
Network DoS Attack on PLCs Can Disrupt Physical Processes

A team of researchers has demonstrated an interesting type of denial-of-service (DoS) attack on programmable logic controllers (PLCs), where network flooding can lead to the disruption of the physical process controlled by the device.

A paper titled “You Snooze, You Lose: Measuring PLC Cycle Times Under Attacks” was published last year by a group of researchers from the German universities Hochschule Augsburg and Freie Universität Berlin. The ICS-CERT agency in the United States this week published an advisory showing what each impacted vendor said or did in response to the flaw.

The security hole, tracked as CVE-2019-10953, has been classified as “high severity” (CVSS score of 7.5). Industrial cybersecurity professionals have often warned that DoS attacks have a much higher impact on industrial systems than on IT systems.

The attack targets the cycle time of a PLC. A PLC runs in four phases in a loop: it reads inputs (e.g., sensors), it executes its program, it performs diagnostics and communication tasks, and it writes outputs. The time it takes to execute this loop is called the cycle time, which is typically between 1 and 10 milliseconds.

The researchers have demonstrated that specially crafted network traffic aimed at a PLC can influence this timing, which can cause disruptions to the real-world physical process controlled by the PLC.
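To make the coupling between the communication phase and the cycle time concrete, here is an added simulation; it is not code from the paper, the researchers, or any vendor. It models the four scan phases as fixed costs plus a per-frame service cost in the communication phase. The phase durations, the per-frame cost and the communication budget are assumed values chosen for illustration, not measurements. It also includes the check a defender would want to have in place: a cycle-time watchdog that flags scans exceeding twice the nominal time.

```python
"""Toy model of a PLC scan cycle under network load.

Added example, not code from the paper or from any vendor. All timing
constants (phase durations, per-frame service cost, comm budget) are
assumptions chosen for illustration, not measured values.
"""
from collections import deque
from typing import Deque, List, Optional


class ScanCycleModel:
    """Simulates the four-phase scan loop: read inputs, execute the program,
    service communication tasks, write outputs. Times are integer microseconds
    so the arithmetic stays exact."""

    def __init__(
        self,
        read_us: int = 200,                    # assumed: sample inputs
        execute_us: int = 1000,                # assumed: run the control program
        write_us: int = 200,                   # assumed: update outputs
        per_frame_us: int = 20,                # assumed: service one received frame
        comm_budget_us: Optional[int] = None,  # None = service the whole backlog
    ) -> None:
        self.read_us = read_us
        self.execute_us = execute_us
        self.write_us = write_us
        self.per_frame_us = per_frame_us
        self.comm_budget_us = comm_budget_us
        self.backlog: Deque[int] = deque()     # frames waiting in the receive buffer
        self.cycle_times: List[int] = []

    @property
    def nominal_us(self) -> int:
        """Cycle time with no network traffic at all."""
        return self.read_us + self.execute_us + self.write_us

    def scan(self, arriving_frames: int) -> int:
        """Run one cycle with `arriving_frames` new frames queued; return its duration."""
        self.backlog.extend(range(arriving_frames))
        elapsed = self.read_us + self.execute_us          # phases 1 and 2
        spent = 0                                         # phase 3: communications
        while self.backlog:
            if self.comm_budget_us is not None and spent + self.per_frame_us > self.comm_budget_us:
                break                                     # budget exhausted; the rest waits
            self.backlog.popleft()
            spent += self.per_frame_us
        elapsed += spent + self.write_us                  # phase 4
        self.cycle_times.append(elapsed)
        return elapsed


def cycle_time_alarms(cycle_times: List[int], nominal_us: int, factor: float = 2.0) -> List[int]:
    """Indices of cycles that overran `factor` x nominal: what a cycle-time
    watchdog, or a reader of the PLC's diagnostics buffer, would flag."""
    return [i for i, t in enumerate(cycle_times) if t > factor * nominal_us]


def run_flood(frames_per_cycle: int, cycles: int, comm_budget_us: Optional[int]) -> dict:
    """Drive the model for `cycles` scans at a constant frame rate and summarise."""
    plc = ScanCycleModel(comm_budget_us=comm_budget_us)
    times = [plc.scan(frames_per_cycle) for _ in range(cycles)]
    return {
        "nominal_us": plc.nominal_us,
        "max_cycle_us": max(times),
        "alarms": cycle_time_alarms(times, plc.nominal_us),
        "backlog": len(plc.backlog),
    }


if __name__ == "__main__":
    # Unbounded comm phase: the cycle stretches with the traffic (the "slowed down" case).
    print("unbounded:", run_flood(frames_per_cycle=200, cycles=5, comm_budget_us=None))
    # Bounded comm phase: cycle time holds, the receive backlog grows instead.
    print("budgeted: ", run_flood(frames_per_cycle=200, cycles=5, comm_budget_us=500))
```

With the assumed constants, an unbounded communication phase under 200 frames per cycle stretches every scan to 5.4 ms against a 1.4 ms nominal and trips the watchdog on each one; with a 500 µs budget the cycle holds at 1.9 ms while the backlog grows by 175 frames per scan. That is the trade-off the model makes visible: bounding communication work per cycle protects the control loop's timing at the cost of network responsiveness, and cycle-time overruns are a signal worth monitoring on devices whose diagnostics expose them.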

“The PLCs react very differently: some completely stopped updating their outputs, others slowed down,” Matthias Niedermaier, one of the Hochschule Augsburg researchers involved in this project, told SecurityWeek.

Other researchers had previously theorized that network traffic can influence the processes controlled by industrial control systems (ICS); the experiments conducted by the Hochschule Augsburg and Freie Universität Berlin researchers on 16 devices from six vendors demonstrated that it works in practice. They noted that the attacks were conducted, as much as possible, against PLCs running with default configurations.

An attack can be launched either from the internet (if the targeted device is exposed to the internet) or from a compromised device on the same network as the targeted PLC (including another PLC). The experts pointed out that the attacker does not need to have specific knowledge of the actual process controlled by the PLC or the program running on it.

This type of DoS attack is interesting because although it’s aimed at the network side of the PLC, it actually targets the electrical side (i.e., the process controlled by the PLC) and not the network connectivity.

Only one of the tested devices did not appear to be vulnerable to network flooding attacks. However, only one vendor released actual patches.

The vendors whose products were tested are ABB, Phoenix Contact, Schneider Electric, Siemens, and WAGO. According to ICS-CERT, only Schneider Electric released patches, for its Modicon M221 and EcoStruxure Machine Expert products. ABB said the attacks were possible because its product had been left in the default configuration during the attack. Phoenix Contact said its newer products were not affected; the company is not releasing patches for the older products and advised customers to implement mitigations.

Siemens said this was not a vulnerability in its products, and WAGO said it was a known problem for some devices and recommended mitigations.

“Since almost all manufacturers are affected in some way, it was difficult to find a good solution here, and thus the process took a long time,” Niedermaier explained. “Personally, I believe that this topic requires further investigation by the manufacturer, as there is feedback from network traffic to the real-world physical process. We as researchers only have a few devices and cannot investigate the huge amount of PLCs.”

Related: Flaw in Schneider PLC Allows Significant Disruption to ICS

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
