After hearing about PLCpwn, S4 vet Jake Brodsky over on SCADA Perspective wrote “Only problem: If you have physical access to the network of a PLC or to the PLC itself, you own it. End of story. That’s very unlikely to change.”

While the ICS community still is stuck in the mud dealing with insecure by design protocols, applications and devices, the offensive effort on ICS cyber weapons is ramping up. And we need to start thinking about how these ICS cyber weapons will be created, deployed, used, defended against and detected. This was what ICSage on Friday of S4x14 Week was all about.

A large portion of the threat actors targeting critical infrastructure ICS will simply launch their attack as soon as they gain access. For those threat actors, I agree with Jake that the concept behind PLCpwn is a non-factor.

Now imagine you work for a government that is all excited by Stuxnet. The order comes down that you need to develop the capability to take out selected parts of numerous potential adversaries’ critical infrastructure via a cyber attack. But they only want the capability to do it whenever they give the order. They have no immediate plan to use it, and they may never use it. Many weapons that are developed and staged are never used, so why wouldn’t this be true of ICS cyber weapons?

In this case preparation and persistence are key.

Preparation is necessary to develop the attack code not only to compromise the SCADA or DCS, but also to change the process in the desired manner. Maybe only a short-term outage is required, timed to coincide with a kinetic attack. Perhaps they want hard-to-replace equipment in the process to be damaged so that the system is out for months. The team responsible for the ICS cyber weapon needs to develop and deploy the weapon so that it is ready when the order comes.

You also will want your own communication channel to the ICS cyber weapon. If you rely on the adversary’s network to send the GO signal to launch the attack, it may not be available. Pulling all external connections is part of many organizations’ plans for responding to an increased threat environment. Your tasking on what needs to be done to the process might change, causing you to modify the attack code. The ICS engineers may change the process in a way that requires the attack to change.

There are many reasons why an attacker wants his own communication channel to the ICS network. This second communication channel is the purpose of the PLCpwn proof of concept. Sure, it can attack the PLC it is inserted in, but it is also a rogue computer under the adversary’s control on your network.

Stephen’s demonstration that it took less than 80 hours and a few thousand dollars gets some attention, but this is a non-issue. A true offensive effort is going to develop a slick board that will be much more difficult to distinguish from the real thing. This is a small amount of money and effort for a well-funded and motivated group. It was fortuitous that the NY Times published an article the week of S4x14 on an NSA program for developing its own communication channel to targeted computers.

Now the interesting question is what happens when organizations and governments stumble across one of these deployed attack systems and covert channels?