What are the major cyber-attacks on various Programmable Logic Controller manufacturers?

In the digital era, it is essential that the large and widely distributed networks of industrial plants are protected against cyber-attacks. Unauthorized access to an Industrial Control System (ICS) can lead to physical damage to the process, data theft, monetary loss, or harm to a company's reputation.

What is a cyber-attack on a PLC?

It is an attempt to disable a system, steal data, or stage further attacks by exploiting flaws, bugs or misconfigurations of the system or of the network around it. It can be carried out by various methods such as phishing, malware, ransomware, denial of service (DoS), etc. A PLC is rarely the first thing an attacker touches: the usual route is a compromised engineering workstation or HMI, from which the PLC is then reprogrammed or locked.

What is Phishing?

Phishing is a social engineering attack. Social engineering is the general term for attempts to manipulate people into handing over access or information, rather than breaking the technology itself. In a phishing attack, the criminals send messages that appear to come from a trusted person or organisation. The messages carry malicious links or attachments; if a user clicks the link or opens the attachment, the attacker can harvest credentials or run malware on the user's workstation, which then serves as a foothold into the rest of the network.

What is a Malware attack?

Malware is the collective term for all types of malicious software designed to exploit or harm programmable devices, networks, or services. Cyber-criminals use it, among other things, for data extraction; this data could be financial or healthcare data, or personal data such as emails, credit card numbers, passwords, etc.

What is DoS?

DoS (denial of service) is a type of cyber-attack used to interrupt the normal functioning of a device or service. A DoS attack is typically carried out by overwhelming or flooding the targeted device with more requests than it can handle, until it can no longer perform its normal function.

A distributed denial-of-service (DDoS) attack is a DoS attack launched from many sources at once, which makes it harder to block and gives the attacker far more bandwidth than any single machine would have.

How does a DoS attack work?

The main aim of a DoS attack is to exhaust the capacity of the targeted machine.

DoS attacks are typically classified into 2 categories:

  • Buffer overflow attacks
  • Flood attacks

Buffer overflow attacks

In this context "buffer overflow" means sending more data or traffic to a service than it was built to handle, so that the machine consumes all of some resource (memory, CPU, disk space, connection table) and becomes sluggish, crashes, or behaves unpredictably. A classic memory-corruption buffer overflow can also be used for the same purpose, simply to crash the process. PLCs have little memory and a small network stack, so even modest amounts of malformed or unexpected traffic can stall them.

Flood attacks

A malicious actor can oversaturate a server by flooding it with an immense number of packets, resulting in a denial of service. For most flood attacks to succeed, the attacker must have more available bandwidth than the target, which is why floods are usually distributed (DDoS).


Major cyber-attacks faced by various PLC manufacturers

Here we look at the attacks and published vulnerabilities that have affected the major PLC manufacturers. Most of the entries below are vulnerabilities (weaknesses that could be exploited) rather than attacks that actually took place; the exceptions are Stuxnet, Triton and the Honeywell intrusion, while LogicLocker was a research proof of concept.

Attacks faced by Allen-Bradley

Allen-Bradley is the factory automation brand of Rockwell Automation, USA; the advisories below were issued by Rockwell Automation. The cyber-attacks and vulnerabilities faced by Allen-Bradley are:

  • LogicLocker
  • CVE-2017-7898
  • CVE-2017-7903
  • CVE-2016-5645

LogicLocker

LogicLocker is a cross-vendor ransomware worm built as a proof of concept by researchers at the Georgia Institute of Technology in 2017. It targets Allen-Bradley's MicroLogix 1400 PLC (and Schneider Electric's Modicon M221 and M241, see below). The researchers demonstrated it on a simulated water treatment plant: the compromised PLC could show false readings to operators, open or close valves, and change the chlorine dosing to a poisonous level. The attack was never observed in the wild, but when the researchers searched the Internet in 2017 they found around 1,400 instances of the targeted PLC model directly reachable online.

LogicLocker attack stages

The attack proceeds in the following five stages:

  • Initial infection
  • Horizontal and Vertical movement
  • Locking
  • Encryption
  • Negotiation

Initial infection:

The initial infection can happen in two ways: either the attacker scans the Internet for PLCs that are directly exposed and infects them over the network, or a malicious email attachment is sent to an employee; when the employee opens it, the attacker gains control of that workstation and, from there, of the PLCs it programs.

Horizontal and Vertical movement:

Horizontal movement means spreading from one PLC to other PLCs on the same network; vertical movement means moving from the PLC up into the corporate network. Which of these is possible depends on the capabilities of the PLC, for example whether it can originate network connections itself.

Locking:

Next the attacker locks the legitimate users out of the device. This can be achieved in several ways: changing the device password, enabling the vendor's OEM lock so the program cannot be read back, or changing the IP address and ports the PLC listens on so that the engineering software can no longer find it.

Encryption:

After locking, the attacker encrypts the PLC program (and possibly the operator's copies of it) with a secret key. Legitimate users can no longer read the logic or restore it; it can only be recovered with the attacker's decryption key, which is what the ransom buys. A plant that keeps verified offline backups of its PLC programs can simply reload the device and ignore the ransom, which is why such backups are the main defence.

Negotiation:

Finally the attacker contacts the victim to demand payment in exchange for restoring service. Some PLCs, such as the MicroLogix 1400 used in the proof-of-concept attack, have a built-in email feature that can be abused to send the ransom message from the PLC itself.

CVE-2017-7898:

This is a vulnerability in the web server of the MicroLogix 1100 and 1400 controllers, published by ICS-CERT in 2017. The web server does not limit the number of failed login attempts, so an attacker who can reach the web interface can try passwords indefinitely without being locked out, which makes brute-force attacks straightforward. It is not a bug that accepts a wrong password: the password still has to be guessed, but nothing stops the guessing.

CVE-2017-7903

CVE-2017-7903 concerns the same web interface: its password is purely numeric and has a very short maximum length, and users cannot choose an alphanumeric password. A numeric password of n digits has only 10^n possible values, so combined with the missing lockout above it can be brute-forced in a matter of minutes.

CVE-2016-5645

Cisco Talos discovered this vulnerability in the MicroLogix 1400 and published a security advisory for it in 2016. The root cause is an undocumented SNMP (Simple Network Management Protocol) community string present in the devices' default configuration; anyone who knows it and can reach the controller over the network can use SNMP to change its configuration and take complete control of the device. These controllers are used in manufacturing, water, wastewater and chemical plants in Europe, Asia and the United States, so the consequences of exploitation could be severe. The practical mitigations are to block SNMP (UDP port 161) to the controller at the network boundary and to disable SNMP on the device where the firmware allows it.

Affected versions:

According to Rockwell, the following MicroLogix 1400 models (catalog numbers) are affected: 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA and 1766-L32BXBA.

Attacks faced by Schneider Electric

Schneider Electric is a French multinational that manufactures PLCs and other automation products for homes, buildings, data centres and industry. Here we look at the attacks faced by the French company.

Attacks faced by Schneider Electric are:

  • Triton
  • LogicLocker

Triton

Triton (also called Trisis or HatMan) is malware discovered in 2017 at a petrochemical plant in the Middle East, where it targeted Schneider Electric's Triconex safety instrumented system (SIS), the controller whose job is to shut the process down safely when something goes wrong. The attackers had gained remote access to the engineering workstation and used it to reprogram the safety controllers. A mistake in the attackers' code caused some controllers to fail safe and trip the plant, and the investigation of that unexplained shutdown is what uncovered the intrusion. Had the attackers succeeded in disabling or altering the safety logic, a later process upset could have caused an explosion or a toxic release, which is why Triton is regarded as the first malware built to attack life-safety systems.

LogicLocker

The same proof-of-concept ransomware worm described above under Allen-Bradley also targets Schneider Electric's Modicon M221 and M241 controllers. The demonstration used a simulated water treatment plant; in 2017 the researchers found around 1,400 Internet-exposed instances of one of the targeted PLC models.

Attacks faced by Siemens PLC

Siemens is a German industrial manufacturing company. The attacks and vulnerabilities faced by Siemens PLCs and SCADA software are:

  • Stuxnet
  • CVE-2014-8551

Stuxnet

Stuxnet is a computer worm designed to sabotage Iran's uranium enrichment facility at Natanz. It was discovered in 2010 and is regarded as the first malware known to cause physical damage to equipment. Stuxnet spread between Windows machines and looked for Siemens SIMATIC Step 7 engineering software and WinCC SCADA systems; when it found them, it injected code into the connected S7-300 and S7-400 PLCs that varied the speed of the centrifuge drives while reporting normal values back to the operators.

CVE-2014-8551

The Department of Homeland Security's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) issued an advisory in 2014 about two vulnerabilities in Siemens' WinCC SCADA application, which is widely used in industrial facilities such as chemical plants: CVE-2014-8551 allows unauthenticated remote code execution on the WinCC server, and a second flaw in the same advisory allows a remote attacker to extract arbitrary files from it.

Other Siemens products that embed WinCC are also affected, including SIMATIC PCS 7 (a distributed control system) and the TIA Portal engineering software.

Attacks faced by Omron PLC

Omron Corporation is an electronics manufacturing company headquartered in Kyoto, Japan. Omron was founded in 1933.

Various cyber-attacks faced by Omron are:

  • Authentication Bypass by Capture-replay
  • Improper Restriction of Excessive Authentication Attempts

Authentication Bypass by Capture-replay

EUVDB-ID: #VU23585

A high-risk vulnerability that allows an attacker on the network to bypass authentication on the target controller.

The problem lies in the FINS protocol used for communication between engineering software or HMIs and the PLC: FINS messages, including those that carry the controller's protection password, are sent without encryption or per-session authentication. An attacker who can capture a valid command on the network can therefore replay it later to the PLC, which executes it as if it came from the legitimate station. With replayed or crafted commands an attacker can, for example, open or close industrial valves in a factory, and can do so remotely if the PLC is reachable.

Vulnerable software versions

Omron PLC CS series: All versions

Omron PLC CJ series: All versions
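The following script is an added example, not code from the article or from Omron, of what the capture-replay weakness looks like on the wire and how a network monitor can catch it. It parses FINS/UDP frames from a small constructed capture, flags state-changing commands (memory write, RUN, STOP) that do not come from a trusted engineering station, and flags byte-for-byte replays of an earlier command sent from a different host. The header layout assumed is the standard 10-byte FINS header (ICF, RSV, GCT, DNA, DA1, DA2, SNA, SA1, SA2, SID) followed by the 2-byte command code; the IP addresses, node numbers and packets are invented for the demonstration.

```python
"""Parse FINS/UDP frames from a constructed capture and flag untrusted or
replayed state-changing commands (added example; addresses and packets are
invented, the header layout is the standard FINS/UDP format)."""
import struct
from dataclasses import dataclass

FINS_UDP_PORT = 9600   # default FINS/UDP port on CS/CJ controllers

# (MRC, SRC) command codes from the FINS command set
CMD_NAMES = {
    (0x01, 0x01): "MEMORY AREA READ",
    (0x01, 0x02): "MEMORY AREA WRITE",
    (0x04, 0x01): "RUN",
    (0x04, 0x02): "STOP",
}
# Commands that change controller state and should only come from known stations
STATE_CHANGING = {(0x01, 0x02), (0x04, 0x01), (0x04, 0x02)}


@dataclass(frozen=True)
class FinsFrame:
    icf: int    # information control field: bit 6 = 0 for command, 1 for response
    dna: int
    da1: int    # destination node (the PLC)
    da2: int
    sna: int
    sa1: int    # source node claimed in the frame; nothing authenticates it
    sa2: int
    sid: int    # service ID, pairs a response with its command
    mrc: int
    src: int
    body: bytes

    @property
    def is_command(self) -> bool:
        return (self.icf & 0x40) == 0


def parse_fins(payload: bytes) -> FinsFrame:
    """Split a FINS/UDP payload into header fields and command body."""
    if len(payload) < 12:
        raise ValueError("FINS frame too short")
    icf, _rsv, _gct, dna, da1, da2, sna, sa1, sa2, sid, mrc, src = struct.unpack(
        "!12B", payload[:12])
    return FinsFrame(icf, dna, da1, da2, sna, sa1, sa2, sid, mrc, src, payload[12:])


def analyze(packets, trusted_sources):
    """packets: iterable of (src_ip, dst_port, payload) in capture order.
    Returns a list of (src_ip, reason) alerts."""
    first_seen = {}   # exact payload -> IP that first sent it
    alerts = []
    for src_ip, dst_port, payload in packets:
        if dst_port != FINS_UDP_PORT:
            continue
        try:
            frame = parse_fins(payload)
        except ValueError as exc:
            alerts.append((src_ip, f"malformed FINS frame: {exc}"))
            continue
        if not frame.is_command:
            continue   # responses from the PLC are not of interest here
        name = CMD_NAMES.get((frame.mrc, frame.src), f"command {frame.mrc:02X}{frame.src:02X}")
        origin = first_seen.setdefault(payload, src_ip)
        if origin != src_ip:
            # Same bytes (same SID, same data) from another host: FINS has no
            # freshness check, so the PLC would accept this replay.
            alerts.append((src_ip, f"REPLAY of {name} SID {frame.sid:#04x}, first sent by {origin}"))
        if (frame.mrc, frame.src) in STATE_CHANGING and src_ip not in trusted_sources:
            alerts.append((src_ip, f"untrusted {name} to node {frame.da1}"))
    return alerts


def sample_capture():
    """Constructed traffic: station 10.0.0.10 (node 5) talks to PLC 10.0.0.1 (node 1);
    10.0.0.66 is an attacker who sniffed the write, replays it, then sends STOP."""
    hdr = bytes([0x80, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x05, 0x00])  # command, node 5 -> node 1
    write_d100 = hdr + b"\x2a" + b"\x01\x02" + b"\x82\x00\x64\x00" + b"\x00\x01" + b"\x00\x01"
    read_d100 = hdr + b"\x2c" + b"\x01\x01" + b"\x82\x00\x64\x00" + b"\x00\x0a"
    stop = hdr + b"\x2b" + b"\x04\x02"
    resp = bytes([0xC0, 0x00, 0x02, 0x00, 0x05, 0x00, 0x00, 0x01, 0x00, 0x2a, 0x01, 0x02, 0x00, 0x00])
    return [
        ("10.0.0.10", FINS_UDP_PORT, write_d100),   # legitimate write: D100 = 1
        ("10.0.0.1", 50000, resp),                  # PLC response back to the station
        ("10.0.0.66", FINS_UDP_PORT, write_d100),   # byte-for-byte replay by the attacker
        ("10.0.0.66", FINS_UDP_PORT, stop),         # spoofed node 5, STOP the controller
        ("10.0.0.10", FINS_UDP_PORT, read_d100),    # harmless read
    ]


if __name__ == "__main__":
    for ip, reason in analyze(sample_capture(), trusted_sources={"10.0.0.10"}):
        print(f"{ip}: {reason}")
```

Keying the replay check on the whole payload works because FINS has no nonce or timestamp: a captured command is valid forever. In practice the source-address allowlist is the more important rule, since an attacker can just as easily craft a fresh frame (new SID) as replay an old one; the replay rule mainly catches the lazy case and tooling that resends captured packets verbatim.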

Improper Restriction of Excessive Authentication Attempts

EUVDB-ID: #VU23583

A medium-risk vulnerability that lets a remote attacker gain access to the controller.

It lies in the controller's built-in FTP server, which does not limit the number of failed login attempts within a short period. An attacker can therefore run a brute-force attack against the FTP password and, on success, read or replace files on the controller.

Affected versions: Omron PLC NJ series: All versions
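The Omron FTP issue above and the MicroLogix web server issues (CVE-2017-7898, no limit on failed attempts; CVE-2017-7903, short numeric password) are the same weakness seen from two sides: a small keyspace and nothing that stops an attacker from walking through it. The script below is an added example, not code from the article or from either vendor. It runs a numeric brute force against a toy login check, first with no attempt limit (the vulnerable behaviour) and then with a per-source lockout, using a fake clock so the lockout window can be exercised offline. The 4-digit PIN, the lockout values and the attacker address are invented.

```python
"""Brute-forcing a short numeric password with and without a failed-attempt
limit (added example; PIN length, lockout policy and addresses are invented)."""
import hmac
from dataclasses import dataclass


@dataclass
class FakeClock:
    """Controllable time source so the lockout window can be tested offline."""
    now: float = 0.0

    def tick(self, seconds: float) -> None:
        self.now += seconds


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of passwords of 1..max_len characters over the given alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


class LoginGuard:
    """Password check with per-source failure counting.

    max_failures=None reproduces the vulnerable behaviour (CWE-307): every
    guess is checked, no matter how many have already failed."""

    def __init__(self, password: str, clock: FakeClock,
                 max_failures=5, lockout_seconds: float = 600.0):
        self._password = password
        self._clock = clock
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}       # source -> consecutive failed attempts
        self._locked_until = {}   # source -> time at which the lockout expires

    def attempt(self, source: str, candidate: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self._clock.now
        if self._locked_until.get(source, 0.0) > now:
            return "locked"   # rejected without even checking the password
        if hmac.compare_digest(candidate.encode(), self._password.encode()):
            self._failures.pop(source, None)
            return "ok"
        count = self._failures.get(source, 0) + 1
        self._failures[source] = count
        if self.max_failures is not None and count >= self.max_failures:
            self._locked_until[source] = now + self.lockout_seconds
            self._failures[source] = 0
        return "denied"


def brute_force(guard: LoginGuard, source: str, max_len: int = 4, budget: int = 20000):
    """Try every numeric PIN of 1..max_len digits in order.
    Returns (pin or None, number of attempts made)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for n in range(10 ** length):
            attempts += 1
            pin = f"{n:0{length}d}"
            result = guard.attempt(source, pin)
            if result == "ok":
                return pin, attempts
            if result == "locked" or attempts >= budget:
                return None, attempts
    return None, attempts


if __name__ == "__main__":
    clock = FakeClock()
    print("numeric, up to 4 digits:", keyspace(10, 4), "candidates")
    print("alphanumeric, up to 8 chars:", keyspace(62, 8), "candidates")
    print("no lockout:", brute_force(LoginGuard("7391", clock, max_failures=None), "10.0.0.66"))
    print("5-attempt lockout:", brute_force(LoginGuard("7391", clock), "10.0.0.66"))
```

A per-source lockout is the minimum; an attacker with many source addresses can still spread guesses across them, so a controller should also cap total failed attempts per account and alert on them. On the defensive side, a plant cannot usually patch the controller's password policy, so the compensating control is to keep the web and FTP interfaces off routable networks entirely.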

Attacks faced by Honeywell

Honeywell, a manufacturer of aerospace, building and process-control equipment, was itself reportedly the victim of a malware intrusion that disrupted some of its information technology systems. Separately, the following vulnerabilities were published for its Experion Process Knowledge System (PKS) controllers:

  • Arbitrary file upload
  • Improper Neutralization of Special Elements in Output Used by a Downstream Component
  • Path Traversal

Arbitrary file upload

EUVDB-ID: #VU57088

A critical vulnerability through which a remote attacker can take over the controller.

It arises because uploaded files are not sufficiently validated: neither the file's type nor the location it is written to is checked. An attacker can upload a malicious file, cause the server to execute it, and from there control the whole device.

Improper Neutralization of Special Elements in Output Used by a Downstream Component

EUVDB-ID: #VU57089

Also a high-risk vulnerability. Input is passed on to another component (for example an interpreter or a command line) without neutralising the characters that component treats as special, so a remote attacker can inject content that the downstream component executes as code.

By exploiting this flaw, an attacker can take control of the entire system.

Path Traversal

EUVDB-ID: #VU57090

This flaw is caused by insufficient validation of user input when directory traversal sequences (such as ../) are processed. An attacker can send specially crafted HTTP requests and read arbitrary files on the system.

Vulnerable software versions

Experion Process Knowledge System C200: All versions

Experion Process Knowledge System C200E: All versions
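The two Honeywell web flaws above, the unrestricted upload and the path traversal, both come down to trusting a client-supplied path. The script below is an added example, not Honeywell's code or anything from the article: it shows the naive path concatenation that lets ../ sequences escape the document root, next to a confined resolver that decodes, normalises and then checks that the result still lies under the root, and an upload-name filter that strips directory components and allowlists the extension. The web root, upload directory and allowed extensions are hypothetical; the checks are generic.

```python
"""Naive vs confined handling of a requested file path and an uploaded file
name (added example; the web root and allowed extensions are hypothetical)."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/srv/www"   # hypothetical document root
ALLOWED_UPLOAD_SUFFIXES = {".csv", ".txt", ".png"}


def vulnerable_resolve(root: str, requested: str) -> str:
    """Concatenate the request path onto the root: '../' walks out of the root."""
    return posixpath.normpath(root + "/" + unquote(requested))


def safe_resolve(root: str, requested: str) -> str:
    """Decode, normalise, then require the result to still lie under root."""
    decoded = unquote(requested).replace("\\", "/")   # treat Windows separators as '/'
    if "\x00" in decoded:
        raise PermissionError("NUL byte in requested path")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # commonpath compares path components, so /srv/www2 is not mistaken for /srv/www
    if posixpath.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes {root}: {requested!r}")
    return candidate


def is_confined(root: str, requested: str) -> bool:
    """True if safe_resolve would serve the request, False if it rejects it."""
    try:
        safe_resolve(root, requested)
        return True
    except PermissionError:
        return False


def safe_upload_name(filename: str):
    """Return a storage name for an uploaded file, or None if it must be rejected."""
    name = posixpath.basename(filename.replace("\\", "/"))   # drop any directory part
    stem, suffix = posixpath.splitext(name)
    if not stem or stem.startswith(".") or suffix.lower() not in ALLOWED_UPLOAD_SUFFIXES:
        return None
    # Only a conservative character set survives; inner dots become '_' so that
    # 'shell.jsp.png' cannot be served as a .jsp by a lenient handler.
    clean = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64]
    return clean + suffix.lower()


if __name__ == "__main__":
    for req in ("reports/q3.csv", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd"):
        print(f"{req!r:30} naive -> {vulnerable_resolve(WEB_ROOT, req):24} "
              f"confined? {is_confined(WEB_ROOT, req)}")
    for name in ("Q3 report (final).csv", "../../cgi-bin/shell.jsp", "shell.jsp.png"):
        print(f"{name!r:30} -> {safe_upload_name(name)}")
```

The confinement check is done lexically with posixpath so it runs the same on any platform; on a real server you would additionally resolve symlinks (for example with os.path.realpath) before comparing, since a symlink inside the root can point outside it. Checking the extension is not enough on its own for uploads: the upload directory should also be one the web server will never execute from, and the stored name should never be the client's choice of directory.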

Could you make an article about ransomware? Is it applicable to Industrial Automation, PLC Programming, SCADA & PID Control Systems?