Logic bombs can pose a significant threat to industrial control systems (ICS), particularly programmable logic controllers (PLCs), researchers warned in a paper published last week.
A logic bomb is a piece of code designed to set off a malicious function when specified conditions are met, such as a time and date, or when data provided by a sensor has a certain value.
It is not unheard of for malware to use logic bombs (e.g. Stuxnet and Shamoon), but experts at IIIT Hyderabad in India and the Singapore University of Technology and Design believe there is not enough research on the threat posed to ICS.
In an effort to prevent certain attacks, PLC manufacturers have implemented mechanisms designed to block unauthorized firmware from being uploaded to a device. On the other hand, researchers discovered that there is no authentication or security checks in place to ensure that unauthorized logic updates cannot be delivered to a PLC.
An attacker who has physical access to the targeted PLC – in some configurations attacks can also be conducted over the network – can upload malicious logic to the device and hijack it. The attacker can download and upload logic configurations using specialized software, such as Studio 5000 or ControlLogix from Rockwell Automation.
Researchers believe ladder logic bombs can be very dangerous considering that the attacker needs to access the targeted PLC only once. The “bomb” can then be triggered externally, using a specified input, or it can be triggered internally by a system state, certain instructions or at a preset date and time.
According to experts, ladder logic bombs can be used for a wide range of purposes, including denial-of-service (DoS) attacks, changing the PLC’s behavior, and obtaining data. These attacks have been tested in real-world ICS environments.
In the case of DoS attacks, hackers can add a piece of malicious logic to cause the PLC to stop working, potentially damaging the process it controls. Once triggered, the “bomb” can enter an infinite loop and make the device useless.
Ladder logic bombs can also be leveraged to manipulate data, such as sensor readings, which can be used to cover up other unauthorized activities or cause the device to enter an error state.
Attackers can also secretly log sensitive PLC data by using FIFO buffers and recording data into arrays on the device. These threats can go undetected for an extended period of time by not interfering with the device’s normal operation.
In order to prevent these types of attacks, researchers have proposed both network-based countermeasures and centralized validation of running code, which includes the use of authentication or cryptographic signatures for logic updates.
Logic bombs were also used recently in the simulation of a ransomware attack on industrial systems. Researchers showed how specially designed malware can hijack and potentially cause serious damage to a water treatment plant.