Hacking industrial processes with and undetectable PLC Rootkit

The security researcher Ali Abbasi, a Ph.D. candidate in the distributed and embedded system security group at University of Twente, Netherlands, and Majid Hashemi, an independent security researcher, have developed an undetectable PLC rootkit. The security duo will present the undetectable PLC rootkit at the upcoming Black Hat Europe, that will be held in London in November.

The security duo will also present a version of the PLC attack that leverages shellcode.  The title of the presentation if Ghost In The PLC: Designing An Undetectable Programmable Logic Controller Rootkit.

The researchers believe that their PLC rootkit could be dangerous more than Stuxnet because it is stealth and affects directly the PLC differently from Stuxnet that was designed to target SCADA systems running on Windows architecture.It’s much less likely to be discovered because it sits at the lower-level of the system.

The PLC rootkit was developed to compromise the low-level components of a PLC system, it could be considered a cross-platform PLC threat because it is able to infect PLC manufactured by almost any vendor.

“It’s a race to the bottom” Abbasi told DarkReading. “Everybody has access to higher-level [SCADA operations]. Attackers in the future will go to lower level assaults” such as this to evade detection, he says.

Hacking a PLC system directly could more simple for Vxers because such kind of devices don’t implement many detection mechanisms, this means that a PLC running a real-time operating system could me more exposed to cyber attacks.

In August, a group of researcher presented at the Black Hat USA presented a PLC worm that spreads among PLCs, it was dubbed by the creator PLC-Blaster.

Abbasi and Hashemi explained their PLC rootkit doesn’t target the PLC logic code like other similar threats making hard its detection.

Furthermore, the researchers explained that the activity of the PLC rootkit will go unnoticed even to systems that monitor the power consumption of the PLC.

“The overhead imposed of our attack outside of kernel is below one percent, which means even those approaches which monitor the power usage of PLC for attack detection will be useless,” explained Abbasi.

The malware interferes with the connection between PLC runtime and logic with the I/O peripherals. The malware resides in the dynamic memory of the industrial component and manipulates the I/O and PLC process, while the PLC is communicating with I/O block composed of output pins that handle the physical control of the process.

The PLC receives signals from the field from the input PINs (i.e. level of the liquid in a pipe) and controls the process through actuators that receive instructions from the output PINs of the PLC (i.e. control of a valve).

Clearly manipulating the I/O signals it is possible to interfere with industrial process in a stealthy way, and this is what the PLC rootkit does.

“Our attack instead targets the relation between PLC runtime and logic with the I/O peripherals of it. In our attack, the PLC logic and PLC runtime remain intact,” said Abbasi. ” “in PLCs, the I/O operations are one of the most important tasks.”

As explained by the duo, the attack is feasible due to lack of hardware interrupt on the PLC’s SoC and intensified by Pin Control subsystem inability for hardware level Pin Configuration detection.

Abbasi and Hashemi are currently studying defensive countermeasures to detect and protect PLCs from such kind of threats.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – PLC rootkit, hacking)