Georgia Tech researchers warn of Stuxnet-style web-based PLC malware, redefining industrial cybersecurity threats

Researchers from the Georgia Institute of Technology presented a novel approach to developing programmable logic controller (PLC) malware that proves to be more flexible, resilient, and impactful than current strategies. The scheme allows the malware to stealthily attack the underlying real-world machinery using the legitimate web application program interfaces (APIs) exposed by the admin portal website. Such attacks include falsifying sensor readings, disabling safety alarms, and manipulating physical actuators. The research team’s investigation showed their proposed attack would work on PLCs produced by every major manufacturer.

Furthermore, the approach has significant advantages over existing PLC malware techniques (control logic and firmware) such as platform independence, ease of deployment, and higher levels of persistence.

“While previous attacks on PLCs infect either the control logic or firmware portions of PLC computation, our proposed malware exclusively infects the web application hosted by the emerging embedded webservers within the PLCs,” Ryan Pickren, Tohid Shekari, Saman Zonouz, and Raheem Beyah, Georgia Institute of Technology researchers wrote in a paper published last week.

“We think there is an entirely new class of PLC malware that’s just waiting to happen. We’re calling it web-based PLC malware. And it gives you full device and physical process control,” Pickren, a Ph.D. student in the School of Electrical and Computer Engineering (ECE) and the lead author of a new study describing the malware and its implications, said in a media statement. “This has been a neglected attack surface for many years. This paper is going to be the first one where we’re exploring what could an adversary to do with this,” he added.

The researchers also show that the emergence of web technology in industrial control environments has introduced new security concerns that are not present in the IT domain or consumer IoT devices. “Depending on the industrial process being controlled by the PLC, our attack can potentially cause catastrophic incidents or even loss of life. We verified these claims by performing a Stuxnet-style attack using a prototype implementation of this malware on a widely-used PLC model by exploiting zero-day vulnerabilities that we discovered during our research.” 

They added that their investigation reveals that every major PLC vendor (80 percent of global market share) produces a PLC that is vulnerable to proposed attack vectors.

The researchers developed an approach that’s easier to deploy than typical attacks on industrial or infrastructure systems, which usually require some sort of access privileges or on-site presence. It’s difficult to detect, with the ability to wreak havoc and then erase all traces of its presence. And it’s sticky: the malware can resurrect itself if operators discover the malfunctions and reset controllers or even replace hardware.

“We believe this is one of the first attacks at the application layer of PLCs to compromise industrial systems,” said Raheem Beyah, senior author on the study, a professor in ECE, and dean of the College of Engineering. “This is opening a door to new field that hasn’t really been studied yet.”

The cyberattack strategy is the result of a shift in recent years in software and devices used to control and monitor various industrial systems. Instead of a dedicated terminal or control pad running custom software specific to the device, manufacturers have turned to web-based management. Now, devices have embedded web servers. The human-machine interfaces (HMIs) are actually mini web browsers rendering a web page with readouts of the current status and digital visualizations of the controls. The approach means operators can work on the go, using a tablet computer for example, or even keep tabs on the system off-site.

“The old school idea of Homer Simpson in a control room has now turned into a website where you have little web visualizations,” Pickren said. “You can imagine a worker walking around the facility with an iPad or a control room with Google Chrome open.”

Malware designed to exploit these web vulnerabilities is particularly powerful because it doesn’t have to be customized to a specific PLC before it can be deployed, according to Zonouz, associate professor in ECE and the School of Cybersecurity and Privacy and study co-author. 

Pointing out that is a significant advantage over traditional attacks on industrial processes that targeted the PLC device itself or its underlying firmware, the researchers said that the Stuxnet worm that caused centrifuges to fail at an Iranian nuclear enrichment facility starting in 2008, for example, was specifically crafted to work on the PLC those facilities employed. It wouldn’t have been effective against other devices without extensive reconfiguration.

“We don’t have to reverse engineer, like Stuxnet or Triton — another very well-known malware — which required lots of effort to analyze a particular device,” Zonouz said. “This approach is very agnostic of the device and much easier to exploit. And hence, much harder to get rid of.”

Another advantage to the type of malware the team developed is how it functions. Though it’s deployed to the PLC, it actually runs only in the web browsers used to control the PLC’s functions. That upends typical approaches to dealing with malicious software that study the device itself to find anomalies.

The type of attack the researchers described is more than theoretical, too. They developed and tested one approach that deployed the malicious program by simply viewing a banner ad on a web page using an iPad. The malware infected a PLC in the lab connected to a small motor, and the researchers were able to cause the motor to spin at unsafe speeds. Meanwhile, the PLC reported the motor was still operating normally.

Pickren and Zonouz said their test showed how easy, and scary, it could be to infect real-world systems. Say a bad actor bought an ad on a popular help forum for PLC users. As soon as an operator visited the page and the ad loaded, their systems could be compromised.

The team also identified several vulnerabilities in a popular PLC device that they exploited during their testing. They reported those issues to the manufacturer, which verified and patched the problems. 

In their study, the researchers also made several recommendations to protect against web-based PLC malware, including steps browser developers can implement to prevent public access to private networks and webserver architecture changes. They also outlined steps PLC manufacturers can take to harden their devices against this new kind of attack.

“We need to go back and rethink the architectures, the protocols, the deployment that we have in place. How can we make them more secure without getting rid of the interconnectivity, which is a great thing to have,” Zonouz said.

“The internet is a huge attack surface, but everybody uses it and enjoys it. That doesn’t mean we should turn off internet. It means we have to make it more secure. The same thing is true here.”

In conclusion, the researchers said that contrary to popular belief, firmware and control logic are not the only levels of PLCs computation. “Modern PLCs now contain a programmable embedded webserver, where custom client-side JavaScript code uses increasingly powerful APIs to monitor and control physical processes. This environment offers a new, and surprisingly ideal, platform to run PLC malware, which poses an emerging threat to industrial control systems,” they added.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.