«

»

Nov
15

2010

417 attack code: Doing the man-in-the-middle ON the PLC

We have mentioned that the 315 and 417 attack code is considerably different. While the 315 code does its thing by directly writing to Profibus devices, the 417 code uses a completely different attack vector. It does a man-in-the-middle between physical I/O and program execution.

In order to understand how this can be done, let’s cover some basics. A PLC connects electrically to inputs and outputs, which are hardwired to sensors and actuators. However, the program running on the PLC usually does not operate on the electrical signals directly, but on PROCESS IMAGES of the I/Os. The idea behind this architecture is that the inputs and outputs you work upon in your program are consistent. Anyhow, there is the physical inputs, the process image of the physical inputs, the physical outputs, and the process image of the physical outputs.

A PLC program operates in a cycle that passes through the following steps:

1. Start cycle time monitoring
2. Write process image of outputs to physical outputs
3. Read physical inputs and write to process image of inputs
4. Execute programmed logic
5. Goto 1.

Normally, steps 1, 2, 3, and 5 are performed automatically by the PLC’s execution environment; it is nothing that the programmer would have to worry about. However on the S7-400 you can disable the automatic updates and do that on your own in program code. This is what the Stuxnet 417 attack code does. It disables the automatic updates and performs the physical/logical mapping on its own in the code injected in OB1. In some of its different states of operation, the mapping is done unmodified; just like the execution environment would do it automatically. In other modes, the legitimate program running on the PLC is provided with fake inputs. Engineers will certainly ask how this is possible. Actually, it is easy: The process image of inputs is not read-only. It can be overwritten. And that’s how it’s done by Stuxnet: The legitimate code isn’t looking at the real inputs any more, but at data that Stuxnet loads from its big data blocks. It’s just like you have seen it in movies where the bad guys feed observation cameras with unsuspicious pre-recorded video. In the meantime, Stuxnet does its thing by writing to the outputs. Pretty clever.