In the world of industrial automation, Programmable Logic Controllers (PLCs) are the unsung heroes. They control and automate various physical processes, making our lives easier and industries more efficient. However, as with any technology, PLCs are not immune to cybersecurity threats. This article delves into the intricacies of PLC cybersecurity, highlighting the vulnerabilities, potential threats, and the opportunities for enhancing their security.
Unveiling the Vulnerabilities
The Achilles Heel of PLCs
PLCs, essentially embedded computers, control machinery, physical processes, or production lines. Engineers monitor and program PLCs from computers connected to them using specialized engineering software. This software not only sends data to PLCs but also reads a lot of data back and parses it. This data parsing has been the source of many memory vulnerabilities. The proprietary software was not designed under the premise that the PLCs they connect to and their stored data can be fully trusted, so they lack many of the security checks for data parsing that a modern desktop application would have.
The Two-Way Street of Compromise
Most attack scenarios against industrial installations focus on compromising PLCs to tamper with the physical processes they control and automate. One way to get malicious code running on PLCs is to first compromise a workstation that engineers use to manage and deploy programs on them. However, this can be a two-way street: A hijacked PLC can also be used to compromise engineering workstations, opening the door to powerful lateral movement attacks.
The Threat of Lateral Movement
The most obvious goal of such an attack is lateral movement inside an organization’s OT (operational technology) network to achieve persistence. Attackers could compromise one engineering workstation that has not been isolated from the organization’s general IT network or could even use an insider to plant malware on it. Once deployed on a machine inside, the worm found its way to the PLCs controlling the physical processes using a chain of zero-day exploits and sophisticated techniques.
The Threat Landscape
The Internet-Facing PLCs
PLCs can also be compromised remotely because many of them are connected to the internet through various remote management interfaces. According to scans on Shodan, there are tens of thousands of SCADA and PLC devices connected to the internet. This suggests that attackers could use the internet-facing PLCs as a pivot point to infiltrate the entire OT network.
The Cross-Organizational Threat
The lateral movement through an Evil PLC attack can even happen across organizations because many companies rely on third-party system integrators or contractors to manage their PLCs, especially those deployed in remote locations. If attackers compromise such a PLC in a less secure location and know that it’s being serviced by a systems integrator or contractor, they could trigger a fault in the PLC to lure the traveling engineer to it and then compromise their computer.
The Honeypot Scenario
On the other hand, the same attack vector could be turned against would-be attackers in a honeypot-like scenario where researchers or organizations could intentionally leave a weaponized PLC exposed to the internet and see if attackers target it. Since attackers have to use the same engineering software to interact with the PLC, their own machines could be exposed.
Opportunities for Enhancing Security
Mitigating Evil PLC Attacks
All the vulnerabilities found have been reported to the impacted manufacturers, who released patches or mitigation instructions. However, deploying patches inside OT networks can be a slow process. The researchers recommend that organizations deploy client authentication mechanisms where available, so that the PLC verifies the identity of every engineering workstation connecting to it and can accept connections from only specific systems.
The Importance of Network Segmentation and Hygiene
Network segmentation and hygiene where different segments of the network that don’t need to talk to each other are isolated is also very important. Enabling traffic encryption and public-key authentication between PLCs and engineering workstations, where available, is also a good practice as well as general network traffic monitoring for suspicious connections.
The Future of PLC Cybersecurity
The future of PLC cybersecurity lies in the development of more robust security measures and the implementation of comprehensive cybersecurity strategies. This includes the development of secure communication protocols, the use of encryption and authentication mechanisms, and the implementation of network segmentation and hygiene practices.
PLC cybersecurity is a complex and evolving field. As technology advances, so do the threats that seek to exploit it. However, by understanding the vulnerabilities of PLCs and the potential threats they face, we can begin to develop strategies and solutions to enhance their security. The future of PLC cybersecurity lies not just in the hands of manufacturers and engineers, but also in the hands of every individual who uses and benefits from these systems.