Security researchers from Germany have created a proof-of-concept malware that can hijack the systems used to automate crucial processes in critical infrastructure such as power plants without needing to first infect a computer to get to those systems.
Ralf Spenneberg and Maik Brüggeman, of security consultancy OpenSource Security Ralf Spenneberg have demonstrated a new malware that can spread like a cancer between default Siemens programmable logic controller (PLC) S7 1200 systems, causing havoc to important processes as well as making it incredibly difficult to detect and stop.
"Our worm is the first that can propagate through Siemens PLCs without support from PCs or any other system. Imagine a PLC is intercepted on the way to your plant, or by the vendor; there is little you could do to detect this and it would quickly spread throughout your plant," Spenneberg told The Register.
"We can create a denial of service, killing infected PLCs ... imagine this happening to a major plant."
A PLC is a type of digital computer armoured against severe weather conditions that is used to automate industrial electromechanical processes in power plants, water treatment facilities and even factories to make sure everything functions as it should, from the level of chemicals in water to the temperature of the furnaces used to convert coal to electricity, for example.
PLCs are crucial control systems
Prior to the 1990s, PLCs used programs that were stored on cassette tape cartridges, but today, PLCS are programmed using software on desktop PCs, and so hackers who want to hijack critical infrastructure have typically created malware that infected a PC, which then spread to the PLC controllers.
One example of this is the infamous Stuxnet worm, which compromised an Iranian power plant and was allegedly built by the US and Israel as a cyberweapon, and the only way to stop it spreading was to remove all infected PCs.
However, the proof-of-concept that the researchers have developed bypasses PCs and directly spreads to one PLC via software, and then spreads from one PLC to another by scanning the network for targets and replicating itself because all the PLCs come with Ethernet ports and are able to communicate with each other via IP address.
When the researchers set up a test power plant, they were able to successfully demonstrate and show that the worm could hop between various PLCs, causing LED lights to blink and then flicker out, all within the maximum cycle time of 150 milliseconds.
Their research, entitled "PLC-Blaster: A Worm Living Solely in the PLC" was first presented at the Black Hat Asia 2016 conference from 29 March to 1 April.