Creating a Weapon of Mass Disruption: Attacking Programmable Logic Controllers

Abstract

A programmable logic controller (PLC) is a small industrial computer made to withstand the harsh environment it operates in. PLCs were designed for a closed, trusted network with little emphasis on security. Since their introduction, the automation world has changed, and the line between traditional IT and automation has slowly faded away. By integrating well known, low cost, technology such as commodity operating systems and TCP/IP into the automation realm, new threats are emerging. Security by obscurity was long deemed sufficient for industrial networks. If this was ever true, it is not anymore,especially when considering where PLCs are deployed; PLCs are part of virtually every industrial control system in the world and is at the heart of systems such as power production (including nuclear), pipelines, oil and gas refineries, water and waste, and weapon systems. A compromised system could mean financial loss, damage to equipment or in some cases, loss of life.This thesis looks at PLC security from an attacker?s perspective. That is, given logicalnetwork access, what will an attacker attempt to accomplish and how will he or she proceed? In order to answer these questions, and more, this thesis discusses techniques and tools that can be used to compromise a PLC. Studying PLC security in detail, this thesis include both theoretical and practical aspects of security in PLCs. In-depth security tests are performed on a widely used PLC; uncovering several critical security vulnerabilities, including a new XML parser vulnerability accompanied by a zero day exploit allowing the adversary to perform a DoS attack that completely disables the PLC, including communication capabilities. Other exploits are also developed and their consequences run the gamut from arbitrary code execution, file read/write permissions, installing customized firmware, to manipulating actuators. The research culminates in a set of python scripts, an exploit suite, implementing all the exploits developed. This thesis shows that an adversary with network access can perform devastating attacks with relative ease. In the hands of the wrong people, the weaponized exploit suite, can cause tremendous damage. Shutting down, or altering, an industrial process will in many cases have severe financial and/or safety consequences.