Abstract

The architecture of an industrial control system (ICS) consists of programmable logic controllers (PLCs) that communicate with an engineering station on one side and control a physical process on the other. Siemens PLCs, in particular the S7-300 family, are widely deployed in industrial systems, and modern critical infrastructures rely heavily on them. Unfortunately, security features are largely absent from such devices, or are ignored or disabled because security is often at odds with operations. As a consequence of the vulnerabilities already reported, it is possible to compromise PLCs and perhaps even to pivot into the corporate IT network. In this paper we show that such PLCs are vulnerable and demonstrate that tampering with the execution of the logic program running on a PLC is feasible. We target the logic program by injecting Time-of-Day (TOD) interrupt code, which interrupts the execution sequence of the control logic at a time of the attacker's choosing. To our knowledge this is the first attack that lets an external adversary plant malicious code once an exposed PLC has been reached, keep the attack dormant inside the infected device, and trigger it at a later date without being connected to the target at that time. In contrast to all previous work, this approach allows an attacker to compromise a PLC that is offline at the moment the attack fires. For a realistic scenario, we implemented the attack on a small industrial setup built on S7-300 PLCs, building on the previously published PLCinject tool to run our experiments. Finally, we suggest potential mitigation approaches to protect systems against this threat.

Full Text
Published version (Free)
