In the digital era, it is very important to make sure that large, widely connected networks are protected from cyber-attacks. Unauthorized access to your Industrial Control System (ICS) can lead to damage to the system, data theft, monetary loss, or even harm to a company's reputation.
What is a Cyber-attack on a PLC?
It is an attack that disables a system, steals data, or launches additional attacks by exploiting flaws, bugs, or vulnerabilities of the system. This can be done by various methods such as Phishing, Malware, Ransomware, DoS, etc.
What is Phishing?
It is a social engineering cyber-attack. Social engineering is the general term for the various attempts to manipulate people in order to take down a system. During this attack, the cyber-criminals send messages that appear to come from a trusted person or entity. Phishing links are used to manipulate the user, and if the user clicks or opens such a malicious link, the attackers gain the power to control the system.
What is a Malware attack?
Malware is a term used to refer to all types of malicious software designed to exploit or harm any programmable device, network, or service. Cyber-criminals use it for data extraction. This data could be financial data, healthcare data, or even personal data such as emails, credit card numbers, passwords, etc.
What is DoS?
DoS (Denial-of-Service attack) is a type of cyber-attack used to interrupt the normal functioning of a device. A DoS attack is carried out by overwhelming or flooding a targeted device with so many requests that the machine can no longer perform its normal function.
A distributed denial-of-service (DDoS) attack is a type of DoS attack.
How does a DoS attack work?
The main focus of a DoS attack is to exhaust the capacity of a targeted machine.
DoS attacks are typically classified into two categories:
- Buffer overflow attacks
- Flood attacks
Buffer overflow attacks
It is a type of attack that causes the machine to consume all the resources it has, such as hard disk space, CPU, memory, etc. This leads to sluggish system behavior, crashes, other erratic server behavior, etc.
Flood attacks
A malicious actor can oversaturate server capacity by flooding a targeted server with an immense number of packets, resulting in a denial of service. The malicious actor must have more available bandwidth than the target in order for most DoS flood attacks to succeed.
List of Cyber Security Attacks
Major cyber-attacks faced by various PLC companies
Here we discuss various cyber-attacks faced by PLC manufacturers.
Attacks faced by Allen Bradley
Allen Bradley is a factory automation equipment manufacturer from the USA. The cyber-attacks and vulnerabilities faced by Allen Bradley are:
- LogicLocker
- CVE-2017-7898
- CVE-2017-7903
- CVE-2016-5645
LogicLocker
It is a cross-vendor ransomware worm that mainly affects Allen Bradley's MicroLogix 1400 PLC. The malware targets water treatment plants. Using this ransomware, attackers could show false readings, shut valves, or change chlorine release to poisonous levels. As of 2017, around 1400 PLCs were affected by this ransomware.
LogicLocker attack style
This attack employs the following five stages:
- Initial infection
- Horizontal and Vertical movement
- Locking
- Encryption
- Negotiation
Initial infection:
Initial infection takes place by sending an email attachment that contains malicious data. When an employee opens or clicks this attachment, the attackers gain control of the system.
Horizontal and Vertical movement:
Depending on the capabilities of the PLC, horizontal or vertical movement from the PLC to the corporate network can be accomplished.
Locking:
The next stage of the attack is referred to as Locking. As the name implies, the attackers prevent authorized users from accessing the device. Attackers can achieve this by various methods such as changing passwords, OEM locking, changing the IP address/ports of the PLC, etc.
Encryption:
After the locking stage, the cybercriminals encrypt the data with secret keys. Once encrypted, authorized/legitimate users can no longer see or access the data in the system; it can be accessed again only after the decryption key is provided.
Negotiation:
This step is carried out between the attacker and the victim in order to restore service. Some PLCs, like the MicroLogix 1400 PLC used in the proof-of-concept attack, include an email capability that can be exploited to transmit the ransom message.
CVE-2017-7898:
This is considered one of the worst vulnerabilities ever faced by Allen-Bradley's systems. Due to this bug, anyone can access the system even by entering a wrong password. This helps attackers get past the login page of the web server and enables brute force attacks.
CVE-2017-7903
The CVE-2017-7903 flaw occurred because the developer protected the web interface with a numeric password of a very short maximum length. Users cannot create alphanumeric passwords because of this restriction. The requirement for a weak password makes brute-force attacks considerably easier to launch.
CVE-2016-5645
Cisco Talos has issued a security advisory on the vulnerability, which is labeled CVE-2016-5645. Malicious actors can take complete control of the devices because of this flaw. In Europe, Asia, and the United States, these logic controllers are used in a variety of vital sectors. Manufacturing companies, water, wastewater, and chemical plants are all impacted, and the problem's consequences could be catastrophic. The root of the problem is an undocumented SNMP (Simple Network Management Protocol) community string in the devices' default configuration.
Affected versions:
Versions 1766-L32BWA, 1766-AWA, 1766-L32BXB, 1766-BWAA, 1766-L32AWAA, and 1766-L32BXBA of the MicroLogix 1400 PLC system are vulnerable, according to Rockwell.
Attacks faced by Schneider Electric
Schneider Electric is a French multinational PLC manufacturer. It serves homes, buildings, data centers, industries, etc. Here we look at various attacks faced by the French company.
Attacks faced by Schneider Electric are:
- Triton
- LogicLocker
Triton
This attack took place in 2017 and brought the plant to a halt. Fortunately, the plant operator stopped the hackers before they could do something really bad. This malware lets hackers take over control of the plant remotely. The consequences would have been terrible if the intruders had disabled or tampered with the equipment.
LogicLocker
It is a cross-vendor ransomware worm that affects various Schneider models such as the Modicon M241 and M221. The malware targets water treatment plants. As of 2017, around 1400 PLCs were affected by this ransomware.
Attacks faced by Siemens PLC
Siemens is a German industrial manufacturing company. The attacks faced by the German multinational conglomerate are:
- Stuxnet
- CVE-2014-8551
Stuxnet
Stuxnet is computer malware designed to attack the nuclear facilities of Iran. It was first reported in 2010. It is referred to as the first malware capable of crippling hardware. Stuxnet targets Siemens' supervisory control and data acquisition (SCADA) systems.
CVE-2014-8551
The Department of Homeland Security's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) has issued a warning about two vulnerabilities in Siemens' WinCC application, which is popular in industrial facilities such as chemical plants.
Other Siemens software that uses WinCC is affected by the flaws, including SIMATIC PCS7 and TIA Portal, two independent Siemens SCADA products.
Attacks faced by Omron PLC
Omron Corporation is an electronics manufacturing company headquartered in Kyoto, Japan. Omron was founded in 1933.
Various cyber-attacks faced by Omron are:
- Authentication Bypass by Capture-replay
- Improper Restriction of Excessive Authentication Attempts
Authentication Bypass by Capture-replay
EUVDB-ID: #VU23585
It is a high-risk security issue faced by Omron. The security flaw allows an attacker to bypass authentication on the target system remotely.
The vulnerability exists in the FINS communication packets exchanged between a controller and a PLC. These packets can be monitored, and there is a chance of a cyber-attack using captured commands. An attacker can open or close the industrial valves of a factory by exploiting this error, even remotely.
Vulnerable software versions
Omron PLC CS series: All versions
Omron PLC CJ series: All versions
Improper Restriction of Excessive Authentication Attempts
EUVDB-ID: #VU23583
It is a medium-risk vulnerability. By exploiting it, a remote attacker can gain access to the system.
This vulnerability exists in the FTP function. It is due to the affected software not taking adequate precautions to prevent multiple failed authentication attempts in a short period of time. By exploiting this vulnerability, a cyber-criminal can carry out brute-force authentication attacks and gain access to the target system.
Affected Versions: Omron PLC NJ series: All versions
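The weakness described for CVE-2017-7903 above and for the FTP function here is the same one: nothing limits how many failed logins one source may attempt within a short window. The following Python is an added defender-side example, not Omron's or Rockwell's code, that counts failures per source in a sliding window and flags brute-force activity in constructed sample log lines; the threshold, window length, and log format are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy: flag a source after MAX_FAILURES failed logins within WINDOW.
# These values are assumptions for illustration, not from any vendor advisory.
MAX_FAILURES = 5
WINDOW = timedelta(seconds=60)


class FailedLoginTracker:
    """Sliding-window counter of failed authentication attempts per source."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # source -> timestamps of failures

    def record_failure(self, source, when):
        """Record one failed attempt; return True if the source is now over the limit."""
        q = self._failures[source]
        q.append(when)
        while q and when - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q) >= self.max_failures

    def record_success(self, source):
        """A successful login clears the counter for that source."""
        self._failures.pop(source, None)


# Constructed sample log in a simple "<timestamp> <source> <service> <result>" form.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.7 ftp FAIL
2024-05-01T10:00:02 10.0.0.7 ftp FAIL
2024-05-01T10:00:03 10.0.0.7 ftp FAIL
2024-05-01T10:00:05 10.0.0.7 ftp FAIL
2024-05-01T10:00:06 10.0.0.7 ftp FAIL
2024-05-01T10:00:08 10.0.0.7 ftp FAIL
2024-05-01T10:00:09 10.0.0.42 http FAIL
2024-05-01T10:03:00 10.0.0.42 http OK
"""


def detect_bruteforce(log_text, tracker=None):
    """Return the set of (source, service) pairs that exceeded the failure limit."""
    tracker = tracker or FailedLoginTracker()
    flagged = set()
    for line in log_text.splitlines():
        ts, source, service, result = line.split()
        key = (source, service)
        if result == "FAIL":
            if tracker.record_failure(key, datetime.fromisoformat(ts)):
                flagged.add(key)
        else:
            tracker.record_success(key)
    return flagged
```

The same tracker can sit in front of the login handler itself and refuse further attempts once `record_failure` returns True, which is the missing restriction the advisory describes.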
Attacks faced by Honeywell
Honeywell, a manufacturer of aerospace and energy equipment, was reportedly subjected to a cyber-attack in the form of a malware intrusion, which disrupted some of its information technology systems.
Cyber-attacks faced by Honeywell are:
- Arbitrary file upload
- Downstream Component
- Path Traversal
Arbitrary file upload
EUVDB-ID: #VU57088
It is a very high-risk vulnerability. By exploiting it, a remote attacker can gain access to the system.
This vulnerability is caused by insufficient validation of files during upload. Through this flaw, an attacker can upload a malicious file, execute it on the server, and take control of the entire device.
Downstream Component
This vulnerability is called Improper Neutralization of Special Elements in Output Used by a Downstream Component.
EUVDB-ID: #VU57089
It is also a high-risk vulnerability. The vulnerability exists because special elements in the output are not properly neutralized. A remote attacker has the ability to execute arbitrary code on the target system.
By exploiting this flaw, an attacker can successfully take the control of the entire system.
Path Traversal
EUVDB-ID: #VU57090
This flaw occurs because of an input validation error while processing directory traversal sequences. An attacker can send specially crafted HTTP requests and read arbitrary files on the system.
Vulnerable software versions
Experion Process Knowledge System C200: All versions
Experion Process Knowledge System C200E: All versions
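The standard defence against the path traversal class of flaw described above is to resolve the requested path and then verify that it still lies inside the one directory the server is allowed to serve from. The following Python is an added example, not Honeywell's code; the base directory and request paths are constructed for illustration.

```python
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would escape the allowed base directory."""


def resolve_under_base(base_dir, requested):
    """Map the path component of an HTTP request onto a file inside base_dir.

    base_dir: the only directory the server may serve from (constructed here).
    requested: the raw request path, possibly URL-encoded ("%2e%2e/" for "../").
    Raises TraversalError if the resolved path is not inside base_dir.
    """
    base = Path(base_dir).resolve()
    # Decode once, BEFORE the containment check, so "%2e%2e" is seen as "..".
    # A double-encoded "%252e" decodes to the literal name "%2e", which stays
    # inside base; decode again only if a downstream component would.
    decoded = unquote(requested)
    # Treat the request as relative to base even if it starts with a slash.
    candidate = (base / decoded.lstrip("/\\")).resolve()
    # resolve() normalises ".." segments and follows symlinks, so the check
    # catches both textual traversal and links that point outside base.
    if candidate != base and base not in candidate.parents:
        raise TraversalError(f"request {requested!r} escapes {base}")
    return candidate


def is_safe_request(base_dir, requested):
    """True if the request resolves inside base_dir, False if it would traverse out."""
    try:
        resolve_under_base(base_dir, requested)
        return True
    except TraversalError:
        return False
```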