PLCHijacking | Cyber Attack Proof of Concept in Critical Infrastructure, SCADA and ICS

September 25, 2018 | Written by: Erran Goldstein




The PLCHijacking / PLCDisconnect Proof of Concept (PoC) demonstrates an advanced cyber attack vector which aims to silently manipulate the production automation process in Critical Infrastructure, SCADA and ICS.

In recent years the use of different detection methodologies and techniques in critical infrastructure and SCADA systems has been growing noticeably. Some of these methodologies merge the protection of physical components with the protection of the different communication layers, while others are based on anomaly detection within the processes of SCADA systems and OT networks. Alongside the development of these protection and detection capabilities, one can also see the development of cyber attack vectors which combine advanced clandestine techniques with lateral movement within OT networks and SCADA systems in Critical Infrastructure.

The PLCHijacking / PLCDisconnect Proof of Concept (PoC) demonstrates an advanced cyber attack vector which aims to silently manipulate the production automation process. The scenario consists of three phases and chains several vulnerabilities which were discovered earlier this year by CRITIFENCE’s Critical Infrastructure and SCADA/ICS Cyber Threats Research Group, plus one additional 0-day vulnerability:


  • Schneider Electric Modicon Modbus Protocol (ICSA-17-101-01)
  • Authentication Bypass by Capture-Replay (CVE-2017-6032)
  • Violation of Secure Design Principles (CVE-2017-6034)
  • Important Cyber Security Notification - Modicon Family of PLCs (SEVD-2017-065-01)
  • Network Configuration Bypass Vulnerability (CVE-2018-7798)


Network Configuration Bypass Vulnerability | 0-Day Vulnerability (CVE-2018-7798)

CRITIFENCE® Critical Infrastructure and SCADA/ICS Cyber Threats Research Group identified a vulnerability involving the improper implementation of the network configuration module in the UMAS protocol, a kernel-level protocol and administrative control layer that relies on the Modbus protocol. The vulnerability allows a malicious attacker to disconnect a target PLC from the OT network or to intercept the target PLC's network traffic. Affected products include, but are not limited to, all products which support the Modicon Modbus/UMAS protocol. Our proof of concept was tested on the following PLC models:


  • Schneider Electric Modicon M221 Series


PLCHijacking | Cyber Attack Flow Diagram

Phase A

Malware which has infected a PC runs the PLC Redirect Tool (PRT) and starts listening on port 502 (Modbus).

PLC Redirect Tool (PRT)
Python tool (currently supports the Modbus, DNP3 and CIP protocols) which listens for incoming connections on a specific port, intercepts requests, modifies the value(s) of pre-configured register(s) and redirects all other requests to the target PLC.



Phase B

The malware sends the exploit code to the target PLC at 10.10.10.100, changes the target PLC's IP address to 10.10.10.200 and changes the IP address of the PC to 10.10.10.100. As a result, the SCADA system communicates with the PC instead of with the PLC. The PLC Redirect Tool (PRT) on the infected PC intercepts the Modbus traffic, modifies the value(s) of the pre-configured register(s), and redirects all other requests to the target PLC.

UMAS Network Configuration Tool (UNCT) - 0-Day Exploit
Python tool based on a 0-day vulnerability in the UMAS protocol (Modbus) which is able to modify the network configuration of a target PLC (IP address, subnet mask, default gateway). The exploit code was tested on M221 Series PLCs (Schneider Electric).



Example Payload
  • IP Address: 192.168.0.61
  • Default Gateway: 192.168.0.1
  • Subnet Mask: 255.255.255.0

network_configuration = "\xc0\xa8\x00\x3d\xc0\xa8\x00\x01\xff\xff\xff\x00"
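As an added illustration (not part of CRITIFENCE's tools), the following Python decodes a 12-byte network configuration payload in the layout above and shows a defender-side check for Phase B: a constructed ARP-watch style log in which the PLC's MAC address reappears on 10.10.10.200 while its original IP 10.10.10.100 is answered by a different device. The PLC MAC address and the log lines are constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed baseline for the PLC in the scenario (the MAC is an assumption).
PLC_IP = "10.10.10.100"
PLC_MAC = "00:80:f4:aa:bb:cc"

# Constructed ARP-watch style log: "<timestamp> <ip> <mac>", one entry per line.
# Entries 2 and 3 mirror Phase B: the PLC reappears on 10.10.10.200 and the
# PLC's old IP is now answered by another device (the redirecting PC).
ARP_LOG = """\
2018-09-25T10:00:01 10.10.10.100 00:80:f4:aa:bb:cc
2018-09-25T10:00:31 10.10.10.200 00:80:f4:aa:bb:cc
2018-09-25T10:00:32 10.10.10.100 08:00:27:11:22:33
"""


def decode_network_configuration(payload: bytes) -> Dict[str, object]:
    """Decode IP, gateway and mask (4 bytes each, network byte order)."""
    if len(payload) != 12:
        raise ValueError("network configuration payload must be 12 bytes")
    ip, gateway, mask = (ipaddress.IPv4Address(payload[i:i + 4]) for i in (0, 4, 8))
    # Raises ValueError if the mask is not a valid netmask.
    network = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return {
        "ip": str(ip),
        "gateway": str(gateway),
        "mask": str(mask),
        # A gateway outside the PLC's own subnet would leave the PLC unreachable.
        "gateway_in_subnet": gateway in network,
    }


def detect_plc_address_swap(log: str, plc_ip: str, plc_mac: str) -> List[str]:
    """Alert when the PLC's IP/MAC binding changes in either direction."""
    alerts = []
    for line in log.splitlines():
        ts, ip, mac = line.split()
        mac = mac.lower()
        if ip == plc_ip and mac != plc_mac:
            alerts.append(f"{ts}: {ip} answered by {mac}, expected PLC MAC {plc_mac}")
        elif mac == plc_mac and ip != plc_ip:
            alerts.append(f"{ts}: PLC MAC {mac} moved to {ip}, expected {plc_ip}")
    return alerts


if __name__ == "__main__":
    print(decode_network_configuration(b"\xc0\xa8\x00\x3d\xc0\xa8\x00\x01\xff\xff\xff\x00"))
    for alert in detect_plc_address_swap(ARP_LOG, PLC_IP, PLC_MAC):
        print(alert)
```

In a real deployment the baseline would come from the asset inventory and the log from an ARP monitor or passive network sensor on the OT segment.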



Phase C

Finally, the malware sends a direct command to the target PLC which opens the steam valve (actuator). This causes the fluid to overheat and leads to an explosion.

Modbus Client
Python tool (currently supports the Modbus protocol) which sends read and write requests to the target PLC.






Conclusions

Because new cyber attack vectors in SCADA systems and OT networks rely on multiple chained threats, detecting a single vulnerability or vector is not enough; detection requires real-time correlation and advanced analysis across several cyber threats and vectors.

Due to the silent nature of these cyber attack vectors in SCADA systems, understanding the full cyber attack kill chain is mandatory. Otherwise, it can be complicated to detect the real root of the problem and to isolate the infected device during the cyber attack.



PLCDisconnect | Proof of Concept (PoC)

For more information about the CRITIFENCE® Cyber Security Solution for Critical Infrastructure, SCADA and Industrial Control Systems and the SCADADome solution, download the SCADADome Solution White Paper.