Last Friday, Siemens published advisory SSA-434534 urging customers running various PLCs to update to the latest software versions. A newly discovered vulnerability, CVE-2020-15782 (CVSS score: 8.1), would allow an attacker to gain read and write access anywhere on the PLC, including deep in its kernel, and to remotely execute malicious code.
OT, ICS and PLCs
The segment of OT related to Industrial Control Systems (ICS) contains numerous devices and protocols but one of its main components is the Programmable Logic Controller (PLC). The PLC is the device responsible for the safe and correct operation of physical processes using all sorts of inputs and outputs like heat sensors, pumps, servos, and other devices.
As a market leader, Siemens PLCs are regularly targeted by attackers. Historical examples include Stuxnet in 2010, which achieved user-level code execution on the SIMATIC S7-300 and S7-400. That issue was resolved by applying both Microsoft OS updates and Siemens product updates.
About a decade later, the Rogue7 attack was able to hide code in user memory and inject any messages favorable to an attacker; Siemens issued SSA-232418 to provide mitigations. In 2019, Armis researchers disclosed 11 zero-day vulnerabilities (URGENT/11) in IPnet, a third-party network communication stack embedded in the VxWorks RTOS, which also affected PLCs, including Siemens models, running the impacted software.
Memory Protection Bypass
Today’s remote attack represents another step forward and allowed Claroty to gain native code execution on Siemens S7 PLCs. Their attack targets the deep kernel and avoids detection by the operating system or diagnosis software because they were able to escape the user sandbox and write shellcode into protected memory regions. This is of course the ultimate goal for hackers.
Armis Line of Defense
Monitoring the integrity of PLC programs and detecting whether the program state has changed is often difficult to do. In a traditional enterprise environment, you can deploy security agents to monitor changes to processes, memory, and files. You can’t do this with PLCs due to resource limitations and limited or specialized functionality. Most built-in “security protections” on PLCs are also largely ineffective and easily bypassed.
A better method is to monitor commands sent to your PLCs using a network-based monitoring solution such as Armis. Some of the relevant commands we monitor include:
- PLC Configuration Change
- PLC Error
- PLC Firmware Change
- PLC Hardware Change
- PLC Mode Change
- PLC Reset
- PLC Started
- PLC Stopped
Organizations will want to monitor PLC device behavior, looking for anomalies. If an attacker somehow does penetrate your line of defense, the goal is to detect behavior that is out of the norm for that device. Below is an example of what an abnormal behavior policy may look like within Armis:
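The Armis policy screenshot is not reproduced here. As an added, illustrative example (not Armis product code or policy syntax), the Python below applies the same two ideas to the event types listed above: a fixed policy for sensitive commands (firmware/configuration changes and resets must come from an assumed engineering host inside an assumed maintenance window) and a per-device baseline that flags any command/source pairing the PLC has never been seen to receive. All hosts, PLC names and events are constructed sample data.

```python
from datetime import datetime

# Commands that should only ever originate from engineering hosts in a maintenance window.
SENSITIVE = {"PLC Firmware Change", "PLC Configuration Change", "PLC Reset"}
ENGINEERING_HOSTS = {"10.0.1.5"}          # assumed engineering workstation (constructed)
MAINTENANCE_WINDOW = (8, 18)              # assumed local hours when changes are expected

# Constructed learning-period events: (timestamp, source host, PLC, command).
BASELINE_EVENTS = [
    ("2021-05-10T09:00:00", "10.0.1.5", "PLC-7", "PLC Stopped"),
    ("2021-05-10T09:02:00", "10.0.1.5", "PLC-7", "PLC Configuration Change"),
    ("2021-05-10T09:05:00", "10.0.1.5", "PLC-7", "PLC Started"),
    ("2021-05-11T14:00:00", "10.0.2.9", "PLC-7", "PLC Mode Change"),
]

# Constructed new events to evaluate against policy and baseline.
NEW_EVENTS = [
    ("2021-06-01T10:00:00", "10.0.2.9", "PLC-7", "PLC Mode Change"),              # known pairing
    ("2021-06-01T02:13:00", "10.0.1.5", "PLC-7", "PLC Firmware Change"),          # outside window
    ("2021-06-01T11:30:00", "10.0.9.77", "PLC-7", "PLC Stopped"),                 # unknown source
    ("2021-06-01T11:31:00", "10.0.9.77", "PLC-7", "PLC Configuration Change"),    # unknown source
]


def build_baseline(events):
    """Learn which (PLC, command, source) triples were observed during normal operation."""
    return {(plc, cmd, src) for _, src, plc, cmd in events}


def evaluate(events, baseline):
    """Return (plc, cmd, src, reason) alerts for events that violate policy or baseline."""
    alerts = []
    for ts, src, plc, cmd in events:
        hour = datetime.fromisoformat(ts).hour
        in_window = MAINTENANCE_WINDOW[0] <= hour < MAINTENANCE_WINDOW[1]
        if cmd in SENSITIVE and (src not in ENGINEERING_HOSTS or not in_window):
            alerts.append((plc, cmd, src, "sensitive command outside maintenance policy"))
        elif (plc, cmd, src) not in baseline:
            alerts.append((plc, cmd, src, "command/source pairing not in device baseline"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

Running it produces three alerts: the night-time firmware change, the stop command from an unknown host, and the configuration change from that same host; the mode change matches the learned baseline and is silent.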
Armis provides the best possible defense by monitoring your devices and their communication channels and by proactively looking for clues ahead of any hacker attempts. With the Armis Standard Query language, you can also easily search for vulnerable devices in your environment.