Daisy-chained research spells malware worm hell for power plants and other utilities

World’s first PLC worm spreads like cancer

BlackHat Asia A world-first proof-of-concept worm - if unleashed - could spell disaster for the world’s critical infrastructure, including power utilities by making attacks exponentially more difficult to detect and stop.

It is a stand-alone attack but The Register has confirmed a realistic stealthy end-to-end attack scenario can be produced by combining two independent research efforts.

The programmable logic controller (PLC) worm is the brain child of German hackers Ralf Spenneberg and Maik Brüggeman of Steinfurt-based consultancy OpenSource Security Ralf Spenneberg, and, unlike any past attacks, is able to spread from devices without the need of an infected laptop or desktop.

All other PLC malware such as Stuxnet relied on having an infected computer to spread to other controllers, meaning an infection could be stopped from proliferating by removing those machines.

Spenneberg and Brüggeman claim the attack spreads like cancer between default Siemens S7 1200 PLCs, and could be reworked to target other systems.

They say it can also be used in proxy-chains to gain a foothold into utility networks, depending on the PLC used.

“Our worm is the first that can propagate through Siemens PLCs without support from PCs or any other system,” Spenneberg told The Register

“Imagine a PLC is intercepted on the way to your plant, or by the vendor; there is little you could do to detect this and it would quickly spread throughout your plant.

“We can create a denial of service, killing infected PLCs … imagine this happening to a major plant.”

These so-called interdiction attacks are known compromise methods of nation-states.

The pair set up a test power plant to demonstrate how the worm could successfully rip through a utility without need of an infected PC.

The LED lights blinked and died as the worm hopped between PLCs, staying within the so-called maximum cycle time of 150 milliseconds.

The PLC demo, pre-pwnage (gif).

Their work has since been detailed in a paper [PDF].

Defenders must hope to identify the attack at the initial stages, but separate research also demonstrated at the BlackHat Asia conference promises to cloak Spenneberg and Brüggeman’s malware.

IOActive researcher Alexander Bolshev told The Register his work allows frequency and amplitude modifications in waves generated by control PLCs to allow an attack to be masked.

The research, which he conducted alongside Honeywell security boffin Marina Krotofil, means an attacker could, for example, break into a remote station along a major gas line, determine normal frequency patterns, and repeat those waves with high-frequency components added to cloak a destructive intrusion.

Bolshev demonstrated the attacks using a Siemens S7 controller and a motor, but stresses the flaw is not part of the S7 and is instead thanks to poor architecture design.

“We introduce a signal that disrupts the motor while keeping the controller completely blind,” Bolshev told The Register at the Singapore conference.

“After such a time the motor will be destroyed.

“It is all about hiding a potential attack.”

Utilities could detect his attack by replacing the hardware – in his example the S7 - with gear that can detect much higher frequencies, and install low pass filters around actuators and PLCs.

Recent network-borne attacks against utilities including that of Ukraine’s Prykarpattya Oblenergo and Kyivoblenergo utilities revealed this year have proven such attacks are within the practical imagination of determined attackers who are willing to conduct attacks in person.

Protecting against such attacks, however, is costly, and requires hardware to be upgraded ahead of refresh cycles, with all the ensuing massive cost of legacy system integration that implies. ®


Biting the hand that feeds IT © 1998–2017