Researcher Ralph Langer says that he will use a presentation at an upcoming security conference in Washington D.C. to demonstrate a crippling attack on Siemens S7 (Step 7) Programmable Logic Controllers using the free Metasploit penetration testing tool.
Writing on his blog, Langner said that the attack he will demonstrate will be similar to one he outlined in July – a generic attack against Siemens S7 Programmable Logic Controllers and modeled after an attack used in the Stuxnet worm. The attack, if successful, could cause industrial machinery controlled by S7 PLCs to “run wild.” It would also lower the bar for attacking industrial control systems, giving low-skilled hackers a point and click attack using Metasploit.
Langner said he will demonstrate the attack on Sept. 20 at the 2011 ICS Cyber Security Conference in Washington, D.C. The show is hosted by Applied Control Solutions (ACS). Langer said the demonstration will leverage a Metasploit module written to automate a small, efficient attack against Siemens S7 systems, and that he described in July. In that post, Langner described an attack that used just four lines of code to freeze a Siemens PLC by causing it to skip the execution of its normal control logic. While freezing a PLC isn’t necessarily a precise attack, it can be carried out with a minimum or knowledge or overhead, because of the unique characteristics of industrial systems that PLCs control.
“The physical process that is controlled by a controller operates in real-time according to the laws of physics. Now if the controller’s electrical outputs are frozen, the mechanical, hydraulical, chemical characteristics of the process don’t freeze too – they simply run wild, out of control. So for example drives continue to rotate, pumps continue to pump through valves that continue to be open – a recipe for creating scrap product and material damage. If this occurs not only at one station (= controller), but at multiple stations simultaneously, it is easy to end up with damage that might take the victim days to recover from,” Langner wrote.
The attack is based on a method used by the Stuxnet authors, who figured out that by affixing attack code as a preamble to the legitimate control logic, meaning the code gets read at the beginning of each controller cycle. The Stuxnet authors figured that they could effectively disable the legitimate code by simply setting a trigger for the code which, when run, would cause the controller to jump back to the beginning of the operation block, skipping (and thereby disabling) any subsequent code, Langner said.
Langner’s wouldn’t be the first Metasploit module to target Siemens products. Three Metasploit modules are available for software made by the company, including two that exploit vulnerabilities on the company’s FactoryLink SCADA platform. In addition, Metasploit is known to be holding on to a number of exploit modules created for the S7 platform by Dillon Beresford of NSS Labs. Those modules are being held under embargo.
Langner did early work analyzing the Stuxnet worm and was among the first to speculate publicly that it was created specifically to target uranium enrichment facilities within Iran. He has subsequently warned governments and the private sector about the dangers posed by similar attacks on vulnerable industrial control systems or even Stuxnet variants.