Hackers Can Steal Data From Air-Gapped Industrial Networks via PLCs

Researchers have discovered a method that hackers could use to stealthily exfiltrate data from air-gapped industrial networks by manipulating the radio frequency (RF) signal emitted by programmable logic controllers (PLCs).


Attackers may be able to plant malware on an isolated network, for example via a compromised update mechanism or an infected USB drive, but using that malware to get valuable data back out of the organization is a separate problem: an air-gapped network has, by design, no outbound path.

In the past few years, Israeli researchers have found several methods that can be used to jump the air gap, including via infrared cameras, scanners, the LEDs on routers and hard drives, heat emissions, radio signals, and the noise made by hard drives and fans. One of their proof-of-concept (PoC) tools, named AirHopper, uses electromagnetic emissions from a computer’s graphics card to send data to a nearby receiver.

Researchers at CyberX, a company that specializes in protecting industrial control systems (ICS), have found a way to apply a similar data exfiltration method to systems in air-gapped industrial networks. The method was first disclosed in October at SecurityWeek’s ICS Cyber Security Conference by CyberX VP of Research David Atch.

CyberX shows how malware can jump the air gap via PLCs

The technique relies on PLCs and the RF signals they emit. Tests were conducted using the popular Siemens S7-1200 PLC, but experts believe the attack likely works on PLCs from other vendors as well.

The exfiltration method discovered by CyberX does not leverage any vulnerability or design flaw in the PLC, and it does not use any RF functionality of the device itself. The RF emissions are an unintended byproduct of repeatedly writing to the PLC’s memory in a particular pattern.

Analyzing the radio waves emitted by the device, the researchers found that the frequency of the signal shifts when data is written to the PLC’s memory. An attacker who controls the timing of those writes can therefore encode data one bit at a time: one frequency represents a “0” bit and a different frequency represents a “1” bit. The signal can be captured by a nearby antenna and decoded with software-defined radio (SDR) tools.

Writing to PLC memory in a specific cycle that modulates the frequency of the emitted RF signal can be achieved by uploading a specially crafted ladder diagram to the device. Ladder diagrams are the graphical form of ladder logic, a programming language used to develop software for PLCs.
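The receiving side of the channel described above is, in signal-processing terms, a two-tone (binary FSK) link at one symbol per second. The following is an added example, not CyberX’s code and not part of the original article: it simulates the baseband capture an SDR would hand to the decoder (one tone per bit period, standing in for the PLC’s two write cadences) and recovers the bytes by comparing the energy at the two candidate frequencies with the Goertzel algorithm. The sample rate, the two frequency offsets and the payload are constructed assumptions; only the 1 bit/s symbol rate comes from the article.

```python
import math
import random

# Constructed parameters for this example. Only BIT_SECONDS (1 bit per
# second) comes from the article; the sample rate and the two frequency
# offsets that stand in for the PLC's "0" and "1" write patterns are assumed.
SAMPLE_RATE = 1000      # samples/s of the already-downconverted SDR baseband
BIT_SECONDS = 1.0       # reported exfiltration rate: 1 bit per second
F_ZERO = 50.0           # Hz offset representing a "0" bit (assumption)
F_ONE = 120.0           # Hz offset representing a "1" bit (assumption)


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list, the order in which the transmitter clocks bits out."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def modulate(data: bytes, noise_sigma: float = 0.0, seed: int = 1) -> list:
    """Simulated capture: one tone per bit period plus Gaussian noise.
    This models what the antenna/SDR records while the ladder logic
    alternates between the two memory-write cadences."""
    rng = random.Random(seed)
    samples = []
    n_per_bit = int(SAMPLE_RATE * BIT_SECONDS)
    for bit in bytes_to_bits(data):
        freq = F_ONE if bit else F_ZERO
        for n in range(n_per_bit):
            t = n / SAMPLE_RATE
            samples.append(math.sin(2 * math.pi * freq * t) + rng.gauss(0.0, noise_sigma))
    return samples


def goertzel_power(block: list, freq: float) -> float:
    """Energy of `block` at `freq` (Goertzel algorithm). Cheaper than a full
    FFT when only two bins matter, which is the case for a two-tone channel."""
    k = int(0.5 + len(block) * freq / SAMPLE_RATE)
    w = 2 * math.pi * k / len(block)
    coeff = 2 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples: list) -> list:
    """Decide each bit by asking which of the two tones carries more energy
    during that one-second symbol period."""
    n_per_bit = int(SAMPLE_RATE * BIT_SECONDS)
    bits = []
    for start in range(0, len(samples) - n_per_bit + 1, n_per_bit):
        block = samples[start:start + n_per_bit]
        bits.append(1 if goertzel_power(block, F_ONE) > goertzel_power(block, F_ZERO) else 0)
    return bits


def round_trip(data: bytes, noise_sigma: float = 0.5) -> bytes:
    """Encode, add noise, decode. Returns the recovered bytes."""
    return bits_to_bytes(demodulate(modulate(data, noise_sigma=noise_sigma)))


if __name__ == "__main__":
    payload = b"S7-1200"  # constructed payload
    print(round_trip(payload))
```

With a full symbol period per bit the two tones are orthogonal over the analysis window, so the decision survives noise well above the tone amplitude; in a real capture the decoder would additionally have to find the symbol boundaries (a preamble) and track drift in the PLC’s emission frequency, neither of which this simulation models.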


An attacker who has access to the targeted organization’s systems, specifically to its industrial controllers, can upload a malicious ladder diagram to a PLC and abuse it to exfiltrate sensitive data.

In the tests it conducted, CyberX managed to transmit data at a rate of 1 bit per second over a distance of roughly 1 meter (3 feet) with an off-the-shelf antenna. However, experts believe the distance can be increased using a higher quality antenna, and improvements made to signal processing algorithms can help increase the speed of the transmission.

The exfiltrated data can be captured using various methods, such as an antenna attached to a drone flying over the site, or by an adversary posing as cleaning staff and carrying an antenna in their pocket.

While 1 bit per second may seem very slow, the researchers believe the method is useful for stealing the small pieces of information a sophisticated threat actor typically collects during the reconnaissance phase of an attack, including network topology, protocols and devices, intellectual property stored in HMIs and historians, and work schedules.

The researchers warned that these attacks are typically difficult to detect because no security software runs on the PLC itself. Furthermore, once a device has been compromised, the malicious code persists for a long time, since PLCs are rarely reflashed or reprogrammed from scratch.

“Organizations can prevent these types of attacks with continuous monitoring and behavioral anomaly detection,” Atch told SecurityWeek. “For example, this would immediately detect the cyber reconnaissance phase preceding data exfiltration — such as devices scanning the network and querying devices for configuration information — as well as unauthorized updates to PLC ladder logic code to deploy the specially-crafted code to generate encoded RF signals.”
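The two signals Atch names, a host querying many PLCs for configuration data and an unauthorized change to a PLC’s logic, are both visible on the network even though nothing runs on the PLC. The following is an added example, not CyberX’s product logic and not from the article: a small detector over a constructed event log (timestamp, source, destination PLC, simplified S7 function name) that raises an alert when one host asks several PLCs for their system status list, and when a program block download comes from a host other than the engineering workstation or outside the maintenance window. The log format, host addresses, thresholds and window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed event log (an assumption for this example; real ICS monitors
# emit their own schemas). Fields: timestamp, source IP, PLC IP, function.
# "s7:read_szl" stands for a System Status List read (device identification);
# "s7:download_block" stands for a program block download (logic update).
SAMPLE_EVENTS = """\
2023-03-14T02:10:05 10.0.5.23 10.0.9.10 s7:read_szl
2023-03-14T02:10:06 10.0.5.23 10.0.9.11 s7:read_szl
2023-03-14T02:10:07 10.0.5.23 10.0.9.12 s7:read_szl
2023-03-14T02:10:08 10.0.5.23 10.0.9.13 s7:read_szl
2023-03-14T02:10:09 10.0.5.23 10.0.9.14 s7:read_szl
2023-03-14T02:10:10 10.0.5.23 10.0.9.15 s7:read_szl
2023-03-14T02:12:41 10.0.5.23 10.0.9.10 s7:download_block
2023-03-14T10:30:12 10.0.1.5 10.0.9.10 s7:download_block
2023-03-14T10:31:00 10.0.1.5 10.0.9.10 s7:read_var
"""

AUTHORIZED_ENGINEERING_HOSTS = {"10.0.1.5"}     # assumption: the one engineering workstation
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))  # assumption: logic changes only in daytime
RECON_THRESHOLD = 5                             # distinct PLCs one host may identify before alerting


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    func: str


def parse_events(text: str) -> list:
    """Parse the whitespace-separated log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, func = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, func))
    return events


def detect(events: list) -> list:
    """Return (alert_type, source_host, message) tuples in event order."""
    alerts = []
    identified = {}  # src host -> set of PLCs it has asked for configuration
    for ev in events:
        if ev.func == "s7:read_szl":
            seen = identified.setdefault(ev.src, set())
            seen.add(ev.dst)
            # Fire once, when the threshold is crossed, not on every later query.
            if len(seen) == RECON_THRESHOLD:
                alerts.append(("recon", ev.src,
                               f"{ev.src} queried configuration of {RECON_THRESHOLD} PLCs"))
        elif ev.func == "s7:download_block":
            if ev.src not in AUTHORIZED_ENGINEERING_HOSTS:
                alerts.append(("unauthorized_logic_update", ev.src,
                               f"{ev.src} downloaded a program block to {ev.dst}"))
            elif not (MAINTENANCE_WINDOW[0] <= ev.ts.time() <= MAINTENANCE_WINDOW[1]):
                alerts.append(("off_hours_logic_update", ev.src,
                               f"{ev.src} changed logic on {ev.dst} at {ev.ts.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

On the sample log the detector flags the sweep from 10.0.5.23 as reconnaissance and its subsequent block download as an unauthorized logic update, while the daytime download from the engineering workstation passes. A production deployment would key the authorized-host list and window per PLC, and would also record a hash of each downloaded block so that the specific program that generates the RF pattern can be recovered for analysis.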

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
