PLC-BLASTER: A WORM LIVING SOLELY IN THE PLC presented at BlackHatAsia 2016

by Ralf Spenneberg, Hendrik Schwartke, Maik Brueggemann,

Summary : We will present and demonstrate the first PLC only worm. Our PLC worm will scan and compromise Siemens Simatic S7-1200 PLCs Version 1 through 3 without any external support. No PCs or additional hardware is required. The worm is fully self-contained and "lives" only on the PLC. Siemens S7-1200 PLCs offer different protection features. The access protection prevents the worm from compromising the the PLC. To our knowledge, this is the first time such a worm is publicly shown.
The Siemens Simatic PLCs are managed using a proprietary Siemens protocol. Using this protocol, the PLC may be stopped, started and diagnostic information may be read. Futhermore, this protocol is used to upload and download user programs to the PLC. The older S7-300 and S7-400 PLCs are supported by several OpenSource solutions, like snap7, supporting the protocols used on these older PLCs. These solutions have already been used to misuse PLCs for attacking purposes (Klick and Lau, Black Hat USA 2015). With the introduction of the S7-1200 the protocol has been replaced by a new version not yet publicly analyzed. We inspected the protocol based on the S7-1200v3 and implemented the protocol by ourselves in our ICShell. We are now able to install and extract any user program on these PLCs. These newest extensions to the ICShell have not been published yet.
Based on this work, we developed a PLC program which scans a local network for other S7-1200 PLCs. Once these are found the program compromises these PLCs by uploading itself to these devices. The already installed user software is not removed and still running on the PLC. Our malware attaches itself to the original software and runs in parallel to the original user program. The operator does not notice any changed behavior. We developed the first PLC only worm.
The worm is only written using the programming language SCL and does not need any additional support. For the remote administration of the compromised PLCs, we implemented a Command,Control (C,C) server. Infected PLCs automatically contact the C,C server and may be remotely controlled using this connection. Using this connection, we can manipulate any physical input or output of the PLC. An additional proxy function enables us to access any additional system using a tunnel. Lastly, the Stop mode may be initiated through the C,C connection requiring a cold restart of the PLC by disconnecting the power supply to recover. We will demonstrate the attack during our talk.
Our worm prevents its detection and analysis. If the operator connects to the PLC using the programming software TIA Portal 11, the operator may notice unnamed additional function blocks. But, when accessing these blocks the TIA Portal crashes preventing the forensic analysis.
The infection of the PLC takes roughly 10 seconds. While the infection is in progress the PLC is in Stop mode. As soon as the infection has succeeded, the PLC undergoes a warm restart and the worm is running additionally to to the original user program.
Our worm malware requires 38,5kb RAM and 216,6kb persistent memory. If the PLC does not offer the memory required by the original user software including our worm, it may overwrite the original user program. Based on the actually used model of the S7-1200 different setups may be required.
Model:Available RAM (used by worm):Available persistent memory (used by worm)
S7-1211:50kb (77%):1Mb (21%)
S7-1212:75kb (51%):1MB (5 %)
S7-1214:100kb (38%):4MB (5 %)
S7-1215:125kb (30%):4MB (5 %)
S7-1217:150kb (25%):4MB (5 %)
A critical requirement for the execution of a PLC program is the cycle time for one full cycle of the user program. Our malware requires 7ms per cycle. This is just 4.7% of the maximum cycle time configured by default on the PLC models we inspected. The original user program still has plenty of time to run.
By default, all Siemens Simatic S7-1200 v1-3 are susceptible to this attack. The PLC user programs may be uploaded and downloaded without any restriction. The Siemens Simatic PLCs support several protection mechanisms. We will explain these mechanisms and their result on the attack.
Siemens PLCs support several protection features including the access protection. The access protection does prevent the attack we will demonstrate. The access protection is disabled by default.
With the introduction of the S7-1200v4 Siemens introduced again a new protocol. These PLCs are not susceptible to the attack.
While we present an attack via the ethernet interface the installation of the user program can also happen using the field bus interface. Using this interface even PLCs not connected to the ethernet network may be compromised. Once the first PLC is infected using the Ethernet, all other PLCs connected via the same field bus would be compromised as well.
This talk emphasizes the significance of the built in protection features in modern PLCs and their correct deployment by the user.