PLC-Blaster: A Worm Living Solely in the PLC

Presented at Black Hat Asia 2016

We will present and demonstrate the first PLC-only worm. Our PLC worm scans for and compromises Siemens Simatic S7-1200 PLCs, versions 1 through 3, without any external support: no PCs or additional hardware are required. The worm is fully self-contained and "lives" only on the PLC. Siemens S7-1200 PLCs offer several protection features; the access protection prevents the worm from compromising the PLC. To our knowledge, this is the first time such a worm has been publicly shown.

The Siemens Simatic PLCs are managed using a proprietary Siemens protocol. Using this protocol, the PLC may be stopped and started, and diagnostic information may be read. Furthermore, this protocol is used to upload and download user programs to and from the PLC. The older S7-300 and S7-400 PLCs are supported by several open-source solutions, such as snap7, which implement the protocols used on these older PLCs. These solutions have already been used to misuse PLCs for attacking purposes (Klick and Lau, Black Hat USA 2015). With the introduction of the S7-1200, the protocol was replaced by a new version that has not yet been publicly analyzed. We inspected the protocol based on the S7-1200v3 and implemented it ourselves in our ICShell. We are now able to install and extract any user program on these PLCs. These newest extensions to the ICShell have not been published yet.

Based on this work, we developed a PLC program which scans a local network for other S7-1200 PLCs. Once these are found, the program compromises them by uploading itself to these devices. The already installed user software is not removed and keeps running on the PLC. Our malware attaches itself to the original software and runs in parallel to the original user program. The operator does not notice any changed behavior. We developed the first PLC-only worm. The worm is written solely in the programming language SCL and does not need any additional support.

For the remote administration of the compromised PLCs, we implemented a Command&Control (C&C) server. Infected PLCs automatically contact the C&C server and may be remotely controlled over this connection. Using this connection, we can manipulate any physical input or output of the PLC. An additional proxy function enables us to reach any further system through a tunnel. Lastly, the Stop mode may be initiated through the C&C connection; recovering then requires a cold restart of the PLC by disconnecting the power supply. We will demonstrate the attack during our talk.

Our worm prevents its detection and analysis. If the operator connects to the PLC using the programming software TIA Portal 11, the operator may notice unnamed additional function blocks. But when accessing these blocks, the TIA Portal crashes, preventing forensic analysis.

The infection of the PLC takes roughly 10 seconds. While the infection is in progress, the PLC is in Stop mode. As soon as the infection has succeeded, the PLC undergoes a warm restart and the worm runs in addition to the original user program. Our worm malware requires 38.5 kB of RAM and 216.6 kB of persistent memory. If the PLC does not offer the memory required by the original user software plus our worm, the worm may overwrite the original user program. Depending on the actual S7-1200 model in use, different setups may be required.

Model     Available RAM (used by worm)   Available persistent memory (used by worm)
S7-1211   50 kB (77%)                    1 MB (21%)
S7-1212   75 kB (51%)                    1 MB (5%)
S7-1214   100 kB (38%)                   4 MB (5%)
S7-1215   125 kB (30%)                   4 MB (5%)
S7-1217   150 kB (25%)                   4 MB (5%)

A critical requirement for the execution of a PLC program is the cycle time for one full cycle of the user program. Our malware requires 7 ms per cycle. This is just 4.7% of the maximum cycle time configured by default on the PLC models we inspected. The original user program still has plenty of time to run.

By default, all Siemens Simatic S7-1200 v1-3 are susceptible to this attack: the PLC user programs may be uploaded and downloaded without any restriction. The Siemens Simatic PLCs support several protection mechanisms. We will explain these mechanisms and their effect on the attack. Among these protection features is the access protection, which does prevent the attack we will demonstrate. The access protection is disabled by default. With the introduction of the S7-1200v4, Siemens again introduced a new protocol; these PLCs are not susceptible to the attack.

While we present an attack via the Ethernet interface, the installation of the user program can also happen over the field bus interface. Using this interface, even PLCs not connected to the Ethernet network may be compromised: once the first PLC is infected via Ethernet, all other PLCs connected to the same field bus would be compromised as well. This talk emphasizes the significance of the built-in protection features in modern PLCs and their correct deployment by the user.

Presenters:

  • Hendrik Schwartke - OpenSource Security Ralf Spenneberg
    Hendrik Schwartke has a master's degree in Computer Science from the University of Applied Sciences Muenster. He works as a software developer at OpenSource Security Ralf Spenneberg. His main interests are software security and hardware hacking.
  • Maik Brueggemann - OpenSource Security Ralf Spenneberg
    Maik Brüggemann has a master's degree in Computer Science from the University of Applied Sciences Muenster. He works as a software developer and security engineer at OpenSource Security Ralf Spenneberg. His main interests are industrial control systems.
  • Ralf Spenneberg - OpenSource Security Ralf Spenneberg
    Ralf Spenneberg has used Linux since 1992 and worked as a system administrator since 1994. During this time, he worked on numerous Windows, Linux, and UNIX systems. Starting in 1998, he has been working as a freelancer in the Linux/UNIX field. Most of the time he provided Linux/UNIX training. His specialty is network administration and security (firewalling, VPNs, intrusion detection, forensics). He has published several German books on VPN, IDS, Firewalls, and Mandatory Access Control. His two current companies, OpenSource Training and OpenSource Security, offer training and support in the Network Security field. OpenSource Training was the first Sourcefire Authorized Training Center worldwide. OpenSource Security is providing pentesting services for governmental and commercial clients.