Firmware Counterfeiting and Modification Attacks on Programmable Logic Controllers

Recent attacks on industrial control systems (ICSs), like the highly publicized Stuxnet malware, have perpetuated a race to the bottom where lower level attacks have a tactical advantage. Programmable logic controller (PLC) firmware, which provides a software-driven interface between system inputs and physically manifested outputs, is readily open to modification at the user level. Current efforts to protect against firmware attacks are hindered by a lack of prerequisite research regarding details of attack development and implementation. In order to obtain a more complete understanding of the threats posed by PLC firmware counterfeiting and the feasibility of such attacks, this research explores the vulnerability of common controllers to intentional firmware modifications. After presenting a general analysis process that takes advantage of various techniques and methodologies applied to similar scenarios, this work derives the firmware update validation method used for the Allen-Bradley ControlLogix PLC. A proof of concept demonstrates how to alter a legitimate firmware update and successfully upload it to a ControlLogix L61. Possible mitigation strategies discussed include digitally signed and encrypted firmware as well as preemptive and post-mortem analysis methods to provide protection. Results of this effort facilitate future research in PLC firmware security through direct example of firmware counterfeiting

Defending Against Firmware Cyber Attacks on Safety-Critical Systems

In the past, it was not possible to update the underlying software in many industrial control devices. Engineering teams had to ‘rip and replace’ obsolete components. However, the ability to make firmware updates has provided significant benefits to the companies who use Programmable Logic Controllers (PLCs), switches, gateways and bridges as well as an array of smart sensor/actuators. These updates include security patches when vulnerabilities are identified in existing devices; they can be distributed by physical media but are increasingly downloaded over Internet connections. These mechanisms pose a growing threat to the cyber security of safety-critical applications, which are illustrated by recent attacks on safety-related infrastructures across the Ukraine. Subsequent sections explain how malware can be distributed within firmware updates. Even when attackers cannot reverse engineer the code necessary to disguise their attack, they can undermine a device by forcing it into a constant upload cycle where the firmware installation never terminates. In this paper, we present means of mitigating the risks of firmware attack on safety-critical systems as part of wider initiatives to secure national critical infrastructures. Technical solutions, including firmware hashing, must be augmented by organizational measures to secure the supply chain within individual plants, across companies and throughout safety-related industries

Side-channel based intrusion detection for industrial control systems

Industrial Control Systems are under increased scrutiny. Their security is historically sub-par, and although measures are being taken by the manufacturers to remedy this, the large installed base of legacy systems cannot easily be updated with state-of-the-art security measures. We propose a system that uses electromagnetic side-channel measurements to detect behavioural changes of the software running on industrial control systems. To demonstrate the feasibility of this method, we show it is possible to profile and distinguish between even small changes in programs on Siemens S7-317 PLCs, using methods from cryptographic side-channel analysis.Comment: 12 pages, 7 figures. For associated code, see https://polvanaubel.com/research/em-ics/code

A Flashback on Control Logic Injection Attacks against Programmable Logic Controllers

Programmable logic controllers (PLCs) make up a substantial part of critical infrastructures (CIs) and industrial control systems (ICSs). They are programmed with a control logic that defines how to drive and operate critical processes such as nuclear power plants, petrochemical factories, water treatment systems, and other facilities. Unfortunately, these devices are not fully secure and are prone to malicious threats, especially those exploiting vulnerabilities in the control logic of PLCs. Such threats are known as control logic injection attacks. They mainly aim at sabotaging physical processes controlled by exposed PLCs, causing catastrophic damage to target systems as shown by Stuxnet. Looking back over the last decade, many research endeavors exploring and discussing these threats have been published. In this article, we present a flashback on the recent works related to control logic injection attacks against PLCs. To this end, we provide the security research community with a new systematization based on the attacker techniques under three main attack scenarios. For each study presented in this work, we overview the attack strategies, tools, security goals, infected devices, and underlying vulnerabilities. Based on our analysis, we highlight the current security challenges in protecting PLCs from such severe attacks and suggest security recommendations for future research directions

Forensic Attacks Analysis and the Cyber Security of Safety-Critical Industrial Control Systems

Industrial Control Systems (ICS) and SCADA (Supervisory Control And Data Acquisition) applications monitor and control a wide range of safety-related functions. These include energy generation where failures could have significant, irreversible consequences. They also include the control systems that are used in the manufacture of safety-related products. In this case bugs in an ICS/SCADA system could introduce flaws in the production of components that remain undetected before being incorporated into safety-related applications. Industrial Control Systems, typically, use devices and networks that are very different from conventional IP-based infrastructures. These differences prevent the re-use of existing cyber-security products in ICS/SCADA environments; the architectures, file formats and process structures are very different. This paper supports the forensic analysis of industrial control systems in safety-related applications. In particular, we describe how forensic attack analysis is used to identify weaknesses in devices so that we can both protect components but also determine the information that must be analyzed during the aftermath of a cyber-incident. Simulated attacks detect vulnerabilities; a risk-based approach can then be used to assess the likelihood and impact of any breach. These risk assessments are then used to justify both immediate and longer-term countermeasures

