Conference:  Black Hat USA 2022
2022-08-10

The programmable logic controller (PLC) is a reliable hardware device that implements complex monitoring and control logic for industrial control systems. The pursuit of advanced features has driven ICS vendors to new-generation PLCs that contain a full standard OS environment (e.g., Windows or Linux), commonly known as PC-based PLCs or SoftPLCs. Siemens' SoftPLC is the ET 200SP and, unlike common PLCs (which typically use customized processors), it contains a standard Intel Atom CPU. The PLC runs a hypervisor that controls two VMs: Windows and Adonis Linux, which Siemens calls the SWCPU. The Adonis kernel runs the programmable control logic and functions as a software PLC. The SWCPU is stored encrypted in the PLC storage and is decrypted by the hypervisor during the boot process.

Since the boot process of the ET 200SP is not secured, an attacker can boot an OS of their choice and read the full filesystem, including the hypervisor binary, the encrypted SWCPU, and the GRUB configuration files. Surprisingly, this filesystem is also accessible from the Windows VM. We located the code in the hypervisor that decrypts the SWCPU and ran it in a standard Linux environment under Intel Pin. We managed to extract the plaintext SWCPU, which had been kept secret for years, ever since Siemens, like other vendors, started encrypting firmware before release. That the decryption succeeds on an ordinary machine, with no device-bound secret involved, indicates that the decryption key is hard-coded.

Our initial research shows evidence that the SWCPU shares a codebase with other Siemens S7 PLCs (e.g., Siemens' Adonis kernel), so it can be used for vulnerability research across the full Siemens S7 product line. Our conclusion is that Siemens invested effort in protecting the secrecy of the S7 PLC codebase but failed to adapt its security mechanisms to the new standard environment.
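The triage step this abstract describes (reading the PLC storage offline and telling the encrypted SWCPU apart from the hypervisor binary and the GRUB configuration) is, in general, a sliding-window entropy scan followed by a sanity check that a candidate decryption actually produced plaintext. The block below is an added example, not code from the talk or from Siemens: the image it scans is constructed inline (a GRUB-style text region, a deterministic high-entropy block standing in for the encrypted SWCPU, and an ELF-like header region), and the window size, threshold and magic-number list are this example's own choices.

```python
"""Sliding-window entropy scan of a raw storage image plus a "did it decrypt?"
check. Added example; not the talk's tooling. IMAGE is constructed inline."""
import hashlib
import math
from collections import Counter

BLOCK = 1024          # window size (assumption; use larger windows on real dumps)
THRESHOLD = 7.4       # bits/byte; uniformly random data scores ~7.8 at 1024 B


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_regions(image: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Classify each window and merge neighbours of the same class.

    Returns a list of (start, end, max_entropy, label).
    """
    regions = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        e = shannon_entropy(chunk)
        label = "high-entropy (encrypted/compressed?)" if e >= threshold else "plaintext/structured"
        if regions and regions[-1][3] == label:
            start, _, prev_e, _ = regions[-1]
            regions[-1] = (start, off + len(chunk), max(prev_e, e), label)
        else:
            regions.append((off, off + len(chunk), e, label))
    return regions


def looks_like_plaintext(blob: bytes) -> bool:
    """Cheap check that a decryption attempt produced something structured:
    a known magic number, or low-entropy printable text."""
    magics = (b"\x7fELF", b"#!", b"\x1f\x8b", b"PK\x03\x04")   # ELF, script, gzip, zip
    if blob.startswith(magics):
        return True
    head = blob[:256]
    printable = all(32 <= b < 127 or b in b"\r\n\t" for b in head)
    return printable and shannon_entropy(blob[:4096]) < 6.0


def deterministic_noise(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Reproducible high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# --- constructed sample image: text config | "encrypted" blob | ELF-like header ---
CONFIG = (b"set default=0\nset timeout=5\nmenuentry 'SWCPU' {\n"
          b"  linux /boot/vmlinuz root=/dev/sda2 quiet\n"
          b"  initrd /boot/initrd.img\n}\n" * 40)[:2048]
NOISE = deterministic_noise(4096)
ELF_REGION = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00\x3e\x00" + b"\x00" * 1024)[:1024]
IMAGE = CONFIG + NOISE + ELF_REGION


def report(image: bytes = IMAGE) -> list:
    """Print a region map and return the raw regions for callers."""
    regions = scan_regions(image)
    for start, end, e, label in regions:
        print(f"0x{start:06x}-0x{end:06x}  {e:4.2f} bits/byte  {label}")
    return regions


if __name__ == "__main__":
    report()
    print("ELF region plaintext?", looks_like_plaintext(ELF_REGION))
    print("noise plaintext?", looks_like_plaintext(NOISE))
```

On a real dump, replace IMAGE with the bytes read from the PLC storage and raise BLOCK to a few kilobytes; the high-entropy regions are the candidates to hand to the recovered decryption routine, and looks_like_plaintext is the quick pass/fail on its output before a full unpack.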
Conference:  Black Hat USA 2021
2021-11-11

tldr - powered by Generative AI

The presentation discusses how exposed modern PLCs are and argues that their software and hardware must be redesigned to match the current threat landscape.
  • The approach of enumerating and manipulating function blocks on modern PLCs applies to any industrial environment and relies on stealthy techniques that are hard to detect.
  • The impact of the weakness is significant, yet the techniques used are simple and have been known for a long time.
  • There are currently no device-level mitigations for this class of attack; the only existing line of work is the Top 20 Secure PLC Coding Practices.
  • Mitigation opportunities exist on current PLCs, but they offer only partial protection and only under certain circumstances.
  • The presentation emphasizes the need for a vendor-centric redesign of PLC software and hardware to address the current threat landscape.
  • Asset owners are often blamed for incidents, but it is difficult to secure something when its attack surface is not clearly understood.
  • The presentation concludes that vendors need to take responsibility for vulnerabilities in their products.
Conference:  Defcon 29
2021-08-01

Diversified Industrial Control System (ICS) providers have created a variety of ecosystems that operate silently in the background of our lives. Among these organizations, Mitsubishi Electric ranks among the most prolific. Because its ecosystem is so widely used in key manufacturing, natural gas supply, oil, water, aviation, railways, chemicals, food and beverages, and construction, it is closely tied to people's lives, and its security is therefore extraordinarily important. This research examines the Mitsubishi ecosystem's communication protocol, using it as a lens to explore how it differs from other ecosystems. We show how we uncovered flaws in its identity authentication function, how those flaws can be used to take it over, and how such an attack can cause physical damage in different critical sectors. We explain how we accomplished this through reverse engineering and communication analysis. The flaw allows attackers to take over any asset within the entire series of Mitsubishi PLCs, giving them command of the ecosystem and full control of the relevant sensors. A further complication is that fixing the various communication protocols in ICS/SCADA is extremely difficult. We also share the problems we encountered during this research and provide the most workable detection and mitigation strategies for these protocols.
Conference:  Black Hat EU 2019
2019-12-04

tldr - powered by Generative AI

The presentation discusses reverse engineering Siemens PLC firmware and the discovery of legacy functionality that poses security risks. It also argues for removing such features and opening the systems up to researchers.
  • Siemens PLC firmware was reverse engineered, revealing legacy functionality that poses security risks
  • The discovered functionality includes many diagnostic features that could be abused by malicious actors
  • Removing such features would make it harder for intruders to access the system
  • Opening the systems up to researchers would allow introspection and a better understanding of their vulnerabilities
  • Siemens is aware of the discovered vulnerabilities and is working on a fix
Conference:  Black Hat USA 2019
2019-08-08

tldr - powered by Generative AI

The presentation discusses a rogue engineering station attack on S7-1500 PLCs that lets an attacker inject malicious code into the PLCs and gain control over them.
  • The attack setup consists of a legitimate TIA Portal V15 installation and an attack proxy, and proceeds in two phases: setup and attack.
  • During the setup phase, the attacker programs a malicious program (shown in blue in the talk) and records the resulting message flow into a pcap file.
  • During the attack phase, the attacker brings in a rogue engineering station that downloads an innocent program (shown in yellow); the malicious proxy intercepts that download.
  • The proxy substitutes the yellow object code with the blue malicious object code, applies the integrity protection (MAC) itself, and forwards the result to the PLC.
  • The PLC accepts the malicious code because the integrity protection covers only the object code and not the source code, so the innocent source and the malicious object code are never checked against each other.
  • The rogue engineering station attack is more practical than carrying the attack out with a large payload.
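The substitution these bullets describe (an innocent source delivered alongside a swapped object code that the proxy re-tags) and the cross-check an asset owner can run against it, as an added example. This is a toy model, not S7CommPlus and not the presenters' tooling: the message layout, the toy "compiler", the session key (modelled as derivable by anyone on the wire, so the proxy simply knows it) and the ToyPLC class are all assumptions of this example.

```python
"""Toy model of the rogue-engineering-station substitution and a golden-build
cross-check. Added example; none of this is S7CommPlus or vendor code."""
import hashlib
import hmac

# Assumption: the key material the PLC uses for integrity protection is
# derivable from the observable handshake, so a MitM proxy can compute it too.
SESSION_KEY = b"derivable-from-handshake"


def protect(object_code: bytes, key: bytes = SESSION_KEY) -> bytes:
    """Integrity tag as the toy PLC checks it: it covers the object code only."""
    return hmac.new(key, object_code, hashlib.sha256).digest()


def compile_toy(source: str) -> bytes:
    """Stand-in for the engineering-station compiler (deterministic, not MC7)."""
    return b"OBJ:" + hashlib.sha256(source.encode()).digest()[:12]


def build_download(source: str) -> dict:
    """What the engineering station sends: source + object + tag over the object."""
    obj = compile_toy(source)
    return {"source": source, "object": obj, "tag": protect(obj)}


def rogue_proxy(msg: dict, recorded_object: bytes) -> dict:
    """Attack phase: swap in the object code recorded during setup, re-tag it,
    and leave the innocent source untouched."""
    return {"source": msg["source"], "object": recorded_object, "tag": protect(recorded_object)}


class ToyPLC:
    """Verifies the tag against the object; stores the source for later upload
    without ever checking it against the object (the gap the attack exploits)."""

    def __init__(self):
        self.source = None
        self.object = None

    def download(self, msg: dict) -> bool:
        if not hmac.compare_digest(msg["tag"], protect(msg["object"])):
            return False            # a tamper without re-tagging is rejected
        self.source, self.object = msg["source"], msg["object"]
        return True

    def upload(self) -> str:
        """What an engineer reading the project back from the PLC would see."""
        return self.source


def object_mismatch(plc: ToyPLC, trusted_source: str) -> bool:
    """Asset-owner check: rebuild the trusted project offline and compare the
    object on the device against it. True means the PLC runs something else."""
    return plc.object != compile_toy(trusted_source)


INNOCENT = "IF Level > 80 THEN Pump := FALSE; END_IF;"   # constructed sample logic
MALICIOUS = "IF Level > 80 THEN Pump := TRUE; END_IF;"   # keeps the pump running


def run_scenario() -> dict:
    """Setup phase, then attack phase, then the detection check."""
    recorded = compile_toy(MALICIOUS)              # setup: attacker records malicious object
    legit = build_download(INNOCENT)               # attack: innocent download goes out
    plc = ToyPLC()
    accepted = plc.download(rogue_proxy(legit, recorded))
    return {
        "accepted": accepted,                      # PLC took the swapped program
        "upload_shows": plc.upload(),              # engineer sees the innocent source
        "mismatch_detected": object_mismatch(plc, INNOCENT),
    }


def naive_tamper_rejected() -> bool:
    """Contrast: swapping the object without recomputing the tag fails the check."""
    legit = build_download(INNOCENT)
    legit["object"] = compile_toy(MALICIOUS)       # tag is still over the innocent object
    return not ToyPLC().download(legit)


if __name__ == "__main__":
    print(run_scenario())
    print("naive tamper rejected:", naive_tamper_rejected())
```

The tag check passes because the proxy can compute the same tag the PLC expects, and the upload looks clean because the PLC reports the source it was handed rather than anything derived from the object it runs. The detection therefore trusts nothing the PLC says about its source: it rebuilds the object from the trusted project and compares that against what is actually on the device.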
Conference:  Defcon 26
2018-08-01

tldr - powered by Generative AI

The presentation discusses vulnerabilities in Programmable Logic Controllers (PLCs) used in critical infrastructure and demonstrates attacks against different brands of PLCs, including two vulnerabilities discovered by the presenter.
  • PLCs are used in industrial plants of all kinds, including critical infrastructure, yet little care was taken to build defenses against cyber threats
  • The presenter walks through the architecture of a PLC and how it can be attacked
  • Live attacks are demonstrated against three different brands of PLCs, including two vulnerabilities discovered by the presenter that affect the Rockwell MicroLogix 1400 series and the Schneider Modicon M221 controllers
  • The presenter cautions that a single malformed "packet of death" can crash a PLC and leave it unrecoverable
  • The presenter likewise cautions that downloading a corrupted application to a PLC can render it useless