Slashdot Mirror


Researchers Create An Undetectable Rootkit That Targets Industrial Equipment (bleepingcomputer.com)

An anonymous reader quotes Bleeping Computer: "Two researchers presenting at the Black Hat Europe security conference in London revealed a method of infecting industrial equipment with an undetectable rootkit component that can wreak havoc and disrupt the normal operations of critical infrastructure all over the world. The attack targets PLCs (Programmable Logic Controllers), devices that sit between normal computers that run industrial monitoring software and the actual industrial equipment, such as motors, valves, sensors, breakers, alarms, and others."

Researchers say they packed their attack as a loadable kernel module [PDF], which makes it both undetectable and persistent across reboots. The attack targets the PLC's pin configuration, so the PLC can no longer tell which pins are its real inputs and outputs; this gives the attacker full control to fabricate sensor data, send fake commands, or block legitimate ones.
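To make the pin-configuration attack concrete from the defender's side, here is an added example (not code from the paper or the article) of an off-device audit: a monitoring host keeps the commissioned pin map and a keyed digest of it, reads back the map the PLC currently reports, and labels each direction flip with the effect the summary describes. The pin names, roles, key and the tampered map are constructed for this example; since the rootkit lives in the device's kernel, the reference copy and the check have to run somewhere the kernel cannot rewrite them.

```python
import hmac
import hashlib
import json

# Constructed reference pin map, recorded at commissioning time and kept
# OFF the PLC (hypothetical device; pin names and roles are made up).
COMMISSIONED_PINS = {
    "P0": {"dir": "in", "role": "pressure_sensor"},
    "P1": {"dir": "in", "role": "temp_sensor"},
    "P2": {"dir": "out", "role": "relief_valve"},
    "P3": {"dir": "out", "role": "alarm_horn"},
}

def pin_config_digest(pins: dict, key: bytes) -> str:
    """Keyed digest over a canonical JSON encoding of a pin map."""
    canonical = json.dumps(pins, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def audit_pin_config(observed: dict, reference: dict, ref_digest: str, key: bytes) -> list:
    """Compare the pin map read back from the device with the off-device reference.

    Returns a list of findings (empty means intact). An input turned into an
    output lets an attacker drive bogus sensor values; an output turned into
    an input silently discards legitimate commands.
    """
    findings = []
    if not hmac.compare_digest(ref_digest, pin_config_digest(observed, key)):
        findings.append("pin map digest does not match commissioned baseline")
    for name, spec in reference.items():
        cur = observed.get(name)
        if cur is None:
            findings.append(f"{name} ({spec['role']}): pin missing from observed map")
        elif cur.get("dir") != spec["dir"]:
            effect = "sensor value can be forged" if spec["dir"] == "in" else "actuator command can be blocked"
            findings.append(f"{name} ({spec['role']}): direction {spec['dir']} -> {cur.get('dir')}; {effect}")
    for name in observed.keys() - reference.keys():
        findings.append(f"{name}: unexpected pin not in commissioned map")
    return findings

# Constructed example run: P0 and P2 have had their directions swapped.
MONITOR_KEY = b"example-key-held-by-the-monitoring-host"
BASELINE_DIGEST = pin_config_digest(COMMISSIONED_PINS, MONITOR_KEY)
TAMPERED_PINS = {
    "P0": {"dir": "out", "role": "pressure_sensor"},
    "P1": {"dir": "in", "role": "temp_sensor"},
    "P2": {"dir": "in", "role": "relief_valve"},
    "P3": {"dir": "out", "role": "alarm_horn"},
}

if __name__ == "__main__":
    for finding in audit_pin_config(TAMPERED_PINS, COMMISSIONED_PINS, BASELINE_DIGEST, MONITOR_KEY):
        print(finding)
```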

The researchers acknowledge that the attack is extremely complicated, but the article argues it would still be of interest to a state-sponsored actor.

3 of 59 comments

  1. Undetectable rootkit targets PLCs by khz6955 · Score: 4, Interesting

    'Majid Hashemi : Avanade, a Microsoft / Accenture joint venture'

    From billg:
    To: mhashemi:
    Cc: a.abbasi:
    Msg: "Please write a report on Linux PLC malware so as to distract from the current Microsoft Windows phishing/malware/virus infestation on the Internet."


    Is there any other kind of rootkit except the undetectable kind? It's interesting that in that entire document they managed to mention Raspberry Pi 13 times, Linux 5 times and Microsoft Windows not at all.

  2. Pick any two by jenningsthecat · Score: 5, Interesting

    This reminds me of the old engineering saying "good, fast, cheap - pick any two". Only in this case it's "complex, configurable, secure - pick any two". If you want security then you either forego complexity (so the device can't do a lot, plus all the combinations and permutations of its behaviour can be understood and determined in advance, plus its attack surface is correspondingly smaller), or you forego configurability (meaning functionality is set in wires or DIP switches or ROM, not by software that can be altered).

    Such complex and versatile systems (such as the Internet) simply can't be protected adequately, unless they're disconnected from the outside world and therefore lose most of their advantages. What comprises solid protection today probably won't tomorrow. We need to find ways of mitigating damage and recovering quickly; we can't rely on thwarting malicious hacking, because that's simply not possible in the long term. This applies equally to crappy consumer grade IoT gear and hardened SCADA systems. Yes, a good SCADA system is (or should be) harder to compromise; but usually the payoff is commensurately bigger.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.

  3. This shouldn't be surprising by DrXym · Score: 3, Interesting

    PLCs are designed to run on closed networks and normally have no protection around their firmware. They're expected to be commissioned and forgotten about. Some PLCs will even boot their firmware straight from an SD card slot which can be modified to make the PLC do anything. They are not secure in any way, shape or form.

    Adding security could be done of course, and perhaps there are things to be done that should be. But for the majority of deployments total security adds complexity to protect against a threat which is extremely unlikely to ever happen. If you want to protect your PLCs from being tampered with, there is a far simpler solution - buy a big secure cabinet and a big padlock. If you're super paranoid, fill any firmware update slots with epoxy.