Detecting PLC malware in industrial control systems

How can attackers load programmable logic controllers (PLC) with destructive malware, and how can the operators of industrial control systems (ICS) detect it?

According to a group of researchers from the International Institute of Information Technology, Hyderabad, and Singapore University of Technology and Design, the trick is not to attempt to change the PLC’s firmware, but to deploy ladder logic bombs (i.e. malware written in ladder logic).

PLC malware in industrial control systems

The PLC malware

“ICS and Supervisory Control and Data Acquisition (SCADA) systems rely on local programmable logic controllers (PLCs) to interface with sensors and actuators. While PLC devices are available from a range of manufacturers, they are all commonly programmed with the same set of programming languages based on IEC 61131-3. In particular, the IEC 61131-3 standard contains ladder logic, functional block diagram, and sequential text as different languages that are used together to define logic to run on the PLCs. The logic is then interpreted by the firmware running on the PLCs,” they explained for the uninitiated.

They tried to replace a PLC’s firmware with a malicious version and still keep it working, but discovered that it will accept only legitimate, signed firmware, and faking that signature (i.e. spoofing the certificate used to signed the firmware) will get you nowhere.

On the other hand, there is a distinct lack of security checks/authentication before new logic is downloaded onto PLCs, and the actual logic that is executed on the PLCs is not protected by signatures. This vulnerability can be exploited by attackers who gain local physical access to the PLCs, or remote access over the network.

“PLC programs are typically written in a special application on a local host (per- sonal computer), and then downloaded by either a direct-connection cable or over a network to the PLC. The program is stored in the PLC in a non-volatile flash memory,” they pointed out.

“While details differ for platforms from alternative vendors, it might be required to enable remote change of control software on the PLC through a physical switch (i.e., program mode on ControlLogix devices). We observe that due to convenience, in practical systems PLCs are often kept in that setting to allow easy remote access.”

These ladder logic bombs (LLBs) can be used to change the PLC’s behavior immediately, or can be made to wait for specific trigger signals to begin their work.

Detection and prevention

Detecting LLBs is not a trivial task for human operators manually validating the code of the program running in PLCs.

The group asked six teams from academia and industry to connect to a virtual operator machine and physical PLCs in the SWaT industrial control system testbed located at the Singapore University of Technology and Design, and to detect three different ladder logic bombs the researchers deployed.

Only one of the teams found all three, and another found just one of the bombs. One of the teams succeeded through an unrelated side-channel, but the rest came up empty-handed.

“In order to detect LLBs, an operator must have sound knowledge of [specific software used to program the controllers] and programming languages like ladderlogic, Structure text, and functional block diagram along with its syntactical and semantic meaning. In practice, that can be challenging if an operator has to inspect code with ill-specified functionality or written by a subcontractor,” they noted.

Countermeasures for LLB attacks that don’t require changes to existing PLCs may include setting intrusion detection systems to spot traffic related to logic updates on PLCs, and flag it as suspicious if it doesn’t come from the IP address of the authorized person (the PLC programmer). Or, better yet, a centralized logic store (CLS) of the latest version of logic running on all PLCs of the ICS, and a tool to periodically download currently running logic from the PLCs, and to validate that against the “golden” copy from the CLS.

Lior Frenkel, CEO and co-founder of Waterfall Security Solutions, says a unidirectional security gateway protecting an industrial control network can prevent remote attackers from mounting this type of attack.

“Perhaps [the attackers] can get in by other ways, ways that require physical access, but they will prefer instead just to move on and find another target whose network is accessible, and remotely attack it,” he noted.

Don't miss