Enterprise platform systems management security threats and mitigation techniques

Developers and technologists of enterprise systems such as servers, storage and networking products must constantly anticipate new cybersecurity threats and evolving security requirements. These requirements are typically sourced from marketing, customer expectations, manufacturing and evolving government standards. Much ongoing major research focus has been on securing the main enterprise system purpose functionality, operating system, network and storage. There appears, however, to be far less research and a growing number of reports of vulnerabilities in the area of enterprise systems management hardware and software subsystems. Many recent examples are within types of subsystems such as baseboard management controllers (BMCs), which are intricate embedded subsystems, independent of the host server system functionality. A BMC is typically comprised of a specialized system-on-a-chip, RAM, non-volatile storage, and sensors, and runs an embedded LINUX Operating System. The BMC’s primary roles are always increasing in scope including managing system inventory, system operational health, thermal and power control, event logging, remote console access, provisioning, performance monitoring, software updates and failure prediction and remediation. To compromise or create a denial of service of such subsystems has an increasing impact on equipment manufacturers and large and small enterprises. This report’s primary objective is to research real-world and theoretical hardware and software cyber-attack vectors on enterprise product platforms, inclusive of BMCs, BIOS and other embedded systems within such products. For each presented attack vector, best practices and suggestions for effective avoidance and mitigation are explored. Domains of particular interest are physical access security, hardware manipulation and secure boot protections against software image manipulation, BIOS recovery and secure field debug techniques.Electrical and Computer Engineerin

Firmware Modification Analysis in Programmable Logic Controllers

Incorporating security in supervisory control and data acquisition (SCADA) systems and sensor networks has proven to be a pervasive problem due to the constraints and demands placed on these systems. Both attackers and security professionals seek to uncover the inherent roots of trust in a system to achieve opposing goals. With SCADA systems, a battle is being fought at the cyber -- physical level, specifically the programmable logic controller (PLC). The Stuxnet worm, which became increasingly apparent in the summer of 2010, has shown that modifications to a SCADA system can be discovered on infected engineering workstations on the network, to include the ladder logic found in the PLC. However, certain firmware modifications made to a PLC can go undetected due to the lack of effective techniques available for detecting them. Current software auditing tools give an analyst a singular view of assembly code, and binary difference programs can only show simple differences between assembly codes. Additionally, there appears to be no comprehensive software tool that aids an analyst with evaluating a PLC firmware file for modifications and displaying the resulting effects. Manual analysis is time consuming and error prone. Furthermore, there are not enough talented individuals available in the industrial control system (ICS) community with an in-depth knowledge of assembly language and the inner workings of PLC firmware. This research presents a novel analysis technique that compares a suspected-altered firmware to a known good firmware of a specific PLC and performs a static analysis of differences. This technique includes multiple tests to compare both firmware versions, detect differences in size, and code differences such as removing, adding, or modifying existing functions in the original firmware. A proof-of-concept experiment demonstrates the functionality of the analysis tool using different firmware versions from an Allen-Bradley ControlLogix L61 PLC

External Verification of SCADA System Embedded Controller Firmware

Critical infrastructures such as oil and gas pipelines, the electric power grid, and railways, rely on the proper operation of supervisory control and data acquisition (SCADA) systems. Current SCADA systems, however, do not have sufficient tailored electronic security solutions. Solutions available are developed primarily for information technology (IT) systems. Indeed, the toolkit for SCADA incident prevention and response is unavailing as the operating parameters associated with SCADA systems are different from IT systems. The unique environment necessitates tailored solutions. Consider the programmable logic controllers (PLCs) that directly connect to end physical systems for control and monitoring of operating parameters -- the compromise of a PLC could result in devastating physical consequences. Yet PLCs remain particularly vulnerable due to a lack of firmware auditing capabilities. This research presents a tool we developed specifically for the SCADA environment to verify PLC firmware. The tool does not require any modifications to the SCADA system and can be implemented on a variety of systems and platforms. The tool captures serial data during firmware uploads and then verifies them against a known good firmware baseline. Attempts to inject modified and/or malicious firmware are identified by the tool. Additionally, the tool can replay and analyze captured data by emulating a PLC during firmware upload. The emulation capability enables verification of the firmware upload from an interface computer without requiring modifications to or interactions with the operational SCADA system. The ability to isolate the tool from production systems and verify the validity of firmware makes the tool a viable application for SCADA incident response teams and security engineers