Programmable Logic Controllers (PLCs) are the core control devices in Industrial Control Systems (ICSs), which control and monitor the underlying physical plants such as power grids. PLCs were initially designed to work in a trusted industrial network, an assumption that becomes brittle once they are deployed in an Internet-facing (or already penetrated) network. Yet there is a lack of systematic empirical analysis of the run-time security of modern real-world PLCs. To close this gap, we present the first large-scale measurement on 23 off-the-shelf PLCs across 13 leading vendors. We find many common security issues and unexplored implications that should be more carefully addressed in the design and implementation. To sum up: 1) the unsupervised logic applications can cause system resource/privilege abuse, which gives adversaries new means to hijack the control flow of a runtime system remotely (without exploiting memory vulnerabilities); 2) the improper access control mechanisms bring many unauthorized access implications; 3) the proprietary or semi-proprietary protocols are fragile regarding confidentiality and integrity protection of run-time data. We empirically evaluated the corresponding attack vectors on multiple PLCs, which demonstrates that the security implications are severe and broad. Our findings were reported to the related parties responsibly, and 20 bugs have been confirmed with 7 assigned CVEs.