Internet-facing PLCs as a network backdoor

Klick, Johannes; Lau, Stephan; Marzin, Daniel; Malchow, Jan-Ole; Röth, Volker

doi:10.1109/cns.2015.7346865

Cited by 52 publications

(40 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…More recently, at BlackHat USA 2015 Klick et al [20] demonstrated injection of malware into a SIMATIC S7-300 PLC without service disruption. In a follow on work, [32] demonstrated the feasibility of a PLC worm.…”

Section: A Backgroundmentioning

confidence: 99%

Temporal Phase Shifts in SCADA Networks

Markman

Wool

Cárdenas

2018

Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy

View full text Add to dashboard Cite

In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is highly periodic. Previous work showed that in many cases, it is possible to create an automatabased model of the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server, and to use the model to detect anomalies in the traffic. When testing the validity of previous models, we noticed that overall, the models have difficulty in dealing with communication patterns that change over time. In this paper we show that in many cases the traffic exhibits phases in time, where each phase has a unique pattern, and the transition between the different phases is rather sharp. We suggest a method to automatically detect traffic phase shifts, and a new anomaly detection model that incorporates multiple phases of the traffic. Furthermore we present a new sampling mechanism for training set assembly, which enables the model to learn all phases during the training stage with lower complexity. The model presented has similar accuracy and much less permissiveness compared to the previous general DFA model. Moreover, the model can provide the operator with information about the state of the controlled process at any given time, as seen in the traffic phases.

show abstract

Section: A Backgroundmentioning

confidence: 99%

Temporal Phase Shifts in SCADA Networks

Markman

Wool

Cárdenas

2018

Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy

View full text Add to dashboard Cite

show abstract

“…This is because the graph comparison algorithm performs literal comparison on the two graphs' respective fields; therefore, it is not possible for the algorithm to return false discrepancies. In [12], researchers developed an attack that takes an execution time around 1.35 ms on a PLC with scan cycle of 150 ms. They argued that their injection is undetectable since it has small execution time compared to the scan cycle.…”

Section: Comparison With the State-of-the-art Methodologiesmentioning

confidence: 99%

“…This processes are not affected by the inserted code execution time and size. Therefore, [12]'s attack will be detected as long as it can be observed on the graph. In [23], researchers utilized formal verification and model checking techniques in order to detect intrusions in PLC codes that will violate safety requirements.…”

Section: Comparison With the State-of-the-art Methodologiesmentioning

confidence: 99%

“…Once a single PLC is compromised, it is also possible to get access to the rest of the network. In [12], Berlin Secure Identity Research Group team from Freie Universität has demonstrated the possibility of compromising a PLC device as a gateway to reach the rest of the devices in the network. They implemented an automated code injection scheme where they first do SNMP (Simple Network Management Protocol) scanning to learn about the system (IP address and subnet learning to know the possible address and range of devices available in the network) and then they injected a light proxy socket code (undetectable due to its insignificant execution time) on compromised PLC to make it act as a gateway and allow access to other devices.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Intrusion Detection in PLC-Based Industrial Control Systems Using Formal Verification Approach in Conjunction with Graphs

Hailesellasie

Hasan

2017

J Hardw Syst Secur

View full text Add to dashboard Cite

Vulnerability in industrial control systems (ICS) has increased radically in the past few decades. This can be accounted to reasons including accessibility of ICS through Internet, development of sophisticated attack methods, and advancement in Internet of Things (IoT). The damage that can be caused by attackers on insecure ICS could cost hundreds of human lives and a huge state economy. Therefore, having such systems every where around us makes the concern for security nothing but a priority. Programmable logic controllers (PLCs) are the central devices of ICS and also a target to attacks which aim at gaining access and privilege to the control logic of the controller. A successful alteration or intrusion of the control logic by attackers can have a catastrophic effect on the plant. In this paper, control logic intrusion detection methodology for PLC-based control systems is proposed. The methodology implements the detection process by comparing a potentially intruded PLC program with a trusted version of the program. In order to achieve this goal, a scheme is proposed that operates in sequence of stages by first translating the PLC program to formal models (based on previous research work), then translating the formal models to graphs followed by performing a comparison between a trusted system model graph and a potentially intruded system graph. In the last stage of the methodology, graph discrepancy analysis is made in order to identify any intrusions. For demonstration purposes, a water level control system is presented as a case study, which is modeled using UPPAAL toolbox. We have verified our methodology by developing an in-house software. Our test results prove the concept that intrusions can be shown as discrepancies in the graphs generated from the UPPAAL-based formal modeling, which can be detected utilizing the proposed graph comparison approach. The premise of our study is that logic intrusions in PLC based ICS can be identified by the changes in the PLC code, and the methodology we proposed can successfully detect those changes by observing the code's graph model.

show abstract

“…An SNMP scanner and a SOCKS proxy (Klick et al, 2015) on a Siemens S7-300 PLC was proven possible by inserting code in the beginning of a scan cycle of the PLCs, just like Stuxnet. This vulnerability introduces a network backdoor on which attackers could send packets into the network through an outward facing PLC.…”

Section: Related Workmentioning

confidence: 99%

Investigating Current PLC Security Issues Regarding Siemens S7 Communications and TIA Portal

McLaughlin

2018

Electronic Workshops in Computing

View full text Add to dashboard Cite

Programmable Logic Controllers (PLCs) are the essential components in many Industrial Control Systems that control physical processes. However, in recent years the security flaws of these devices have come under scrutiny, particularly since the widely discussed Stuxnet attack. To help the industry state-of-the-art to move forward and to provide information required to improve the security for these controllers, this work investigates potential exploits of the Siemens S7-1211C controllers and the Totally Integrated Automation (TIA) engineering software. Using Windbg and Scapy, the anti-replay mechanism of the Siemens proprietary communication protocol, S7CommPlus, and the Profinet Discovery and Basic Configuration Protocol are found to be vulnerable. Attacks like session stealing, phantom PLC, cross connecting controllers and denial of S7 connections are demonstrated. The lack of authentication and consequent exploitation of the S7-ACK packet, an application layer packet for the S7CommPlus protocol, is highlighted as a key issue in this investigation.

show abstract

Internet-facing PLCs as a network backdoor

Cited by 52 publications

References 1 publication

Temporal Phase Shifts in SCADA Networks

Temporal Phase Shifts in SCADA Networks

Intrusion Detection in PLC-Based Industrial Control Systems Using Formal Verification Approach in Conjunction with Graphs

Investigating Current PLC Security Issues Regarding Siemens S7 Communications and TIA Portal

Contact Info

Product

Resources

About