PLC Security

After reminding everyone of the Sept 18th deadline for the S4 Call For Papers earlier today, I thought it would be a good time to provide some details on the Digital Bond paper that will be presented at S4. We are calling Project Basecamp. The Basecamp presentation will cover the summary results across all of the tested PLC’s, and then the successful and unsuccessful attack methodologies, the most common vulnerabilities, and the most serious vulnerabilities.

The purpose of Project Basecamp is to assess the security of a set of popular industrial control system (ICS) field devices with an Ethernet interface for a common set of vulnerabilities. A field device is typically a PLC, RTU, IED or communication gateway.


The recent Stuxnet and Beresford vulnerabilities have shown that Siemens S7 PLC has serious security vulnerabilities. The communication protocol for both operation and programming can be compromised. The PLC failed when sent malformed packets. A debugging backdoor and Easter egg were found indicating a poor security development lifecycle.

Some in the ICS security community have said this is unfair to Siemens and that all field devices have similar security problems. Project Basecamp will test that hypothesis and raise awareness of the significance and impact of the problem if the hypothesis is true.

Digital Bond will provide a team of skilled in ICS and IT security professionals with a PLC to assess, coordinate the results, and present them in a paper at S4. We will perform testing on at least two of the devices internally.

PLC’s To Be Tested

The identity of the PLC’s and other field devices will not be revealed to the public until the paper is presented at S4 in January 2012. At least six devices will be included in Project Basecamp. These six devices are popular, widely deployed devices. We will include the Siemens S7 series in the paper as a comparison, although no new work will be done on this device.

Test Categories

Basecamp has identified eight PLC vulnerability categories for each researcher to pursue, and each researcher is committing to spending at least 40 hours attacking the device. Of course, the researcher is free to pursue other avenues, and if another attack category is identified it will be added. For example, if an attacker finds a new attack methodology we may ask the other researchers to attempt it on their assigned PLC.

The time tracking is key because we want to include that as well as the cost and skill set of the researcher in the paper to help define the resources required to develop an attack.

S4 Paper and Presentation

The S4 presentation will actually be a two-part presentation. Part I will cover the project methodology and summary results. Part II will cover the most successful and most innovative attacks with demonstrations and details. We will avoid the flashing lights for the S4 audience, but focus more on how the device is altered internally.

It is an exciting project, and we already have Digital Bond and two outside researchers on it. We will announce the entire Basecamp team on October 3rd.