A New Injection Threat on S7-1500 PLCs - Disrupting the Physical Process Offline

Abstract

Programmable Logic Controllers (PLCs) are increasingly connected and integrated into the Industrial Internet of Things (IIoT) for a better network connectivity and a more streamlined control process. But in fact, this brings also its security challenges and exposes them to various cyber-attacks targeting the physical process controlled by such devices. In this work, we investigate whether the newest S7 PLCs are vulnerable by design and can be exploited. In contrast to the typical control logic injection attacks existing in the research community, which require from adversaries to be online along the ongoing attack, this article introduces a new exploit strategy that aims at disrupting the physical process controlled by the infected PLC when adversaries are not connected neither to the target nor to its network at the point zero for the attack. Our exploit approach is comprised of two steps: 1) Patching the PLC with a malicious <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Time-of-Day</i> interrupt block once an attacker gains access to an exposed PLC, 2) Triggering the interrupt at a later time on the attacker will, when he is disconnected to the system’s network. For a real attack scenario, we implemented our attack approach on a Fischertechnik training system based on S7-1500 PLC using the latest version of S7CommPlus protocol. Our experimental results showed that we could keep the patched interrupt block in idle mode and hidden in the PLC memory for a long time without being revealed before being activated at the specific date and time that the attacker defined. Finally, we suggested some potential security recommendations to protect industrial environments from such a threat.