DEEP LATERAL MOVEMENT IN OT NETWORKS: When Is a Perimeter Not a Perimeter?

This research report is the first systematic study into how attackers can move laterally between different network segments and types of networks at the controller level – Purdue level 1 (L1) – of OT networks. We show how attackers can cross security perimeters in interfaced Basic Process Control Systems (BPCS) / Safety Instrumented Systems (SIS) architectures or perform detailed manipulation of equipment in fieldbus networks nested behind PLCs to bypass functional and safety constraints that would otherwise prohibit cyber-physical attacks with the most serious consequences.

As part of the proof-of-concept developed for this research, we use two new vulnerabilities that we are publicly disclosing for the first time: CVE-2022-45788 and CVE-2022-45789, which allow remote code execution and authentication bypass, respectively, on Schneider Electric Modicon PLCs. These issues were found as part of the OT:ICEFALL research in 2022 but were not disclosed at the time at the request of the vendor.

In the past few years, security researchers have demonstrated various approaches to obtaining low-level remote code execution (RCE) on L1 devices from various vendors. Malware such as TRITON and INCONTROLLER has shown that real-world threat actors are both capable of and interested in developing such capabilities as well. When it comes to subsequent post-exploitation of L1 devices, however, prior work has primarily focused on stealth, persistence, and demonstrating impact, while lateral movement has received little attention. Past work on lateral movement has concentrated on moving between L1 devices in the same network segment or moving upstream to SCADA systems at level 2 and above; it has not considered moving deeper into nested device networks or across perimeters at level 1.

As a result, asset owners frequently overlook security perimeters at level 1 and consider the kind of granular control required to bypass functional and safety limitations enforced by controllers and field devices as infeasible. This is despite the fact that L1 devices that sit at the intersection of multiple, mixed networks should be treated as security perimeters and ought to have the corresponding hardening and risk profiles that would be accorded to workstations in a similar position.
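The point above is that an L1 device with interfaces on more than one network is a perimeter whether or not the asset owner treats it as one. The following is an added example, not code from the report or from Forescout, that makes this concrete as a segmentation review: it takes a small, constructed asset inventory (hypothetical device names and segment names), lists the multi-homed L1 devices, finds the segments that are only populated by L0/L1 devices (fieldbus or BPCS/SIS link networks nested behind controllers), and computes which segments become reachable from a given segment by pivoting through those devices. Defenders can run the same analysis on a real inventory to decide where controller-level hardening and monitoring are needed.

```python
from collections import defaultdict, deque

# Constructed sample inventory (hypothetical names, not from the report).
# Each entry: device name, Purdue level, and the network segments it has an
# interface on. A device on several segments is a potential pivot point.
INVENTORY = [
    {"name": "ENG-WS-01", "level": 2, "segments": ["bpcs_ctrl"]},
    {"name": "BPCS-PLC-01", "level": 1, "segments": ["bpcs_ctrl", "bpcs_sis_link", "fieldbus_A"]},
    {"name": "SIS-CTRL-01", "level": 1, "segments": ["bpcs_sis_link", "sis_ctrl"]},
    {"name": "PKG-PLC-01", "level": 1, "segments": ["bpcs_ctrl", "package_unit"]},
    {"name": "VFD-01", "level": 0, "segments": ["fieldbus_A"]},
    {"name": "SIS-IO-01", "level": 0, "segments": ["sis_ctrl"]},
]


def build_graph(inventory):
    """Map each segment to the devices that have an interface on it."""
    seg_to_devs = defaultdict(list)
    for dev in inventory:
        for seg in dev["segments"]:
            seg_to_devs[seg].append(dev)
    return seg_to_devs


def perimeter_devices(inventory, level=1):
    """Devices at the given Purdue level that bridge two or more segments."""
    return sorted(d["name"] for d in inventory
                  if d["level"] == level and len(d["segments"]) > 1)


def nested_segments(inventory, max_level=1):
    """Segments whose members are all at or below max_level, i.e. networks that
    are invisible from L2 and only reachable through a controller."""
    seg_to_devs = build_graph(inventory)
    return sorted(seg for seg, devs in seg_to_devs.items()
                  if all(d["level"] <= max_level for d in devs))


def reachable_segments(inventory, start_segment):
    """Every segment reachable from start_segment by hopping through
    multi-homed devices (breadth-first search over the segment graph)."""
    seg_to_devs = build_graph(inventory)
    seen = {start_segment}
    queue = deque([start_segment])
    while queue:
        seg = queue.popleft()
        for dev in seg_to_devs[seg]:
            for nxt in dev["segments"]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen


def pivot_path(inventory, start_segment, target_segment):
    """Shortest chain of devices that links start_segment to target_segment,
    or None if the two are genuinely isolated from each other."""
    seg_to_devs = build_graph(inventory)
    queue = deque([(start_segment, [])])
    seen = {start_segment}
    while queue:
        seg, path = queue.popleft()
        if seg == target_segment:
            return path
        for dev in seg_to_devs[seg]:
            for nxt in dev["segments"]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [dev["name"]]))
    return None


if __name__ == "__main__":
    print("Multi-homed L1 devices (treat as perimeters):", perimeter_devices(INVENTORY))
    print("Segments hidden behind controllers:", nested_segments(INVENTORY))
    print("Reachable from bpcs_ctrl:", sorted(reachable_segments(INVENTORY, "bpcs_ctrl")))
    print("Pivot chain bpcs_ctrl -> sis_ctrl:", pivot_path(INVENTORY, "bpcs_ctrl", "sis_ctrl"))
```

In the constructed inventory the safety controller network `sis_ctrl` is reachable from the BPCS control network only through the BPCS PLC and the SIS controller, which is exactly the kind of path a segmentation review should surface: those two devices, not a firewall, are the effective perimeter, and they deserve the hardening and monitoring that would be applied to a workstation in the same position.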

In this report, we present:

  • Two new vulnerabilities affecting Schneider Electric Modicon PLCs and allowing for remote code execution and authentication bypass (Section ).
  • An overview of lateral movement on level 1, including different real-world BPCS/SIS architectures and third-party package unit setups, relevant lateral movement options and related attacker use-cases (Sections 3 and 4).
  • A realistic attack scenario on critical infrastructure where lateral movement on level 1 allows an attacker to cause physical damage to a movable bridge (Section 5).
  • An in-depth discussion and demonstration of an L1 RCE and lateral movement proof-of-concept using previously undisclosed authentication bypass and RCE vulnerabilities against fully patched Schneider Electric M340 & M580 PLCs (Section 6).
  • Our conclusions and thoughts on hardening L1 devices and networks against the discussed threats (Section 7).
