Reid presented the latest from Project Basecamp yesterday, what he called Camp 4, at AppSec DC. He has done great work in a short amount of time, between the paying projects and I suspect often on nights and weekends. I didn’t want to step on his blog article yesterday, but I’ve got a lot to say on the release — particularly on the modicon_stux_transfer Metasploit module.
The modicon_stux_transfer module allows you to show a Stuxnet-type attack on a Modicon Quantum PLC in two steps:
1. Anyone with logical access can download the existing ladder logic / program on the PLC.
The Stuxnet creators had full knowledge of the process at Natanz. They may have had an inside source who gave it to them, but an attacker can also download the existing program from the PLC. It then depends on how much time and process engineering and domain talent they have to modify the ladder logic. Obviously the Stuxnet team had a lot of talent and time (see Ralph Langner’s S4 video), but an attacker could choose a much more blunt instrument approach.
A sophisticated attacker would probably take the ladder logic downloaded from a Quantum PLC, load it in their own copy of Unity and modify it. An attacker who only wanted to make things stop working could simply upload nonsense or blank ladder logic.
2. Anyone with logical access can upload their own rogue ladder logic / program to the PLC to replace the legitimate program.
This is where the module is identical to the Stuxnet end game in that it loads rogue ladder logic to the PLC – the Siemens S7 PLC in Stuxnet, the Modicon Quantum for the new Metasploit module.
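The two steps above are possible because the PLC accepts program transfers from any host that can reach it. Until vendors add authentication, the one thing an owner/operator can do today is watch for those transfers on the network. The following is an added example, not code from the post or from the Metasploit module: a small Modbus/TCP parser that flags Unity management traffic reaching a Modicon PLC from anything other than the known engineering workstations. It relies on the fact (not stated in the post) that Unity carries its UMAS program and management requests inside Modbus function code 90 (0x5A); the host addresses and the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# Modbus function code 90 (0x5A) encapsulates Schneider's UMAS protocol, which Unity
# uses for program upload/download and other PLC management (start/stop, etc.).
UMAS_FUNCTION_CODE = 0x5A


@dataclass
class ModbusFrame:
    src: str             # source IP of the request (constructed strings in the sample)
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(src: str, payload: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus/TCP request (MBAP header + PDU). Returns None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:                 # Modbus/TCP protocol identifier is always 0
        return None
    if length != len(payload) - 6:    # MBAP length counts unit id + PDU bytes
        return None
    return ModbusFrame(src, tid, unit, payload[7], payload[8:])


def build_frame(tid: int, unit: int, function_code: int, data: bytes) -> bytes:
    """Constructed helper to produce well-formed Modbus/TCP requests for the sample."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([function_code]) + data


def flag_program_transfers(frames: List[Optional[ModbusFrame]],
                           engineering_hosts: Set[str]) -> List[str]:
    """Alert on UMAS (FC 90) traffic that does not come from an approved engineering host.

    Ordinary process traffic (reads/writes of coils and registers) is left alone; only the
    function code that carries ladder logic upload/download is allowlisted by source.
    """
    alerts = []
    for frame in frames:
        if frame is None:
            continue
        if frame.function_code == UMAS_FUNCTION_CODE and frame.src not in engineering_hosts:
            alerts.append(
                f"{frame.src}: UMAS management request (FC 90) from non-engineering host, "
                f"tid={frame.transaction_id} unit={frame.unit_id} len={len(frame.data)}"
            )
    return alerts


# Constructed sample traffic: an HMI polling registers, the engineering workstation
# talking to Unity, and an unexpected host sending the same kind of request.
ENGINEERING_HOSTS = {"10.0.0.10"}
SAMPLE_TRAFFIC = [
    ("10.0.0.20", build_frame(1, 1, 0x03, b"\x00\x00\x00\x0a")),   # read 10 holding registers
    ("10.0.0.10", build_frame(2, 0, 0x5A, b"\x00\x01\x00")),       # UMAS from engineering host
    ("10.0.0.99", build_frame(3, 0, 0x5A, b"\x00\x01\x00")),       # UMAS from unknown host
    ("10.0.0.99", b"\x00\x04\x00\x01\x00"),                        # truncated junk, ignored
]


def run_sample() -> List[str]:
    frames = [parse_modbus_tcp(src, payload) for src, payload in SAMPLE_TRAFFIC]
    return flag_program_transfers(frames, ENGINEERING_HOSTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The allowlist is by source address, which a compromised engineering workstation or a spoofed host defeats; this is monitoring, not the authentication the post is asking vendors for. Its value is that a ladder logic download or upload from the wrong place becomes a visible event instead of a silent one.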
It is a bit baffling and a failure by all in the ICS community that 571 days have passed since Ralph Langner exposed the PLC attack nature of Stuxnet and there is still almost total inaction on the ladder logic upload/download authentication issue — and by extension the critical command authentication issue. Owner/operators should realize that they have no integrity in their process; no assurance that they actually have control of their SCADA or DCS.
We decided the modicon_stux_transfer module was necessary to show that it is not difficult to upload rogue ladder logic on most PLCs. It took Reid less than 8 hours from packet capture to uploading his own ladder logic on the Modicon Quantum. Writing the Metasploit module, testing, documentation, etc. took more time of course, but it was not a huge investment beyond the $11K to get the product.
Every owner/operator should be asking their vendors how ladder logic upload/download is secured, as well as firmware upload/download and commands that could be used maliciously to affect the availability or integrity of the process. Vendors, you should be able to tell your customers what you are doing to address this, when it will be ready, and what the upgrade process is. A vendor that took security seriously would have the solution ready today, 571 days after a vivid example of the impact of this design vulnerability that has been known for 10+ years.
Part 2 on Monday – Why We Added WAGO to Project Basecamp
Part 3 – The Future of Project Basecamp
Image by Greg Peterson