Black Hat USA researchers have demonstrated PLC Blaster, a worm that can infect programmable logic controllers (PLCs) and spread to other connected systems. These controllers automate industrial equipment, so an attack on them can cause massive financial and production damage. The most devastating attack of this type so far was the Stuxnet virus, which sabotaged the uranium-enriching centrifuges of the Natanz nuclear power plant in Iran.
Scope of the Vulnerability
The PLC Blaster worm infects the logic controllers themselves and is able to spread to other systems and networks without using personal computers or any external carrier. This makes it much harder to detect than conventional malware, since anti-virus tools run on workstations and are not effective against code that lives on the controller. The famous Stuxnet attack was carried out by infecting computers first; the malware then made its way to the PLC boards. PLC Blaster is different, and far more efficient at spreading, because it does not need computer software as a carrier.
The infection can spread easily across critical systems because the affected PLC models allow the user programs to be changed without strict authentication. If an attacker manages to load the PLC Blaster code onto one controller, the attack can easily take over all major functions. The worm could modify critical applications and system processes, or shut down the production units entirely.
The Damaging Effects and Mechanism of Action
The security researchers used a Siemens S7-1200 PLC for the demonstration. The unit was connected to a small industrial equipment setup. The researchers showed how an attacker could introduce malicious code that triggers remote command execution on the PLC. That code then allows the worm to spread further and infect other systems on the same network.
The worm's behavior was analyzed in detail. PLC Blaster first scans for the presence of specific target systems (Siemens S7-1200 units). It uses specific TCP ports and packets to detect the exact logic controller type. PLC Blaster then replicates itself onto the target machine, disguising itself as a legitimate process. The worm communicates over TCP/IP with a remote control server, giving the operator a backdoor for executing various commands.
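As an added example that is not part of the original article or of the researchers' work, the following Python flags two of the network behaviors described above in constructed flow records: a host fanning out to many peers on the S7 protocol port (the scan for S7-1200 units) and a PLC-cell host contacting an outside server on another port (the remote control channel). Port 102/TCP (ISO-TSAP, over which Siemens S7 communication runs), the threshold and the addresses are assumptions; the article names none of them.

```python
from collections import defaultdict

S7_PORT = 102           # ISO-TSAP, carries Siemens S7 traffic (assumed; the article names no port)
FAN_OUT_THRESHOLD = 3   # distinct S7 peers before a source is flagged; tune per plant
PLC_SUBNET = "10.10.1." # constructed: address prefix of the PLC cell

# Constructed flow log, one "src dst dport" record per line.
SAMPLE_FLOWS = """\
10.10.1.20 10.10.1.21 102
10.10.1.20 10.10.1.22 102
10.10.1.20 10.10.1.23 102
10.10.1.20 10.10.1.24 102
10.10.1.30 10.10.1.20 102
10.10.1.22 203.0.113.9 4444
10.10.1.30 10.10.1.31 80
"""

def parse_flows(text):
    """Parse flow records into (src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, dport = line.split()
            flows.append((src, dst, int(dport)))
    return flows

def find_s7_fan_out(flows, threshold=FAN_OUT_THRESHOLD):
    """Sources that contact at least threshold distinct hosts on the S7 port.
    An engineering station talks to a few PLCs; a PLC talking S7 to many
    peers matches the scan-and-replicate step described in the article."""
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if dport == S7_PORT:
            peers[src].add(dst)
    return sorted(src for src, dsts in peers.items() if len(dsts) >= threshold)

def find_plc_egress(flows, plc_subnet=PLC_SUBNET):
    """PLC-cell hosts opening non-S7 connections to hosts outside the cell,
    the pattern a worm contacting a remote control server would leave."""
    return sorted((src, dst, dport) for src, dst, dport in flows
                  if src.startswith(plc_subnet) and not dst.startswith(plc_subnet)
                  and dport != S7_PORT)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("S7 fan-out sources:", find_s7_fan_out(flows))
    print("PLC egress flows:", find_plc_egress(flows))
```

On real flow or firewall logs, replace SAMPLE_FLOWS with the exported records and keep the engineering stations in an allow-list so their legitimate S7 sessions are not counted.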
According to the researchers, the hardest part of the attack was documenting the commands the worm relies on. PLC Blaster uses complex patterns to execute itself and infect other systems, and the researchers had to develop their own methods to gain information about the worm's tactics.
The Siemens PLC used for the demonstration has anti-tamper mechanisms, which the worm nevertheless compromised. The vendor offers technologies meant to prevent unauthorized modification of the system code: the units provide password protection, and the AES cipher is used to protect the source code.
The security researchers note that the Siemens model is not the only logic controller type vulnerable to the worm. Tests on other equipment have not yet been carried out, but they are expected to produce similar results.