Exploiting the security vulnerabilities of industrial PLCs - Embedded.com

There are emerging threats against industrial control systems (ICS) and the protocols on which field devices rely to communicate with control systems across a network.

Protocols such as International Standards Organization Transport Service Access Point (ISO-TSAP, RFC 1006) and others were designed without security in mind. They were intended to be open and reliable, not secure.

In fact, most Programmable Logic Controllers (PLCs) were also built on the assumption that security was unnecessary as long as the device was deployed inside an “air gap” network. However, recent events, such as the widespread dissemination of Stuxnet, have demonstrated that this is not a safe assumption on which to base critical design implementation decisions.

We must consider where these devices are deployed; PLCs are used in power plants (including nuclear), pipelines, oil and gas refineries, hydroelectric dams, water and waste, and weapon systems.

We cannot simply rest idle and wait for something to fail or, worse, explode. We must act now, and we must be diligent in mitigating these issues. ICS vendors together with the help of ICS-CERT should work with independent security researchers to promote responsible disclosure.

In this paper we will discuss various intrusion methods, including reconnaissance, fingerprinting, replay attacks, authentication bypass methods, and remote exploitation, and how these techniques can be used to attack a Siemens Simatic S7 PLC.

We will also demonstrate how an attacker could perform reconnaissance against the PLC and exploit attack scenarios using the Metasploit Framework, as well as how to write your own exploit module to target a PLC.
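Because ISO-TSAP carries no authentication (the protocol point made above), anything that can reach TCP port 102 can open a session with the PLC, which is what the reconnaissance and replay techniques listed here rely on. The only place a defender can see this happening is on the network. The following is an added example, not code from the article or from the Black Hat paper: it parses the RFC 1006 TPKT header and the COTP connection-request TPDU from constructed packet records and flags connection requests to port 102 from hosts that are not on an engineering-station allowlist. The host addresses, the `Packet` record type, the `ENGINEERING_STATIONS` allowlist and the packet byte strings are all constructed for illustration.

```python
"""Flag ISO-TSAP (RFC 1006 / COTP) connection requests from unexpected hosts.

Added example for this summary; not part of the original article or paper.
Assumptions (constructed): the PLC listens on TCP/102, ENGINEERING_STATIONS
is the allowlist of hosts permitted to talk to it, and the packets below are
hand-built byte strings rather than a live capture.
"""
import struct
from dataclasses import dataclass

ISO_TSAP_PORT = 102
TPKT_VERSION = 3
COTP_CR = 0xE0  # Connection Request TPDU code (high nibble 0xE, low nibble = credit)


@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet record: addresses, destination port, TCP payload."""
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_tpkt(payload: bytes):
    """Return the TPKT body (a COTP TPDU), or None if the 4-byte header is malformed."""
    if len(payload) < 4:
        return None
    version, _reserved, length = struct.unpack("!BBH", payload[:4])
    if version != TPKT_VERSION or length < 4 or length > len(payload):
        return None
    return payload[4:length]


def is_cotp_connection_request(tpdu: bytes) -> bool:
    """A COTP TPDU starts with a length indicator (LI) and then the TPDU code byte."""
    if len(tpdu) < 2:
        return False
    li, code = tpdu[0], tpdu[1]
    # CR carries 0xE in the high nibble; LI counts the header bytes after itself.
    return (code & 0xF0) == COTP_CR and li + 1 <= len(tpdu)


def audit(packets, allowlist):
    """Return one alert per COTP connection request to port 102 from a non-allowlisted host."""
    alerts = []
    for p in packets:
        if p.dport != ISO_TSAP_PORT:
            continue
        tpdu = parse_tpkt(p.payload)
        if tpdu is None or not is_cotp_connection_request(tpdu):
            continue
        if p.src not in allowlist:
            alerts.append(f"unauthorised ISO-TSAP connection request {p.src} -> {p.dst}")
    return alerts


# Constructed sample traffic (not a real capture).
COTP_CR_PAYLOAD = bytes.fromhex(
    "03000016"                      # TPKT: version 3, reserved, total length 22
    "11e0" "0000" "0001" "00"       # COTP CR: LI=17, code 0xE0, dst-ref, src-ref, class 0
    "c1020100" "c2020102" "c0010a"  # parameters: src TSAP, dst TSAP, TPDU size
)
COTP_DT_PAYLOAD = bytes.fromhex("03000007" "02f080")  # data TPDU, not a connection request

ENGINEERING_STATIONS = {"10.0.0.5"}  # constructed allowlist
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.10", 102, COTP_CR_PAYLOAD),   # known engineering station
    Packet("10.0.0.77", "10.0.0.10", 102, COTP_CR_PAYLOAD),  # unknown host: should alert
    Packet("10.0.0.77", "10.0.0.10", 102, COTP_DT_PAYLOAD),  # data TPDU without a new CR
    Packet("10.0.0.77", "10.0.0.10", 80, COTP_CR_PAYLOAD),   # not the ISO-TSAP port
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS, ENGINEERING_STATIONS):
        print(line)
```

Only the connection request from the unknown host is reported; later data TPDUs on an established session are deliberately ignored so that the allowlist decision is made once, at session setup, which is also the point at which a firewall rule or network segmentation would have to act.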

We need secure protocols in ICS. The product vendors have the ability to make this a reality. The time has come for experts around the ICS community to come together and make the necessary changes to ensure a safer environment for all those affected.

That means everyone in the world who lives near or works in a factory or a power plant! When vendors misrepresent vulnerability information, their customers cannot properly assess the risk to their operations.

To read this external content in full, download the paper from the Black Hat Conference public archives: https://media.blackhat.com/bh-us-11/Beresford/BH_US11_Beresford_S7_PLCs_WP.pdf
