Showing posts with label Stuxnet.

PLCs Exploited by "Evil PLC Attack" to Breach Networks

PLCs can be weaponized in a novel attack that takes advantage of engineering workstations and then infiltrates OT and enterprise networks.

The "Evil PLC Attack" was developed by Claroty's Team82 research group. It targets the engineers who work on industrial networks and who configure and troubleshoot PLCs. Engineering workstation software from Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson is affected by the problem.

The researchers say their work produced working proof-of-concept exploits against seven of the industry's top automation vendors: Rockwell Automation, Schneider Electric, GE, B&R, XINJE, OVARRO, and Emerson.

Programmable logic controllers are the industrial devices that regulate production processes in critical infrastructure sectors. Besides orchestrating automation tasks, PLCs are configured to start and stop processes and to raise alarms.

It is therefore not surprising that PLCs have been the target of sophisticated attacks for more than a decade, starting with Stuxnet and continuing with PIPEDREAM (aka INCONTROLLER), with the intention of causing physical disruption.

The attack method
  • An opportunistic adversary deliberately causes a fault on an internet-exposed PLC; an unsuspecting engineer then connects to the compromised PLC with the engineering workstation software to diagnose it.
  • When the engineer performs an upload operation to retrieve a working copy of the existing PLC logic, the attacker takes advantage of previously unknown weaknesses in the engineering platform to execute malicious code on the workstation.
  • According to the researchers, "the PLC saves other forms of data that are used by the engineering software and not the PLC itself." This unused data stored on the PLC can be altered to manipulate the engineering software when it parses the upload.
In other words, the approach allows code execution upon an engineering connection/upload operation by weaponizing the PLC with data that isn't necessarily part of an offline project file.

In line with the company's coordinated disclosure policy, Team82 confirmed that all of the findings were reported to the seven affected vendors.

The company says most of the vendors have since released mitigations, patches, or fixes for the Evil PLC Attack.

Analysis of Industrial Control System Security

We are presently experiencing IT/OT convergence, which presents new hurdles for both IT and OT departments to overcome. Site engineers have traditionally overseen operational technology with an emphasis on reliability and stability. However, as OT systems become more integrated, these two worlds must start functioning as a single entity. The industrial cyber-risk landscape changed in 2010, when Stuxnet targeted critical supervisory control and data acquisition (SCADA) systems and immediately drew global attention.

OT lets people operate and manage an industrial facility through computer systems; it consists of programmable logic controllers (PLCs), intelligent electronic devices (IEDs), human-machine interfaces (HMIs), and remote terminal units (RTUs). These systems are linked to sensors and actuators on the site, which could be a factory or a power plant.

Industrial control systems (ICSs) is the common name for this set of process control equipment. These technologies not only present information on screen but also let whoever is at the screen act on what they see. Operational technologies have always been designed with safety and availability in mind, but with relatively little care for cyber security. This is a significant contrast between OT and IT.

Stuxnet: What is it? 

Reportedly, Stuxnet caused numerous centrifuges at Iran's Natanz uranium enrichment facility to burn out. Other groups later modified the malware to specifically target infrastructure such as gas pipelines, power stations, and water treatment facilities. The US and Israel are believed to have collaborated to create the malware.

Industrial facilities are often "air-gapped," meaning there is no connection between the network inside the facility and networks outside. This is one of the obstacles to reaching these controllers. Some of the world's wealthier nations have nevertheless found ways around this countermeasure.

Iran benefited from the attack

"The attack by Stuxnet opened the world's eyes to the idea that you can now design cyber weapons that can harm real-life targets," said Mohammad Al Kayed, director of cyber defense at Black Mountain Cybersecurity. You could gain access to a nation's whole infrastructure and, for instance, turn off the electricity. In just this manner, Russia has twice attacked Ukraine.

Iran learned from the attack that the right toolkit can be used to target ICS. It also noted the power of such attacks. Between 2012 and 2018, experts observed a rise in cyberattacks against Saudi Arabian industrial facilities as well as those of other nations in the region.

"A virus program called Shamoon was one example. Three distinct waves of the virus have struck Saudi Arabian industrial facilities. The original version affected a few other businesses and Saudi Aramco. In a few years, two new variants were released. All of them exploited Saudi Arabian petrochemical firms and the oil and gas sector," stated Al Kayed. Saudi Arabia was a target since it has numerous manufacturing plants and sizable oil production operations. It is Iran's rival in the area and a political superpower.

Connecting OT and IT invites vulnerability

When ICS is connected to an IT network, attacks on those systems are even easier. By compromising the IT network first, malicious actors can remotely attack OT assets. All it takes is a phishing email sent to an engineer or employee who isn't paying attention.

Al Kayed continues, "Anybody can jump into engineering workstations and other computer systems inside an industrial site, now that they understand how one can remotely put the malware on such industrial control systems. Although they don't at first need to compromise engineering workstations at the facility, there is a way to do so because it is connected to the corporate network, which is in turn connected to the internet. You can move between devices until you arrive at the desired engineering workstation in the petrochemical complex or the power plant."

Saudi government takes measures 

A targeted nation can acquire the necessary skills, possibly repurpose the weapon used against it, and then go after another target. Saudi Arabia, which has numerous manufacturing plants, is the country in the region facing the greatest threat. It therefore makes sense that the Iranians used what they had learned to strike their strongest rival in the region.

However, the Saudi government is acting to stop similar attacks from occurring again. The National Cyber Security Authority (NCA) created a set of mandatory cyber security controls, known as the Essential Cybersecurity Controls (ECC), to stop the type of attack described above. Saudi Arabia is currently one of the few nations in the region with a security program that extends beyond IT systems and also accounts for the risks to OT infrastructure.

Guidelines for ICS security 

The protection of industrial control systems is currently a global priority. A thorough set of recommendations for defending industrial technology against cyber security risks was released in 2015 by the US National Institute of Standards and Technology (NIST). Four important lessons can be learned from the attack on Iran and the ensuing attacks on Saudi Arabia:

  • The first step is to separate OT from IT networks.
  • Use an industrial intrusion detection and prevention system and anti-malware software.
  • The main targets of attacks on OT networks are HMIs and PLCs. Use specialized technologies, such as data diodes, which enforce physically the one-way traffic restriction that a network firewall enforces only logically.
  • Monitoring is a crucial step: "security monitoring" is routine practice in IT, but few OT facilities do it today.
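The Evil PLC chain described earlier (a fault on an exposed PLC, an engineer connecting to diagnose it, a project upload that the engineering software then parses) and the segmentation and monitoring advice in the list above both translate into conditions a defender can watch for on the wire. The following Python monitor is an added example, not code from the original post or from Team82; it runs over a small constructed OT event log, and the zone addresses, the approved-workstation list, the log format, the event names and the 30-minute window are all assumptions.

```python
"""OT event monitor (added example; log format and addresses are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed zone layout for this example.
OT_NETWORKS = [ip_network("10.10.0.0/16")]     # the OT zone
PLC_HOSTS = {"10.10.7.1", "10.10.7.2"}          # controllers being watched
APPROVED_EWS = {"10.10.5.20"}                   # engineering workstations allowed to upload
FAULT_WINDOW = timedelta(minutes=30)            # "upload soon after fault" horizon

# Constructed log: timestamp, peer IP ("-" for PLC-generated status), PLC IP, event.
# Event kinds: write (config/command from a peer), fault (PLC reported a fault),
# poll (routine HMI traffic), upload (engineering software pulled the project).
SAMPLE_LOG = """\
2024-05-01T07:58:40 203.0.113.9 10.10.7.1 write
2024-05-01T08:00:01 - 10.10.7.1 fault
2024-05-01T08:00:05 10.10.5.20 10.10.7.1 poll
2024-05-01T08:04:30 10.10.5.20 10.10.7.1 upload
2024-05-01T09:12:00 192.168.1.40 10.10.7.2 upload
2024-05-01T10:00:00 10.10.5.20 10.10.7.2 upload
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    plc: str
    kind: str


@dataclass(frozen=True)
class Alert:
    rule: str
    event: Event


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, plc, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, plc, kind))
    return events


def in_ot_zone(addr: str) -> bool:
    """True when the address belongs to one of the assumed OT networks."""
    ip = ip_address(addr)
    return any(ip in net for net in OT_NETWORKS)


def detect(events: list[Event]) -> list[Alert]:
    """Apply three rules in timestamp order and return every alert raised.

    1. A peer outside the OT zone reached a PLC (segmentation failure; an
       internet-exposed PLC is the precondition of the chain above).
    2. A project upload came from a host that is not an approved workstation.
    3. An upload happened within FAULT_WINDOW of a fault on the same PLC, i.e.
       the fault-then-diagnose sequence the chain relies on: treat the uploaded
       project data as untrusted until reviewed.
    """
    alerts = []
    last_fault: dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.plc not in PLC_HOSTS:
            continue
        if ev.src != "-" and not in_ot_zone(ev.src):
            alerts.append(Alert("plc-reachable-from-outside-ot", ev))
        if ev.kind == "fault":
            last_fault[ev.plc] = ev.ts
        elif ev.kind == "upload":
            fault_ts = last_fault.get(ev.plc)
            if fault_ts is not None and ev.ts - fault_ts <= FAULT_WINDOW:
                alerts.append(Alert("upload-shortly-after-fault", ev))
            if ev.src not in APPROVED_EWS:
                alerts.append(Alert("upload-from-unapproved-host", ev))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per rule, which is what a dashboard would show first."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        e = alert.event
        print(f"{e.ts.isoformat()} {alert.rule}: {e.src} -> {e.plc} ({e.kind})")
```

None of the rules needs to know which vendor weakness an attacker would use; they key on the sequence the chain requires and on traffic that should never cross the OT boundary. In practice the approved-workstation list and the fault signal would come from the asset inventory and the PLC's own diagnostics rather than from constants.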

Notorious Stuxnet malware infected Russian nuclear plant, claims Eugene Kaspersky

The notorious Stuxnet malware, widely believed to have been developed by the US and Israel to target Iran's nuclear plants, managed to "badly" infect the internal network of a Russian nuclear power plant.

Eugene Kaspersky, founder of the Russian antivirus company Kaspersky, said a friend of his working at an unnamed nuclear plant told him that the plant's network, although disconnected from the internet, was badly infected by Stuxnet.

"So unfortunately these people who were responsible for offensive technologies, they recognise cyber weapons as an opportunity," SC Magazine quoted Kaspersky as saying.

"All the data is stolen," Kaspersky said. "At least twice."

This is the first time Stuxnet is known to have infected a major nuclear plant outside its intended target in Iran.

Stuxnet worm created by NSA and Israel, says Edward Snowden

While it has been widely speculated that the notorious computer worm Stuxnet was the result of a partnership between the US and Israel, NSA whistleblower Edward Snowden has now confirmed it.

Stuxnet was a highly complex piece of malware discovered in 2010, used as a cyber weapon against Iran's nuclear program.

Snowden answered a few interesting questions in an interview with Germany's Der Spiegel magazine.

When the interviewer asked about NSA involvement in Stuxnet, Snowden confirmed it, saying "NSA and Israel co-wrote it".

When asked about the German authorities' involvement in the NSA surveillance system, Snowden confirmed it, saying "Yes, of course. We're in bed together with the Germans the same as with most other Western countries."