Hackers Can Abuse Legitimate Features to Hijack Industrial Controllers

Hackers can abuse legitimate features present in industrial controllers to hijack these devices and leverage them to gain a foothold in a network, a researcher warns.
Programmable logic controllers (PLCs) allow users to control and monitor physical processes in industrial environments. While these types of devices are known to have vulnerabilities, including ones that could be leveraged to create a dangerous worm, researchers have shown in the past that malicious actors may also be able to abuse legitimate PLC features to achieve their goals.

Roee Stark, a senior software engineer at industrial cybersecurity firm Indegy, has now demonstrated another type of attack that only leverages legitimate features. The expert has analyzed PLCs made by Rockwell Automation and found that certain Common Industrial Protocol (CIP) commands can be abused for malicious purposes.

“The CIP commands in question are any commands relating to the CIP socket object,” Stark told SecurityWeek in an email interview. “The socket object exposes a well-known interface that allows its user to send and receive TCP or UDP traffic with minimal limitations. The socket interface is very robust and one can cause a controller to collect reconnaissance, exfiltrate data and even carry out attacks using known vulnerabilities. The second feature involves CIP’s advanced routing capabilities. It’s possible to cause a CIP controller to forward CIP requests that are encapsulated using various protocols (Ethernet/IP, ControlNet, DH+ etc.). This can be used to allow unauthorized access to networks that otherwise might be inaccessible to an attacker from a remote network.”

The attacks can be launched against any controller that supports these socket commands as long as the attacker has network access to the targeted PLC, the expert said.

However, he noted that the method leverages specific CIP commands and features and not the CIP protocol itself. The abused capabilities are documented, but not very well known.

These types of attacks pose a risk not only to PLCs – the attacker can hijack any endpoint on the compromised network, including IT and industrial devices.

“Let’s assume there’s a SCADA control center that’s connected to the internet where there’s a controller that reads data from a controller on the production floor (with no internet connection) using ControlNet,” Stark explained. “If an attacker has access to the controller in the SCADA center, be it from the local network or via the internet, the attacker can identify the ControlNet connection and using a complex path gain access to the other controllers on the production floor. With access to the controller, the attacker can collect information by triggering various queries and scans using the socket interface. Once an endpoint is discovered, there’s nothing preventing the attacker from gaining access to it.”
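Both features Stark describes leave a footprint on the wire that a monitoring sensor can key on: a request whose target is the controller's socket object, and an Unconnected Send whose route path carries more than one port segment (the "complex path" that forwards a request off the local network). The following added example, which is not code from the article, from Indegy or from Rockwell Automation, parses the CIP Message Router request format and the Connection Manager Unconnected Send (service 0x52) wrapper as defined in the public CIP specification, and flags both conditions. It assumes 8- and 16-bit logical class/instance segments only, the sample byte strings are constructed for illustration, and the socket object class code in `WATCHED_CLASSES` is an assumption that must be confirmed against the vendor's documentation before use.

```python
"""Flag CIP requests that touch the socket object or that ask a controller to
forward a message through more than one hop. Added example, not vendor code."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SERVICE_UNCONNECTED_SEND = 0x52     # Connection Manager service (CIP Vol. 1)
CLASS_CONNECTION_MANAGER = 0x06

# ASSUMPTION: the vendor socket object class code. 0x342 is taken from memory of
# Rockwell's socket interface documentation; verify before deploying a rule on it.
WATCHED_CLASSES = {0x342: "socket object"}


@dataclass
class CipRequest:
    service: int
    class_id: Optional[int]
    instance_id: Optional[int]
    data: bytes
    route_hops: List[Tuple[int, bytes]] = field(default_factory=list)
    embedded: Optional["CipRequest"] = None


def parse_epath(buf: bytes, off: int, nbytes: int):
    """Return (class, instance) from the logical segments of an EPATH."""
    end, cls, inst = off + nbytes, None, None
    while off < end:
        seg = buf[off]
        if seg == 0x20:                                  # 8-bit class
            cls, off = buf[off + 1], off + 2
        elif seg == 0x21:                                # 16-bit class, pad + LE word
            cls, off = struct.unpack_from("<H", buf, off + 2)[0], off + 4
        elif seg == 0x24:                                # 8-bit instance
            inst, off = buf[off + 1], off + 2
        elif seg == 0x25:                                # 16-bit instance
            inst, off = struct.unpack_from("<H", buf, off + 2)[0], off + 4
        else:
            raise ValueError(f"unsupported EPATH segment 0x{seg:02x}")
    return cls, inst


def parse_route_path(buf: bytes, off: int, nbytes: int) -> List[Tuple[int, bytes]]:
    """Return the port segments of a route path as (port, link address) hops."""
    end, hops = off + nbytes, []
    while off < end:
        start, seg = off, buf[off]
        if seg & 0xE0:
            raise ValueError(f"not a port segment: 0x{seg:02x}")
        extended, port, off = bool(seg & 0x10), seg & 0x0F, off + 1
        if port == 0x0F:                                 # extended port number
            port, off = struct.unpack_from("<H", buf, off)[0], off + 2
        if extended:                                     # length-prefixed link address
            size = buf[off]
            link, off = bytes(buf[off + 1:off + 1 + size]), off + 1 + size
            off += (off - start) % 2                     # segment is padded to even length
        else:
            link, off = bytes(buf[off:off + 1]), off + 1
        hops.append((port, link))
    return hops


def parse_request(buf: bytes, off: int = 0, length: Optional[int] = None) -> CipRequest:
    """Parse a Message Router request; unwrap Unconnected Send if present."""
    end = off + (len(buf) - off if length is None else length)
    service, path_bytes = buf[off], buf[off + 1] * 2
    cls, inst = parse_epath(buf, off + 2, path_bytes)
    data_start = off + 2 + path_bytes
    req = CipRequest(service, cls, inst, bytes(buf[data_start:end]))
    if service == SERVICE_UNCONNECTED_SEND and cls == CLASS_CONNECTION_MANAGER:
        # priority/time tick (1), timeout ticks (1), message request size (2, LE)
        msg_len = struct.unpack_from("<H", buf, data_start + 2)[0]
        emb = data_start + 4
        req.embedded = parse_request(buf, emb, msg_len)
        p = emb + msg_len + (msg_len % 2)                # pad byte after odd-length message
        req.route_hops = parse_route_path(buf, p + 2, buf[p] * 2)  # size word, reserved byte
    return req


def assess(buf: bytes) -> List[str]:
    """Return human-readable findings for one CIP request."""
    req = parse_request(buf)
    target = req.embedded or req
    findings = []
    if target.class_id in WATCHED_CLASSES:
        findings.append(f"request to {WATCHED_CLASSES[target.class_id]} "
                        f"(class 0x{target.class_id:x}, service 0x{target.service:02x})")
    if len(req.route_hops) > 1:
        findings.append(f"multi-hop route path, {len(req.route_hops)} hops: {req.route_hops}")
    return findings


# Constructed samples (not captured traffic).
SAMPLE_BENIGN = bytes.fromhex("01 02 20 01 24 01")                # Get_Attributes_All, Identity
SAMPLE_MULTIHOP = bytes.fromhex(                                  # Identity read forwarded 2 hops
    "52 02 20 06 24 01 0A 05 06 00 01 02 20 01 24 01 02 00 01 00 02 01")
SAMPLE_SOCKET_DIRECT = bytes.fromhex("4B 03 21 00 42 03 24 00 00 00")  # hypothetical service 0x4B
SAMPLE_ROUTED_SOCKET = bytes.fromhex(                             # socket request via backplane then IP
    "52 02 20 06 24 01 0A 05 08 00 4B 03 21 00 42 03 24 00 06 00 01 00 12 08") + b"10.0.0.5"

if __name__ == "__main__":
    for name, pkt in [("benign", SAMPLE_BENIGN), ("multihop", SAMPLE_MULTIHOP),
                      ("socket", SAMPLE_SOCKET_DIRECT), ("routed socket", SAMPLE_ROUTED_SOCKET)]:
        print(name, "->", assess(pkt) or "no findings")
```

A rule built on this logic implements the visibility Stark asks for: rather than decoding every application command, the sensor needs only the outer service code, the target class and the hop count of the route path, all of which are in the first few dozen bytes of the request. Alerting on any hop count above one is reasonable on a segment where controllers are not expected to act as bridges; where legitimate multi-hop traffic exists, the `route_hops` list gives the whitelist key the article suggests.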

CIP attack against PLC

Stark told SecurityWeek there is no evidence that this technique has been abused for malicious purposes, but warns that these types of weaknesses are more problematic than actual vulnerabilities as they cannot be easily addressed with a patch that has minimal impact. However, there are steps that the vendor and users can take to prevent potential attacks.

“The main problem is the lack of authentication,” Stark said. “If only authorized parties were allowed to execute these commands, it would make exploiting them much more difficult. Furthermore, there should be some sort of route whitelist so that forwarding packets via a complex path is much more controlled. There is also a huge blind spot with regard to these features, so better visibility is required to detect if someone unauthorized is using them.

“As for users, practicing proper network hygiene and monitoring activity will make it a lot more difficult for an attacker to remain undetected. This is not a security vulnerability, but rather the exploitation of a product’s intended capabilities,” he added.

Researchers have previously disclosed actual vulnerabilities in Rockwell Automation products that could have been exploited using CIP messages.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.