CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Internet Exposure, Flaws Put Industrial Safety Controllers at Risk of Attacks

Applied Risk details safety controller flaws at ICS Cyber Security Conference Singapore

Applied Risk details safety controller flaws at ICS Cyber Security Conference Singapore

SINGAPORE — SECURITYWEEK 2018 ICS CYBER SECURITY CONFERENCE | SINGAPORE — Researchers have discovered a potentially serious vulnerability in industrial safety controllers and a significant number of the impacted devices are directly exposed to the Internet, making it easy for malicious actors to launch attacks and possibly cause damage.

Safety systems are designed to prevent incidents in industrial environments by restoring processes to a safe state or shut them down if parameters indicate a potentially hazardous situation. While these devices play an important role in ensuring physical safety, they can and have been targeted by malicious hackers. The best example is the Triton/Trisis/Hatman attack, which leveraged a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers.

Researchers at industrial cybersecurity firm Applied Risk have analyzed safety controllers from several major vendors, including Siemens, ABB, Rockwell Automation’s Allen Bradley, Pilz, and Phoenix Contact.

The research is ongoing, but they have identified a denial-of-service (DoS) flaw that may affect several products. Details of the vulnerability were disclosed on Wednesday at SecurityWeek’s ICS Cyber Security Conference in Singapore by Gjoko Krstic, senior ICS security researcher at Applied Risk.

The vulnerability allows a remote attacker to cause a safety controller to reboot and enter faulted mode. Manual intervention is required to restore the device, Krstic told SecurityWeek in an interview.

The security hole can be leveraged to cause the device to enter a DoS condition by sending it a specially crafted TCP packet. Specifically, the attack relies on EtherNet/IP, one of the most widely used industrial network protocols.

Applied Risk researchers discovered that an attacker can cause safety controllers to fail by sending them a TCP packet that starts with the No Operation (NOP) option. Experts determined that, for some reason, safety controllers cannot handle incorrect TCP options.

Krstic says there is no other requirement for the attack to work. An attacker with access to the targeted controller, either from the Internet or the local network, can cause the device to become inoperable simply by sending it a packet.

Advertisement. Scroll to continue reading.

An exploit has been tested by Applied Risk on Rockwell Automation’s Allen Bradley 1769 Compact GuardLogix 5370 controllers, but since the underlying issue is related to Ethernet/IP, researchers believe products from other vendors are likely affected as well.

All impacted vendors have been informed. Rockwell Automation, which has assigned CVE-2017-9312 to this vulnerability, is expected to release a patch and an advisory sometime in May.

Applied Risk has identified nearly a dozen Allen Bradley 1769 Compact GuardLogix 5370 controllers exposed directly to the Internet. However, the total number of safety controllers accessible from the Web is much higher. A Shodan search for the popular Siemens Simatic S7 devices, which include safety controllers, reveals nearly 900 results.

Given the significant role of safety controllers in industrial environments, causing a device to enter a DoS condition could have serious consequences, including physical damage to equipment and physical harm to people.

As the Triton/Trisis attack on Schneider Electric devices showed, writing malicious programs to a controller requires that the device’s key switch is set to “Program” mode. As part of its research into safety controllers, Applied Risk has been trying to find a way to remotely bypass the key switch and, while they have yet to succeed, experts are optimistic based on their progress so far.

Related: New SCADA Flaws Allow Ransomware, Other Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.