A team of researchers has demonstrated an interesting type of denial-of-service (DoS) attack on programmable logic controllers (PLCs), where network flooding can lead to the disruption of the physical process controlled by the device.
A paper titled “You Snooze, You Lose: Measuring PLC Cycle Times Under Attacks” was published last year by a group of researchers from the German universities Hochschule Augsburg and Freie Universität Berlin. The ICS-CERT agency in the United States this week published an advisory showing what each impacted vendor said or did in response to the flaw.
The security hole, tracked as CVE-2019-10953, has been classified as “high severity” (CVSS score of 7.5) — industrial cybersecurity professionals have often warned that DoS attacks have a much higher impact in the case of industrial systems compared to IT systems.
The attack targets the cycle time of a PLC. A PLC runs in four phases in a loop: it reads inputs (e.g., sensors), it executes its program, it performs diagnostics and communication tasks, and it writes outputs. The time it takes to execute this loop is called the cycle time, which is typically between 1 and 10 milliseconds.
The researchers have demonstrated that specially crafted network traffic aimed at a PLC can influence this timing, which can cause disruptions to the real-world physical process controlled by the PLC.
“The PLCs react very different, some completely stopped updating their outputs, others slowed down,” Matthias Niedermaier, one of the Hochschule Augsburg researchers involved in this project, told SecurityWeek.
Other researchers previously theorized that network traffic can influence the processes controlled by industrial control systems (ICS) and the experiments conducted by the Hochschule Augsburg and Freie Universität Berlin experts on 16 devices from six vendors have demonstrated it to work in practice. They noted that the attacks were conducted — as much as possible — against PLCs running with default configurations.
An attack can be launched either from the internet (if the targeted device is exposed to the internet) or from a compromised device on the same network as the targeted PLC (including another PLC). The experts pointed out that the attacker does not need to have specific knowledge of the actual process controlled by the PLC or the program running on it.
This type of DoS attack is interesting because although it’s aimed at the network side of the PLC, it actually targets the electrical side (i.e., the process controlled by the PLC) and not the network connectivity.
Only one of the tested devices did not appear to be vulnerable to network flooding attacks. However, only one vendor released actual patches.
The vendors whose products were tested are ABB, Phoenix Contact, Schneider Electric, Siemens, and WAGO. According to ICS-CERT, only Schneider Electric released patches for its Modicon M221 and EcoStruxure Machine Expert products. ABB said the attacks were possible due to the fact that its product was left in the default configuration during the attack, and Phoenix Contact said its newer products were not affected; the company is not releasing patches for the older products and advised customers to implement mitigations.
Siemens said this was not a vulnerability in its products, and WAGO said it was a known problem for some devices and recommended mitigations.
“Since almost all manufacturers are affected in some way, it was difficult to find a good solution here, and thus the process took a long time,” Niedermaier explained. “Personally, I believe that this topic requires further investigation by the manufacturer, as there is a feedback from network traffic to the real world physical process. We as researchers only have a few devices and cannot investigate the huge amount of PLCs.”