Incident Response, Network Security, TDR

Researchers discover ICS attack method that spreads through networks

A team of researchers published a report detailing their discovery of a new method of launching attacks that would threaten global critical infrastructure and utility providers through a worm that could spread directly through utility networks.

The attack, discovered by Ralf Spenneberg, Maik Brüggeman, and Hendrik Schwartke at OpenSource Security, a German security consulting firm, relies on a programmable logic controller (PLC) worm that the researchers saiddoes not rely on infected devices such as a laptop or desktop to spread the worm. The research team presented their discovery at BlackHat Asia.

“Our PLC worm will scan and compromise Siemens Simatic S7-1200 PLCs Version 1 through 3 without any external support. No PCs or additional hardware is required,” the researchers wrote. “The worm is fully self-contained and ‘lives' only on the PLC.”

Previous PLC attacks, such as the Stuxnet worm, required the exploit of PLC vulnerabilities on infected computers to spread. The method discovered by the researchers would make it more difficult to detect or contain industrial control systems (ICS) threats.

“Since this worm mimics the TIA-Portal and implements the proprietary Siemens protocol such solutions will miss it," said Barak Perelman, CEO of Indegy, an ICS cybersecurity firm, in an email to “Monitoring the propriety OT Vendors protocols like S7CommPlus is critical but difficult to do since these protocols are not well documented.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.