Internet-Facing PLCs - A New Back Orifice

Pretty much everyone should have realized by now that our modern societies critically depend on industrial control systems (ICS) and that these systems are beginning to move into the focus of hacking attacks. A recent example that received comparatively little attention is a 2014 attack on a German steel production facility. The attack led to an uncontrolled shutdown of a blast furnace and caused damage in the millions. Reportedly, the attackers compromised the business IT first and worked their way to the actual control systems from there. Much simpler attack vectors frequently exist for those knowledgeable enough to use them. SHODAN makes the case plainly: a plethora of industrial control systems are reachable from the Internet and can be attacked directly.

In our talk, we will showcase novel tools and techniques to leverage one Internet-facing PLC in order to explore and gain control over entire production networks. We use Siemens PLCs as our example. Our tools differ from what has been made public before in that we implement and run them directly on PLCs, in their native STL language. Specifically, we explain and demonstrate in detail the following attack process. We automatically locate PLCs and automatically instrument the STL code of a running PLC so that it provides additional functions in parallel to its original ones. One function we implemented is a UDP/SNMP scanner; another is a SOCKS5 proxy. Using these functions, an adversary can map, instrument and control the remaining PLCs on the network with existing tools. We demonstrate attacks on Siemens PLCs through our proxy connection using an existing Metasploit S7-300 Stop module and an exploit for CVE-2015-2177 that we disclosed to Siemens. As part of our demonstration, we explain why implementing a TCP scanner is impractical on Siemens PLCs.
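As a defender's counterpart to the process described above, the following added example (not from the talk or its authors) runs three flow-log heuristics over constructed sample flows: a PLC's S7comm port (TCP/102) reached from outside the plant address ranges, a PLC fanning out to many hosts the way the UDP/SNMP scanner would, and PLC-originated S7comm to a peer missing from the engineering baseline, which is what proxied Stop requests would look like on the wire. The flow format, the plant address ranges and the peer baseline are assumptions.

```python
import ipaddress
from collections import defaultdict

S7COMM_PORT = 102   # ISO-TSAP: S7-300/400 engineering, HMI and Stop/Start traffic
SCAN_FANOUT = 3     # distinct destinations a PLC initiates before it looks like a scanner
# Assumed plant address ranges; anything else is treated as Internet-side.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def parse_flows(text):
    # Constructed flow format: ts,src,dst,proto,dport, one flow per line.
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport = line.split(",")
        flows.append((int(ts), src, dst, proto, int(dport)))
    return flows

def find_alerts(flows, plcs, s7_peers):
    alerts, fanout = [], defaultdict(set)   # fanout: plc -> destinations it initiated
    for ts, src, dst, proto, dport in flows:
        # 1. Exposure: S7comm on a PLC reached from outside the plant ranges.
        if dst in plcs and dport == S7COMM_PORT and not is_internal(src):
            alerts.append(("exposed_s7comm", ts, src, dst))
        if src in plcs:
            fanout[src].add(dst)
            # 2. A PLC driving S7comm to a peer outside the engineering baseline,
            #    consistent with traffic proxied through it rather than normal I/O.
            if dport == S7COMM_PORT and (src, dst) not in s7_peers:
                alerts.append(("plc_s7comm_to_unknown_peer", ts, src, dst))
    # 3. Fan-out: a PLC sweeping many hosts (here UDP/161) is acting as a scanner.
    for plc, dsts in fanout.items():
        if len(dsts) >= SCAN_FANOUT:
            alerts.append(("plc_fanout_scan", plc, len(dsts)))
    return alerts

# Constructed sample: .10 is reached from the Internet, sweeps SNMP, then opens S7comm
# to .11; the .11 -> .12 link is in the engineering baseline and must not alert.
FLOW_LOG = """\
1,203.0.113.7,10.0.1.10,tcp,102
2,10.0.1.10,10.0.1.20,udp,161
3,10.0.1.10,10.0.1.21,udp,161
4,10.0.1.10,10.0.1.22,udp,161
5,10.0.1.10,10.0.1.11,tcp,102
6,10.0.1.11,10.0.1.12,tcp,102
"""
PLCS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}
S7_PEERS = {("10.0.1.11", "10.0.1.12")}
def demo():
    return find_alerts(parse_flows(FLOW_LOG), PLCS, S7_PEERS)
```

The peer baseline is the piece worth maintaining: PLC-to-PLC S7 communication is legitimate in many plants, so rule 2 is only as good as the list of links engineering actually configured.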

Presented by