New "Evil PLC" Attack Weaponizes PLCs to Breach OT and Enterprise Networks

Cybersecurity researchers have elaborated a novel attack technique that weaponizes programmable logic controllers (PLCs) to gain an initial foothold in engineering workstations and subsequently invade the operational technology (OT) networks.

Dubbed “Evil PLC” attack by industrial security firm Claroty, the issue impacts engineering workstation software from Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson.

Programmable logic controllers (PLCs) are a crucial component of industrial devices that control manufacturing processes in critical infrastructure sectors. PLCs, besides orchestrating the automation tasks, are also configured to start and stop processes and generate alarms.

It's hence not surprising that the entrenched access provided by PLCs has made the machines a focus of sophisticated attacks for more than a decade, starting from Stuxnet to PIPEDREAM (aka INCONTROLLER), with the goal of causing physical disruptions.

“These workstation applications are often a bridge between operational technology networks and corporate networks,” Claroty said. “An attacker who is able to compromise and exploit vulnerabilities in an engineering workstation could easily move onto the internal network, move laterally between systems, and gain further access to other PLCs and sensitive systems.”

With the Evil PLC attack, the controller acts as a means to an end, permitting the threat actor to breach a workstation, access all the other PLCs on the network, and even tamper with the controller logic.

Put differently, the idea is to “use the PLC as a pivot point to attack the engineers who program and diagnose it and gain deeper access to the OT network,” the researchers said.

The whole sequence plays out as follows: An opportunistic adversary deliberately induces a malfunction on an internet-exposed PLC, an action that prompts an unsuspecting engineer to connect to the infected PLC using the engineering workstation software as a troubleshooting tool.

In the next phase, the bad actor leverages the previously undiscovered flaws identified in the platforms to execute malicious code on the workstation when an upload operation is performed by the engineer to retrieve a working copy of the existing PLC logic.

“The fact that the PLC stores additional types of data that are used by the engineering software and not the PLC itself” creates a scenario wherein the unused data stored on the PLC can be modified to manipulate the engineering software, the researchers pointed out.

“In most cases, the vulnerabilities exist because the software fully trusted data coming from the PLC without performing extensive security checks.”

In an alternative theoretical attack scenario, the Evil PLC method can also be used as a honeypot to lure threat actors into connecting to a decoy PLC, leading to a compromise of the attacker's machine.

Claroty further called out the absence of security protections in the public-facing industrial control system (ICS) devices, thereby making it easier for threat actors to alter their logic via rogue download procedures.

To mitigate such attacks, it’s recommended to limit physical and network access to PLCs to authorized engineers and operators, enforce authentication mechanisms to validate the engineering station, monitor OT network traffic for anomalous activity, and apply patches in a timely fashion.
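The attack sequence described above (a fault on an exposed PLC, followed by an engineer's upload of its logic, with the logic having been altered beforehand by a rogue download) and the recommendation to monitor OT traffic suggest a simple triage check. The following is an added example, not code from Claroty or the article; the log format, IP addresses, station allowlist and event names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    src: str    # host that initiated the operation
    plc: str    # controller the operation targets
    kind: str   # "fault", "upload" (workstation reads logic back), "download" (logic written to PLC)

# Constructed allowlist of engineering stations (assumption, not from the article).
AUTHORISED_STATIONS = {"10.0.5.10", "10.0.5.11"}
# How soon after a PLC fault an upload is treated as a possible lure.
LURE_WINDOW = timedelta(minutes=30)

def parse_line(line: str) -> Event:
    """Parse one constructed record: '<iso-ts> src=<ip> plc=<ip> op=<kind>'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts), fields["src"], fields["plc"], fields["op"])

def triage(lines):
    """Return (alert, src, plc) tuples for the two Evil PLC precursors."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e.ts)
    last_fault = {}   # plc -> time of its most recent fault
    alerts = []
    for e in events:
        if e.kind == "fault":
            last_fault[e.plc] = e.ts
        elif e.kind == "download" and e.src not in AUTHORISED_STATIONS:
            # Logic written to the PLC by a host that is not an engineering station.
            alerts.append(("unauthorised_download", e.src, e.plc))
        elif e.kind == "upload" and e.src in AUTHORISED_STATIONS:
            # An engineer pulling logic shortly after a fault: the lure step.
            t = last_fault.get(e.plc)
            if t is not None and e.ts - t <= LURE_WINDOW:
                alerts.append(("upload_after_fault", e.src, e.plc))
    return alerts

# Constructed sample records; a fault is logged with the PLC itself as src.
SAMPLE_LOG = [
    "2022-08-15T09:00:00 src=203.0.113.7 plc=10.0.9.20 op=download",
    "2022-08-15T09:05:00 src=10.0.9.20 plc=10.0.9.20 op=fault",
    "2022-08-15T09:12:00 src=10.0.5.10 plc=10.0.9.20 op=upload",
    "2022-08-15T11:00:00 src=10.0.5.11 plc=10.0.9.21 op=upload",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The second alert is only a lead for an analyst (an upload after a fault is normal troubleshooting); the first, a logic write from outside the allowlist, is the condition the authentication recommendation is meant to prevent.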

I have three treasures, which I hold and keep: the first is compassion, the second is frugality, the third is not daring to put myself ahead of the world.

Tao Te Ching, Chapter 67

https://thehackernews.com/2022/08/new-evil-plc-attack-weaponizes-plcs-to.html

My translation skills are limited :(

Where anything is ambiguous, please refer to the original text :)
