Greetings from the '90s: Exploiting the Design of Industrial Controllers in Modern Settings

Presented at Black Hat Europe 2021, Nov. 11, 2021, 10:20 a.m. (40 minutes)

Recent years have witnessed a growing volume of research on the security of embedded systems used in industrial process control applications, including Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs). This increased interest reflects both the large number of "low-hanging fruit" vulnerabilities, which make industrial controllers attractive research targets, and the increased interest of adversaries in subverting industrial processes. To date, research efforts have predominantly focused on firmware vulnerabilities or on bypassing traditional security controls implemented as part of the PLC's software. In this talk we will introduce a novel exploitation vector, one previously unconsidered in existing works.

More specifically, we will show how PLC programming practices, user APIs, and memory allocation for function blocks from the Library Functions open the door to automated enumeration of PLC control logic, identification of key infrastructure configuration parameters and process control variables, and their consequent targeted manipulation to achieve a desired attack impact. Additionally, allocated but unused memory can be applied to the establishment of covert C2 channels, through which attackers are afforded the ability to run standard security tools, exfiltrate data and execute high-precision cyber-physical attacks on previously inaccessible network segments. To keep the story realistic and interesting, we formulate our threat scenario around a realistic industrial network architecture with the advisable security measures in place, including the integration of network monitoring and segregation from the Internet via firewalls.

The set of proposed exploitation techniques is stealthy and allows for the development of fully automated physical damage payloads of high precision, significantly raising the level of attacker capabilities. The main purpose of this talk is to initiate a discussion around the need for guidance and best practices to support DevSecOps for industrial equipment, which take into account the engineering designs of the equipment and the specifics of its usage in cyber-physical applications. Current PLC software designs and programming practices are still largely under-researched. With this talk we provide an example of their unexplored attack surface and a novel vulnerability class, and invite the security community to conduct further research into the topic.

Presenters:

  • Ric Derbyshire - PhD Student & Cyber Security Researcher, Lancaster University
    Ric Derbyshire is a PhD student and cyber security researcher at Lancaster University. His research involves both offensive and defensive elements of cyber security, more specifically adversary-centric risk assessment. He has worked in the cyber security industry since 2012 and, as such, endeavours to keep industrial applicability and usability at the forefront of his academic work.
  • Marina Krotofil - Security Researcher,  
    Marina Krotofil is a cyber security professional with over a decade of hands-on experience in securing Industrial Control Systems (ICS) who has held leading engineering roles in industry. Throughout her career she has discovered numerous novel attack vectors with associated exploitation techniques, as well as designed novel defence methods for critical infrastructures. Marina is an experienced threat analyst, incident responder and forensic investigator of ICS attacks. She frequently collaborates with international organizations on the topics of critical infrastructure security and is a regular speaker at leading conference stages worldwide.