Researchers discover ICS attack method that spreads through networks

Industrial control systems: the new playgrounds for hackers?

A team of researchers has published a report describing a new attack method that threatens critical infrastructure and utility providers: a worm that spreads directly across a utility's control network, from controller to controller, without passing through any conventional computer.

The attack, discovered by Ralf Spenneberg, Maik Brüggeman, and Hendrik Schwartke at OpenSource Security, a German security consulting firm, relies on a worm that runs on a programmable logic controller (PLC). The researchers said that, unlike earlier PLC attacks, it does not need an infected laptop or desktop in order to spread.

The research team presented their discovery at Black Hat Asia.

“Our PLC worm will scan and compromise Siemens Simatic S7-1200 PLCs Version 1 through 3 without any external support. No PCs or additional hardware is required,” the researchers wrote. “The worm is fully self-contained and ‘lives’ only on the PLC.” The Siemens S7-1200v4 employs a new protocol and is not susceptible to the attack, the researchers said.

Previous PLC attacks, such as the Stuxnet worm, relied on infected Windows computers, typically the engineering workstations used to program the controllers, to reach and reprogram PLCs. A worm that never touches a PC leaves no footprint for endpoint security tools to find, which is what makes this method harder to detect or contain than earlier industrial control system (ICS) threats.

“Since this worm mimics the TIA-Portal and implements the proprietary Siemens protocol such solutions will miss it,” said Barak Perelman, CEO of Indegy, an ICS cyber-security firm, in an email to SCMagazine.com. “Monitoring the proprietary OT vendors' protocols like S7CommPlus is critical but difficult to do since these protocols are not well documented.”

The malware can be installed through either the Ethernet interface or the fieldbus interface, so even PLCs that are not connected to an Ethernet network can be infected. Once a device is infected, it goes on to infect every other device connected to the same fieldbus.
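The practical consequence of the two preceding paragraphs is that payload inspection is a poor place to look for this worm: it speaks the vendor's own protocol and impersonates the TIA Portal, so its traffic looks like routine engineering work. What does not look routine is the traffic pattern. In a healthy plant only the engineering station opens S7 sessions to controllers, so a PLC that starts opening TCP/102 sessions (the ISO-TSAP port that both S7comm and S7CommPlus use) to its neighbours is anomalous on its own. The following is an added example, written for this article rather than taken from the researchers or from Indegy, that flags exactly that behaviour in flow records. The engineering-station address, the PLC subnet and the flow lines are constructed placeholders, not data from the report.

```python
"""Flag S7 (TCP/102) sessions that do not originate from an engineering station.

Flow records cannot tell a worm's S7CommPlus apart from legitimate TIA Portal
traffic, since the worm deliberately mimics it. This check therefore looks at
who is talking to whom: a PLC opening S7 sessions to other PLCs, and any
non-engineering host sweeping several controllers on port 102.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

S7_PORT = 102  # ISO-TSAP; carries both S7comm and S7CommPlus

# Hypothetical site inventory (assumed values, not from the article).
ENGINEERING_STATIONS = {"10.0.0.10"}
PLC_SUBNET = ip_network("10.0.1.0/24")


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src> -> <dst>:<dport> <proto>'."""
    ts, src, _arrow, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Flow(ts, src, dst, int(port), proto)


def find_s7_anomalies(lines, scan_threshold=3):
    """Return {'plc_to_plc': [(src, dst), ...], 'scanners': {src: n_targets}}."""
    pairs = []                  # distinct PLC -> PLC S7 sessions, in first-seen order
    targets = defaultdict(set)  # every S7 source and the set of hosts it reached
    for line in lines:
        f = parse_flow(line)
        if f.proto != "TCP" or f.dport != S7_PORT:
            continue
        targets[f.src].add(f.dst)
        if f.src in ENGINEERING_STATIONS:
            continue  # TIA Portal programming a controller is expected traffic
        if ip_address(f.src) in PLC_SUBNET and ip_address(f.dst) in PLC_SUBNET:
            pair = (f.src, f.dst)
            if pair not in pairs:
                pairs.append(pair)
    # A single non-engineering host reaching several controllers on 102 is the
    # scanning phase the researchers describe, whatever protocol it speaks.
    scanners = {src: len(dsts) for src, dsts in targets.items()
                if src not in ENGINEERING_STATIONS and len(dsts) >= scan_threshold}
    return {"plc_to_plc": pairs, "scanners": scanners}


# Constructed sample, not captured traffic: one legitimate TIA Portal session,
# then PLC .20 sweeping its neighbours on port 102 as a self-spreading worm would,
# plus an unrelated HTTP flow that must be ignored.
SAMPLE_FLOWS = [
    "2016-03-31T10:00:01 10.0.0.10 -> 10.0.1.20:102 TCP",
    "2016-03-31T10:00:05 10.0.0.10 -> 10.0.1.20:102 TCP",
    "2016-03-31T10:02:10 10.0.1.20 -> 10.0.1.21:102 TCP",
    "2016-03-31T10:02:11 10.0.1.20 -> 10.0.1.22:102 TCP",
    "2016-03-31T10:02:12 10.0.1.20 -> 10.0.1.23:102 TCP",
    "2016-03-31T10:02:13 10.0.1.20 -> 10.0.1.21:102 TCP",
    "2016-03-31T10:02:20 10.0.1.21 -> 10.0.1.50:80 TCP",
]

if __name__ == "__main__":
    for kind, hits in find_s7_anomalies(SAMPLE_FLOWS).items():
        print(kind, hits)
```

The allowlist is the whole point of the check: the worm cannot be distinguished by what it says, only by where it says it from, so the list of hosts permitted to originate S7 sessions has to be maintained as carefully as the controllers themselves. A PLC on the fieldbus side of an infected controller will not show up in Ethernet flow records at all, which is the caveat the last paragraph carries; this check covers only the Ethernet leg of the spread.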