to attempt, to create local security software for them. Very few even use signed code or any method of validating software updates. All of this leaves them vulnerable to attack.
What does this mean?
There are several open questions about this attack. The first is how much CyberX will really expose. Will they show how they attack the software update process to get the ladder logic code onto the PLCs? Will they provide enough code snippets during the presentation to allow a hacker to walk away and build their own exploit? How transferable will the attack be to other groups of PLCs outside those used in the demonstration? All of this will become clear on Thursday when CyberX delivers its session at Black Hat Europe.
Despite these questions, there are some serious issues here. The reliance on air-gapped systems to provide security has, once again, been shown to be a false measure of security. While the skills required by the hackers are different to just slamming PCs with malware and phishing attacks, they are not difficult to obtain. Those who would look to make such attacks are also a different category of hacker. They are not looking for a quick cryptocurrency payday. Instead, they are looking to make a more serious political point or to cause damage.
It will be interesting to see how the ICS PLC industry responds to this attack.