Cybersecurity , Remote Access

Embedded PLC Web Servers a Vector to New Class of OT Malware

Web PLC Malware Holds Potential for Catastrophic Incidents
Embedded PLC Web Servers a Vector to New Class of OT Malware
This is very convenient - and potentially very dangerous. (Image: Shutterstock)

Fusty and fussy operational technology devices are probably the farthest things away from a web server. Except - not anymore.

See Also: Protocol Isolation: The Key to Securing OT Environments

Programmable logic controllers - digital devices that control the operation of physical processes in settings such as factories and the electrical grid - once relied on serial communication protocols, but they now contain embedded web servers. The upside is convenience, since administrators can configure application programming interfaces to control operations and enable browser-based control.

Out are clunky human-machine interface clients configured with knotty proprietary software; in are flat screens and touch-enabled control.

The problem is that web servers embedded into industrial firmware are also a potential bonanza for hackers, said researchers from the Georgia Institute of Technology. In a paper that outlines how attackers could leave Stuxnet in the dirt by exploiting web-based PLC malware, they said hackers could falsify sensor readings, disable safety alarms and manipulate physical actuators. Hackers could cause catastrophic incidents including loss of life.

Every major PLC vendor - together they control 80% of global market share - now produces a PLC vulnerable to web-based malware, the researchers say. The convenience of operational technology firmware embedded with a web server "has transformed the ICS ecosystem in profound and irreversible ways."

Malware for operational technology is nothing new. Stuxnet, easily the most famous malware ever launched against an industrial system, is more than a decade old. But previous generations of ICS malware had to abide by the strict hardware requirements of the real-time operating systems they sought to corrupt.

Throw a web server into the mix, and that changes. Web PLC malware ultimately is executed in the browser-equipped device used to interact with the firmware, not on the PLC itself.

Nation-states are likely taking notes. OT security-focused firm Dragos has identified 21 unique, active cyberthreat groups that are OT-specific, meaning they either develop malicious code specifically for OT environments or they focus on targeting organizations with OT environments (see: Defending Operational Technology Environments: Basics Matter).

State-sponsored Chinese and Russian hacking groups have invested in hacking critical infrastructure, including a Beijing group tracked as Volt Typhoon that U.S. officials in February said was likely pre-positioning itself to launch destructive attacks. Europe's security agency in 2022 warned that state-backed hacking groups will pay more attention to operational technology as geopolitics influences the cyberthreat landscape.

"There is an entirely new class of PLC malware that's just waiting to happen," said Ryan Pickren, a Georgia Tech doctoral student and lead author of the study. "It gives you full device and physical process control."

A PLC web server can be infected in a number of ways. Many PLC manufacturers allow users to create what they call "user-defined web pages" to generate specialized HMI dashboards. Some companies even sell UWPs - creating an opening for attackers to trick authorized users into installing a Trojan web page. Alternatively, hackers might intercept prebuild elements of a custom HMI dashboard.

The researchers also flagged cross-channel scripting - "an obscure variant of cross-site scripting" - as an attack method. In this type of attack, they said, "the malicious payload is transferred to the web server via a non-web protocol such as SNMP or FTP."

Achieving persistence is "shocking effective" when attackers cache secondary malicious code by taking advantage of an HTML5 feature known as "service worker" that allows JavaScript assets to act as proxies between web browsers and web servers. Service workers run in the background, "detached from any single web page." That means that even if a primary malware payload is completely removed from the PLC device, the cached JavaScript file can re-infect the device.

What attackers could do once they've infected a device is a lot worse than what they could do with traditional PLC malware, the researchers said. Restraints on the previous generation of PLC malware, such as operating within a control logic code sandbox with restricted functionality or on a segregated industrial network with no internet connection, don't apply.

Web PLC malware could use browser cookies to interact with APIs and cause physical damage to machinery. Attackers wouldn't need very much knowledge about the underlying physical processes to wreak havoc, since access to the web-enabled HMI would allow threat actors to simply start turning knobs - virtually.

"This type of casual control is not possible using traditional PLC malware, which requires intimate knowledge of I/O pin configuration and downstream actuator settings. Thus, physical sabotage via WB malware requires significantly less reverse engineering effort and prerequisite intelligence compared to existing strategies," the researchers said.

Attackers could also abuse admin settings for further compromise and exfiltrate data for industrial espionage.

"The old-school idea of Homer Simpson in a control room has now turned into a website where you have little web visualizations," Pickren said. "You can imagine a worker walking around the facility with an iPad or a control room with Google Chrome open."


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ot.today, you agree to our use of cookies.