Recently, a cyber-attack on the smart mailbox services of the Israeli postal office was published in the media. The attackers remotely unlocked and physically opened all of the mailboxes, exposing the mail and packages inside. The attack exploited an inherent vulnerability in the Programmable Logic Controllers (PLCs) manufactured by the company Unitronics. This attack is one of many over the last few years that have targeted PLCs.
What’s a PLC?
A Programmable Logic Controller lets users program specific, customized logic into their products in order to integrate them into their systems. PLCs are very common in industrial control systems: they control water systems, manage production processes in factories, and form part of building management infrastructure. Unitronics lets users download software from its site to easily set up and manage their PLC.
Recent Unitronics Incident
As part of the management and development infrastructure that Unitronics provides to its clients, every PLC exposes a management interface that allows full control over the controller. This interface is reachable over a TCP port, and accessing it requires no prior knowledge and no authentication. Consequently, it is fairly simple to take full control of any Unitronics Programmable Logic Controller that is connected to the internet. Once in control, a user can completely shut down the components connected to the PLC or change their course of action. This device vulnerability could have disastrous outcomes, such as explosions in pipelines, the shutdown of water pumps, or cutting off access to the water supply. Taking full control also allows the content displayed on the controller's screen to be changed. It is important to note, however, that these vulnerabilities are not unique to Unitronics PLCs. Similar vulnerabilities exist in PLCs from other manufacturers as well.
Industry Current Security Status
Based on our research, this is a widespread vulnerability, common to several companies and manufacturers. Our tests have shown that there are PLCs that can be remotely controlled in countries all over the world. These PLCs serve many different clients, including factories, hospitals and universities.
Why is the Security Risk of the Programmable Logic Controllers so High?
Ironically, the PLCs that are generally integrated into the most critical systems, such as water supply and electricity, have a very low level of cybersecurity. There are various reasons for this:
- Lack of resources for developing and integrating protective mechanisms.
- Lack of awareness of the security deficiencies that may occur in these controllers.
- PLCs are often based on outdated technologies, making it hard to integrate new protective mechanisms.
- PLCs often have very limited resources, such as computational power and RAM. This makes it challenging, but definitely not impossible, to integrate state-of-the-art protective mechanisms in the PLCs.
- An unclear distribution of responsibilities. Usually, the companies manufacturing the PLCs are not the same companies as those developing the programs running on the PLCs, nor are they the same companies managing the integration of the two.
How do the companies that manage integration affect the story?
Inherent Security Risks When Working With Integrators
The PLC supply chain is often quite complicated. Clearly, at the head of the chain, we have the manufacturer. However, somewhere along the way to the client, the product must pass through the developers, and there will be an entity responsible for integrating the product into the client's systems. The company managing integration has a tremendous influence on the security level of the product and, consequently, on the security level of the client's systems.
How can the company managing integration influence the security level of the product?
- Broken chain of responsibility:
Unlike the PC ecosystem, where the user is responsible for all of the software and the use of the device, in the PLC and OT ecosystem the chain of command is less clear. The manufacturer produces the device, the integrator installs it, and the customer eventually runs the PLC inside its network perimeter, which makes it unclear who can and should be in charge of securing the device.
- “Just make it work” approach:
Typically, an integrator is measured by the operational status of the device, i.e. making sure it functions properly, without regard to its security status or posture.
Since cybersecurity is not a measured parameter, the integrator tends to avoid handling or configuring it.
- Lack of cybersecurity expertise:
Often, integration companies do not fully understand the product's security settings and are not aware of its protective mechanisms. Security is not a default setting and must be configured and integrated manually.
Due to this lack of familiarity with the product, the integrator has very little knowledge of the interfaces exposed to the internet, or of the dangers they present. It goes without saying that such an integrator will not know how to block these exposed interfaces using complementary measures, such as firewalls.
- The integrator may rely on the manufacturer's default settings to produce a secure product and, as a result, see no reason to actively verify that the product is secure.
- Since the PLC device is programmable, the integrator who programs it may inadvertently insert code with vulnerabilities, even if the device was safe when supplied by the manufacturer.
The final result is that in many cases, if not all, the client is left exposed to severe cyber vulnerabilities that can compromise critical processes and systems. It is important to keep in mind that an attacker who comes to attack a system does not care who is to blame for these vulnerabilities.
First, rest assured that if your PLC device is protected by Firedome you are secure. None of Firedome’s components are impacted by these types of vulnerabilities; if there is an attempt to hack the device, the Firedome security agent will detect and block the malicious connections and stop the attack chain.
If your PLC is not protected by Firedome, there are several things you can do to help protect your PLC:
- As a client, ask your integrator to use a cyber-protected PLC device
- Make sure that your PLC device is not connected directly to the internet, but only through a network firewall that blocks all external traffic to the PLC device
- Use an IDS to detect attack attempts against the PLC device
- Because a PLC device is programmable and its logic can change after deployment, it is highly recommended to add a security agent to your device regardless of your supply-chain efforts
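As an added example of the firewall and IDS steps above (not Firedome's code and not part of the original post), the script below renders an allowlist firewall policy for the PLC management port and runs the matching detection over constructed netfilter-style log lines. The port 20256 (Unitronics PCOM over TCP), the PLC address, the engineering subnet and the log lines are all assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed Unitronics management port (PCOM over TCP); adjust for your controller.
PLC_MGMT_PORT = 20256
# Constructed site policy: PLC addresses and the only subnet allowed to reach them.
PLC_ADDRS = {ipaddress.ip_address("10.20.0.15")}
ENGINEERING_NETS = [ipaddress.ip_network("10.20.5.0/24")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Matches netfilter-style LOG lines: "... SRC=a DST=b PROTO=TCP SPT=n DPT=m ..."
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)")

@dataclass
class Alert:
    src: str
    dst: str
    reason: str  # "external" or "internal-unlisted"

def classify(line):
    """Alert on a TCP hit on a PLC management port from a non-engineering source."""
    m = LOG_RE.search(line)
    if not m or m["proto"] != "TCP" or int(m["dpt"]) != PLC_MGMT_PORT:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    if dst not in PLC_ADDRS or any(src in n for n in ENGINEERING_NETS):
        return None  # not our PLC, or a legitimate engineering workstation
    reason = "internal-unlisted" if any(src in n for n in INTERNAL_NETS) else "external"
    return Alert(str(src), str(dst), reason)

def scan(lines):
    return [a for a in map(classify, lines) if a is not None]

def nft_rules():
    """nftables policy: engineering hosts may reach the port; all else is logged and dropped."""
    rules = []
    for plc in sorted(PLC_ADDRS):
        for net in ENGINEERING_NETS:
            rules.append(f"ip saddr {net} ip daddr {plc} tcp dport {PLC_MGMT_PORT} accept")
        rules.append(f'ip daddr {plc} tcp dport {PLC_MGMT_PORT} log prefix "PLC-MGMT " drop')
    return rules

# Constructed sample log lines (not from any real device or incident).
SAMPLE_LOG = [
    "Jan  5 10:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.20.0.15 PROTO=TCP SPT=51234 DPT=20256 SYN",
    "Jan  5 10:12:02 fw kernel: IN=eth0 OUT= SRC=10.20.5.10 DST=10.20.0.15 PROTO=TCP SPT=40000 DPT=20256 SYN",
    "Jan  5 10:12:03 fw kernel: IN=eth1 OUT= SRC=10.20.9.44 DST=10.20.0.15 PROTO=TCP SPT=40001 DPT=20256 SYN",
    "Jan  5 10:12:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.20.0.15 PROTO=TCP SPT=51235 DPT=80 SYN",
]
```

Running `scan(SAMPLE_LOG)` flags the internet source and the unlisted internal host while ignoring the engineering workstation and the non-management port; `nft_rules()` emits the two rules that enforce the same allowlist at the firewall.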
It is important to remember that even if all the steps mentioned above have been taken, the best and only complete solution is to switch to a protected PLC controller.
Schedule a call today with a cyber expert at Firedome to assess your risk and protect your assets!
Firedome Inc. (https://firedome.io/) is a growth-enabler for disruptive IoT brands. Offering a robust IoT security and privacy platform with advanced marketing and cyber services, Firedome enables IoT brands to protect their devices and their users while growing their market share. Firedome was founded by top security and business veterans.