Abstract
Programmable Logic Controllers (PLCs) are increasingly connected and integrated into the Industrial Internet of Things (IIoT) for better network connectivity and a more streamlined control process. This, however, also brings security challenges and exposes them to various cyber-attacks targeting the physical process controlled by such devices. In this work, we investigate whether the newest S7 PLCs are vulnerable by design and can be exploited. In contrast to the typical control logic injection attacks in the research community, which require adversaries to stay online throughout the ongoing attack, this article introduces a new exploit strategy that aims at disrupting the physical process controlled by the infected PLC while the adversary is connected neither to the target nor to its network at the point zero of the attack, i.e., at the moment the disruption actually takes place. Our exploit approach comprises two steps: 1) patching the PLC with a malicious Time-of-Day interrupt block once an attacker gains access to an exposed PLC, and 2) triggering the interrupt at a later time of the attacker's choosing, while the attacker is disconnected from the system's network. For a realistic attack scenario, we implemented our attack approach on a Fischertechnik training system based on an S7-1500 PLC using the latest version of the S7CommPlus protocol. Our experimental results showed that we could keep the patched interrupt block idle and hidden in the PLC memory for a long time without being revealed, until it was activated at the specific date and time defined by the attacker. Finally, we suggest some potential security recommendations to protect industrial environments from such a threat.
Highlights
Industrial Control Systems (ICSs) are used to automate critical control processes such as production lines, electrical power grids, oil and gas facilities, petrochemical plants, and others.
Based on our analysis, we can conclude that while our patch is in idle mode, the execution cycle times of the infected program are almost the same as those of the original program.
This paper presented a new threat to the newest SIMATIC Programmable Logic Controllers (PLCs).
Summary
Industrial Control Systems (ICSs) are used to automate critical control processes such as production lines, electrical power grids, oil and gas facilities, petrochemical plants, and others. It is not surprising that most modern ICS environments are increasingly connected to corporate networks and are no longer controlled or monitored on-site. This higher connectivity has enlarged the attack surface and brought its own security challenges, allowing attacks that did not exist in the times of air-gapped industrial plants. ICS environments are not fully protected against control logic injection attacks, and these systems are still quite far from being completely secure. To this end, we present a new attack strategy that allows malicious adversaries to disrupt the physical process controlled by PLCs offline, i.e., without being connected to the target or to its network at the point zero of the attack. Our attack is network based and can be successfully conducted by any attacker with network access to any S7-1500 PLC with firmware V2.9.2 or lower.

1 https://www.fischertechnikwebshop.com/de-DE/fischertechniklernfabrik-4-0-24v-komplettset-mit-sps-s7-1500-560840-de-de
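The summary above bounds the attack by two conditions: the target is an S7-1500 and its firmware is V2.9.2 or lower, and the attacker only needs network access to it. The following script, an added example that is not part of the paper and not code from the authors, turns those two conditions into an inventory check. The inventory record layout (`PlcAsset`, the `s7_port_reachable` flag) and the sample devices are constructed for this example; a firmware above V2.9.2 is treated only as "outside what the page states", not as safe. The one thing worth getting right is the version comparison: as plain strings, "V2.10.0" sorts below "V2.9.2", which would mark a newer firmware as in scope.

```python
"""Flag S7-1500 PLCs that fall within the scope stated on this page:
firmware V2.9.2 or lower and reachable over the network.
Added example; field layout and sample inventory are constructed, not real data."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Upper bound named on the page ("firmware V2.9.2 or lower"). Versions above
# it are outside the page's statement; this script makes no claim about them.
AFFECTED_MAX_FIRMWARE = (2, 9, 2)

_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_firmware(version: str) -> tuple[int, int, int]:
    """Turn 'V2.9.2' or '2.10' into a numerically comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def firmware_in_scope(version: str) -> bool:
    """True when the firmware is V2.9.2 or lower, the range the page names."""
    return parse_firmware(version) <= AFFECTED_MAX_FIRMWARE


@dataclass(frozen=True)
class PlcAsset:
    """One inventory record; hypothetical field layout chosen for this example."""
    name: str
    family: str               # e.g. "S7-1500" or "S7-1200"
    firmware: str             # vendor-style version string, e.g. "V2.9.2"
    s7_port_reachable: bool   # S7 service (TCP/102) reachable from a network an attacker could sit on


def assess(inventory: list[PlcAsset]) -> dict[str, str]:
    """Map asset name -> reason for every S7-1500 that meets both conditions on the page."""
    findings: dict[str, str] = {}
    for asset in inventory:
        if asset.family != "S7-1500":
            continue  # the page only makes its statement about the S7-1500
        if firmware_in_scope(asset.firmware) and asset.s7_port_reachable:
            findings[asset.name] = (
                f"firmware {asset.firmware} is V2.9.2 or lower and the S7 port is reachable"
            )
    return findings


# Constructed sample inventory (no real devices).
SAMPLE_INVENTORY = [
    PlcAsset("line1-plc", "S7-1500", "V2.8.3", True),
    PlcAsset("line2-plc", "S7-1500", "V2.9.2", True),
    PlcAsset("line3-plc", "S7-1500", "V2.10.0", True),  # newer than V2.9.2 despite the string order
    PlcAsset("line4-plc", "S7-1500", "V2.5.0", False),  # in-scope firmware, but not reachable
    PlcAsset("packaging", "S7-1200", "V4.4.0", True),   # different family, not covered by the page
]

if __name__ == "__main__":
    for name, reason in assess(SAMPLE_INVENTORY).items():
        print(f"{name}: {reason}")
```

Because the paper reports that the idle patch leaves the program's cycle times almost unchanged, runtime cycle-time monitoring is not a substitute for knowing which controllers are reachable and on which firmware; an inventory check like this is the cheaper first pass.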