There’s a party in your SCADA and you’re invited!
Image of a Siemens Simatic S7-300 PLC
Looking for vulnerabilities
- Remote Denial of Service (DoS) attack: this attack shuts the PLC down on the spot. By stopping a production line that is in operation, an attacker could cause an accident or even a breakdown in other areas of the line.
- Remote memory viewer: this attack uses a back door in the device to download the contents of the PLC's memory.
This is useful for learning which actions the compromised machine is configured to perform; we could modify those actions and load them back onto the PLC to de-program the line or to cause greater damage (a workplace accident, mechanical breakage on the line, changes to the chemical treatment of the material, a reduction in production speed, etc.).
- CPU start-up and stoppage: there is not much to say here; it stops and starts the line with a single remote command.
Exploitation of vulnerabilities
Thanks to the results obtained in the previous stages, the attacker now has everything they need to attack our device and interrupt the whole shift.
Shall we get to work?
Let's put ourselves in the attacker's shoes and simulate the exploitation of some of the vulnerabilities found:
Note: the simulations were carried out on a Siemens S7-300 PLC, on a local network in a controlled environment.
As the photo shows, the PLC is set to read-only and should only be editable after entering a password, but password protection has not been enabled, so we can gain access to it.
Remote attack from Denial of Service (DoS)
Although a published exploit exists for causing a denial of service, it cannot be used in this case, because it works over port 80 and that port is closed on this PLC.
For the same reason we cannot use the remote memory viewer exploit either, as it also needs port 80 to be open.
So, using the payload of the published exploit, I had to make my own to shut down the PLC.
CPU start-up and stoppage
As mentioned above, this attack lets an attacker start and stop the PLC remotely.
Shutting down the PLC
Screenshot: the attack launched from the attacker's machine
Screenshot: evidence of the stopped PLC
Turning the PLC back on
Screenshot: the attack launched from the attacker's machine
Screenshot: evidence of the started PLC
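The CPU stop/start commands shown above (and the start-up/stoppage item in the vulnerability list at the top) travel over S7comm on TCP port 102 without any authentication once password protection is off, so the practical defence is to recognise them on the wire and alert when they do not come from a known engineering workstation. The following Python is an added example, not code from the original article or from Sothis: it parses the TPKT/COTP/S7 job header, recognises PLC Stop (function 0x29) and PLC Control (function 0x28 with PI service P_PROGRAM, hot or cold start) requests, and returns alerts for any such request from a host outside an allow-list. The sample frames are constructed to follow the public S7comm layout (as documented by the Wireshark dissector and the Snap7 library), not captured from the PLC in the article; the IP addresses and the allow-list are hypothetical.

```python
"""Recognise S7comm CPU stop/start and download jobs on TCP/102 and flag
those sent by hosts that are not known engineering workstations."""
import struct
from typing import Iterable, Optional, Tuple

# S7comm job function codes (public layout used by the Wireshark dissector / Snap7)
S7_FUNCTIONS = {
    0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request Download", 0x1B: "Download Block", 0x1C: "Download Ended",
    0x1D: "Start Upload", 0x1E: "Upload", 0x1F: "End Upload",
    0x28: "PLC Control", 0x29: "PLC Stop", 0xF0: "Setup Communication",
}


def classify_s7(payload: bytes) -> Optional[dict]:
    """Return {function, name, pi_service, action} for an S7 Job request carried in
    one TCP payload, or None if it is not a well-formed TPKT/COTP/S7 Job frame."""
    if len(payload) < 7 or payload[0] != 0x03:           # TPKT version 3
        return None
    if struct.unpack(">H", payload[2:4])[0] != len(payload):
        return None                                       # TPKT length must match
    cotp_len = payload[4]
    if payload[5] != 0xF0:                                # only COTP Data TPDUs carry S7
        return None
    s7 = payload[5 + cotp_len:]
    if len(s7) < 10 or s7[0] != 0x32 or s7[1] != 0x01:   # protocol id 0x32, ROSCTR=Job
        return None
    param_len = struct.unpack(">H", s7[6:8])[0]
    params = s7[10:10 + param_len]
    if param_len == 0 or len(params) != param_len:
        return None
    function = params[0]
    pi_service, param_block = "", b""
    try:
        if function == 0x29:
            # PLC Stop: fn, 5 reserved bytes, PI service length, PI service name
            n = params[6]
            pi_service = params[7:7 + n].decode("ascii")
        elif function == 0x28:
            # PLC Control: fn, 7 reserved bytes, param-block length (2 bytes),
            # param block, PI service length, PI service name
            pb_len = struct.unpack(">H", params[8:10])[0]
            param_block = params[10:10 + pb_len]
            n = params[10 + pb_len]
            pi_service = params[11 + pb_len:11 + pb_len + n].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    if function == 0x29 and pi_service == "P_PROGRAM":
        action = "PLC_STOP"
    elif function == 0x28 and pi_service == "P_PROGRAM":
        # Snap7 sends a "C " parameter block for a cold start, empty for a hot start
        action = "PLC_COLD_START" if param_block == b"C " else "PLC_HOT_START"
    elif function == 0x1A:
        action = "PROGRAM_DOWNLOAD"
    else:
        action = "OTHER"
    return {"function": function, "name": S7_FUNCTIONS.get(function, "Unknown"),
            "pi_service": pi_service, "action": action}


def audit(frames: Iterable[Tuple[str, bytes]], engineering_hosts: set) -> list:
    """frames: (source IP, TCP/102 payload) pairs. Returns one alert string per
    stop/start/download job sent from a host outside the engineering allow-list."""
    alerts = []
    for src, payload in frames:
        ev = classify_s7(payload)
        if ev is None or ev["action"] == "OTHER":
            continue
        if src not in engineering_hosts:
            alerts.append(f"{src}: {ev['action']} ({ev['name']}) from unauthorised host")
    return alerts


# Constructed sample payloads laid out like the PDUs an engineering tool or Snap7
# sends; they were not captured from the PLC in the article.
S7_STOP = bytes.fromhex(
    "03000021 02f080 32010000 0e0000100000"
    "29 0000000000 09 505f50524f4752414d")                 # 0x29 ... "P_PROGRAM"
S7_HOT_START = bytes.fromhex(
    "03000025 02f080 32010000 0c0000140000"
    "28 000000000000fd 0000 09 505f50524f4752414d")         # empty param block
S7_COLD_START = bytes.fromhex(
    "03000027 02f080 32010000 0c0000160000"
    "28 000000000000fd 0002 4320 09 505f50524f4752414d")    # param block "C "
S7_READ_VAR = bytes.fromhex(
    "0300001f 02f080 32010000 050000 0e0000"
    "04 01 120a1002 0001 0001 84 000000")                   # read 1 byte from DB1

# Hypothetical hosts: 10.0.0.10 is the engineering workstation, 10.0.0.66 is not.
SAMPLE_FRAMES = [
    ("10.0.0.10", S7_READ_VAR),
    ("10.0.0.10", S7_HOT_START),
    ("10.0.0.66", S7_STOP),
    ("10.0.0.66", S7_COLD_START),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FRAMES, {"10.0.0.10"}):
        print(alert)
```

In a real deployment the frames would come from a port-102 span or a network sensor rather than a list; the classifier is deliberately strict (TPKT length, COTP Data, ROSCTR Job) so that malformed or truncated segments are ignored rather than mis-classified.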
What would this problem mean for an industrial company?
- Accidents in the workplace.
- Lost revenue due to the lack of machine availability.
- Stoppages in the other areas of the plant.
- Logistics halted because there is no material to load.
- Delays in orders due to a lack of stock.
- Damage to the company's reputation and public image.
- Extra costs from employee overtime to recover availability by running more production lines.
Is it the manufacturer's fault?
No, it isn't always the manufacturer's fault. In this example we used a Siemens device; Siemens is one of the biggest PLC brands on the market and one that takes security seriously, releasing updates when vulnerabilities are found, and its products are built to last, which means they stay in service for many years.
That is why we need to become more aware of protecting our SCADA systems, mainly by applying the corresponding updates, hardening the systems, segmenting the network, carrying out the appropriate audits and having a SOC service in place that monitors our network to detect and prevent intrusions and similar behaviour.
How has this happened?
Just as our computers and operating systems need updates to keep them stable and secure, our devices (PLCs, RTUs, HMIs, etc.) also need looking after.
We understand how difficult it is to keep operating systems and software up to date in industry; although the technology exists, applying an update is often out of our hands because of incompatibilities between operating systems and software, between software and PLCs, and so on.
On top of that, it would mean stopping the production lines, which would lead to stoppage costs, a lack of stock and even a temporary loss of quality.
Alternatively, there are technologies that can apply a virtual patch, protecting the operating systems or common software components against vulnerabilities that could otherwise be exploited and put the plant at risk.
At Sothis we analyse and study the needs of each client in order to offer a tailor-made service that allows them to modernise their SCADA system and make it secure, with the aim of avoiding cyber security incidents that could lead to interruptions in production, theft of industrial information or even safety problems at the plant that threaten its ability to keep operating safely.