Slashdot Mirror
Researchers Create An Undetectable Rootkit That Targets Industrial Equipment (bleepingcomputer.com)
An anonymous reader quotes Bleeping Computer: "Two researchers presenting at the Black Hat Europe security conference in London revealed a method of infecting industrial equipment with an undetectable rootkit component that can wreak havoc and disrupt the normal operations of critical infrastructure all over the world. The attack targets PLCs (Programmable Logic Controllers), devices that sit between normal computers that run industrial monitoring software and the actual industrial equipment, such as motors, valves, sensors, breakers, alarms, and others."
Researchers say they packed their attack as a loadable kernel module [PDF], which makes it both undetectable and reboot persistent. The attack goes after PLC pin configurations, meaning the PLC won't be able to tell which are the actual input and output pins, allowing the attacker full-control to make up bogus sensor data, send fake commands, or block legitimate ones.
The researchers acknowledge that the attack is extremely complicated, but the article argues it would still be of interest to a state-sponsored actor.
Researchers say they packed their attack as a loadable kernel module [PDF], which makes it both undetectable and reboot persistent. The attack goes after PLC pin configurations, meaning the PLC won't be able to tell which are the actual input and output pins, allowing the attacker full-control to make up bogus sensor data, send fake commands, or block legitimate ones.
The researchers acknowledge that the attack is extremely complicated, but the article argues it would still be of interest to a state-sponsored actor.
Some of us are old enough to remember PLC that worked fine by themselves, not needing to be hooked to any other "computer". Maybe we need to start thinking about making things simpler again, where it makes sense, for reasons of security, robustness and even longer life of the equipment.
But LKM are a known security risk, and can be turned off in Linux.
True... but the purchaser of (say) a CNC grinder or a motion control system or a 50 port temperature sensor or whatever other exotic industrial equipment you can dream up is NOT a Linux user. A good CNC operator will do things that makes your head spin but not have the faintest idea about network security. All they care about is plugging in the power and the network cable and uploading designs from Autocad.
At some point, anyone bent on malicious programming _wants_ to be detected -- when the payload does whatever malice intended. Before then, it wants to hide. Loadable kernel modules are a good way to hide, but not perfect. It might be detected by network activity (gotta love those lights) or power consumption (machine not sleeping). Both AFAIK still major detection mechanisms for all intrustions.
Industrial equipment is expected to run differently to a computer. The guys on the shop floor don't give a rats about clean shutdowns etc; they turn the power off. Your average shopfloor person sees the flashing lights on a PLC and doesn't understand what they see (unless it's an error condition they have been trained for).
You raise valid points... but consider where industrial equipment runs, and who runs it.