Web-based PLC malware: A new potential threat to critical infrastructure

A group of researchers from Georgia Tech’s College of Engineering have developed web-based programmable logic controller (PLC) malware able to target most PLCs produced by major manufacturers.

“Our Web-Based (WB) PLC malware resides in PLC memory, but ultimately gets executed client-side by various browser-equipped devices throughout the ICS environment. From there, the malware uses ambient browser-based credentials to interact with the PLC’s legitimate web APIs to attack the underlying real-world machinery,” the researchers explained.

What are PLCs?

Programmable logic controllers (PLCs) are compoments of industrial control systems (ICS) that are used to control a physical system’s functions. They receive data from sensors, process it and – based on the data and their pre-programmed logic – deliver outputs to the actuators that control real-world processes.

PLCs have a firmware layer that, in recent years, has also begun to include an embedded webserver that serves to make configuration and control easier (via customizable web applications and web-based APIs). Unfortunately, it may also allow remote attackers in.

“While previous attacks on PLCs infect either the control logic or firmware portions of PLC computation, our proposed malware exclusively infects the web application hosted by the emerging embedded webservers within the PLCs,” the researchers noted.

The advantages of web-based PLC malware

PLCs having embedded webservers means that attackers don’t need network or physical access to deliver the malware – they can simply lure an ICS operator to view an attacker-controlled website that exploits a cross-origin resource sharing (CORS) misconfiguration vulnerability to transfer a web page with malicious JavaScript code to the webserver.

The lifecycle of WB PLC malware (Source: Georgia Institute of Technology)

“Additionally, the two access levels used by traditional PLC malware (network & physical) are also viable access levels for WB PLC malware,” the researchers noted.

“For example, a malicious [user-defined web page] can be downloaded via an ICS protocol or a malicious web-based GUI may be installed via an SD Card.”

Another advantage of WB PLC malware is that, since it runs only in the web browsers, it can work on many different PLCs without having to be specifically customized.

Testing possible attacks

To prove the feasibility of a malware attack via this vector, they have created their own WB malware (“IronSpider”) and tested how it can be used to compromise a popular PLC model in a real-world ICS testbed.

They found that they could exploit either legitimate channels to push front-end code to the PLC or exploit vulnerabilities in PLC admin portal web applications.

The malware would be downloaded without any user notification or firewall intervention, they said, and noted that it can even be “resurrected” over and over again to assure long-term persistence and continuous execution in the environment, or cleanse the PLC of all traces of the infection (and thus stymie forensic investigations).

The ultimate damage attackers can do depends on what physical processes the target PLC controls.