Researchers from cybersecurity firm Trend Micro and the Polytechnic University of Milan have analyzed the possible entry points and vectors for attacks targeting smart manufacturing environments, and they discovered several new vulnerabilities in the process.
It’s not uncommon for traditional malware to make its way into industrial environments, and in many cases it is detected by existing security solutions, but sophisticated attackers looking to target industrial organizations are more likely to launch attacks that specifically target operational technology (OT) systems, making their attacks more efficient and less likely to be detected.
The Polytechnic University of Milan has a dedicated Industry 4.0 lab with manufacturing equipment that is typically deployed in real-world environments. Trend Micro teamed up with the university to see exactly how attackers could gain access to manufacturing environments and the actions they could conduct.
The study, which resulted in a 60-page report, looked at three main points of entry: engineering workstations, custom industrial internet-of-things (IIoT) devices, and manufacturing execution systems (MES).
One of the most important entry points is the engineering workstation, which is often connected to devices on the plant floor. Engineering workstations are used to manage programmable logic controllers (PLCs) and human-machine interfaces (HMIs), and gaining access to a workstation can be highly useful to an attacker, as it allows them to access sensitive information, move laterally, or tamper with manufacturing equipment.
Researchers at Trend Micro and the Polytechnic University of Milan have shown how these engineering workstations could be compromised using a malicious industrial add-in or extension. If an attacker can convince a user within the targeted organization to install a malicious add-in, they can push arbitrary automation logic code to manufacturing equipment.
While tricking an engineer into using a malicious add-in might not sound like an easy task, the researchers have identified some vulnerabilities that could make a hacker’s job easier. For example, a security hole in ABB’s RobotStudio app store, which hosts automation logic for industrial robots made by ABB, could have allowed an attacker to bypass the vetting process and upload a malicious add-in that would become immediately available in the store. ABB released a server-side patch for this vulnerability after being notified by Trend Micro.
Another example involves KUKA’s KUKA.Sim engineering and development software for robots and computer numerical control (CNC) devices. The issue is related to the eCatalog feature, which allows users to import 3D models made by others. The researchers discovered that the software did not include any integrity checks for data downloaded from the eCatalog and the communication between the client and the server was not encrypted, allowing a man-in-the-middle (MitM) attacker to make malicious changes to a model.
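The KUKA.Sim finding above comes down to two missing controls: the client never checked the integrity of what it downloaded, and the channel carrying it was not authenticated. The following is an added example (not code from Trend Micro, the Polytechnic University of Milan, or KUKA) showing the check a catalog client should perform: authenticate a manifest of expected file hashes, then verify every downloaded model against it. It assumes the manifest is authenticated with HMAC-SHA256 under a key provisioned out of band (a vendor would normally use an asymmetric signature; HMAC keeps the example on the standard library), and it models the catalog transport as an in-memory dict with constructed sample files.

```python
"""Verifying a downloaded asset against an authenticated manifest.

Added example, not code from the report or from any vendor. Assumptions:
  - MANIFEST_KEY is provisioned to the client out of band (stand-in for a
    vendor signing key; HMAC is used so the example needs only the stdlib).
  - the catalog is modelled as a dict of file name -> bytes.
"""
import hashlib
import hmac
import json

MANIFEST_KEY = b"demo-key-provisioned-out-of-band"  # constructed sample key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_signed_manifest(files: dict[str, bytes], key: bytes) -> bytes:
    """Producer side: hash every file and authenticate the canonical JSON manifest."""
    body = json.dumps({name: sha256_hex(blob) for name, blob in sorted(files.items())},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": body.decode(), "tag": tag}).encode()


def load_verified_manifest(signed: bytes, key: bytes) -> dict[str, str]:
    """Consumer side: reject the manifest unless its tag verifies (constant-time compare)."""
    outer = json.loads(signed)
    body = outer["manifest"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["tag"]):
        raise ValueError("manifest authentication failed")
    return json.loads(body)


def verify_download(name: str, blob: bytes, manifest: dict[str, str]) -> bool:
    """Accept a downloaded model only if it is listed in the manifest and its hash matches."""
    expected = manifest.get(name)
    if expected is None:
        return False  # unknown file: never import it
    return hmac.compare_digest(sha256_hex(blob), expected)


# --- constructed sample catalog (not real model data) -------------------------
VENDOR_FILES = {
    "gripper_v2.step": b"ISO-10303-21;HEADER;...gripper...ENDSEC;",
    "conveyor.step": b"ISO-10303-21;HEADER;...conveyor...ENDSEC;",
}
SIGNED_MANIFEST = build_signed_manifest(VENDOR_FILES, MANIFEST_KEY)


def demo() -> dict[str, bool]:
    """Run three downloads through the check: intact, altered in transit, not listed."""
    manifest = load_verified_manifest(SIGNED_MANIFEST, MANIFEST_KEY)
    altered = VENDOR_FILES["gripper_v2.step"].replace(b"gripper", b"grippeR")
    return {
        "intact": verify_download("gripper_v2.step", VENDOR_FILES["gripper_v2.step"], manifest),
        "altered": verify_download("gripper_v2.step", altered, manifest),
        "unlisted": verify_download("extra.step", b"anything", manifest),
    }


def manifest_tamper_detected() -> bool:
    """A manifest whose hash list was altered in transit is rejected before any file is trusted."""
    outer = json.loads(SIGNED_MANIFEST)
    forged = dict(json.loads(outer["manifest"]))
    forged["gripper_v2.step"] = sha256_hex(b"substituted model")
    outer["manifest"] = json.dumps(forged, sort_keys=True, separators=(",", ":"))
    try:
        load_verified_manifest(json.dumps(outer).encode(), MANIFEST_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), manifest_tamper_detected())
```

Two design points matter here: the manifest is checked before any per-file hash is trusted, so an attacker on the path cannot simply rewrite both the file and its listed hash; and unlisted files are refused outright rather than imported unchecked. Transport encryption (TLS with certificate validation) is still needed alongside this, since the hash check protects integrity but not confidentiality of what the engineer downloads.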
Custom IIoT devices, which allow engineers to run fully custom automation logic on manufacturing equipment, can also be a good entry point for attacks. While these custom devices have many benefits, they can rely on third-party libraries, which makes them more exposed to supply chain attacks.
If an attacker can somehow get the target to use a trojanized library or alter code directly on a development workstation, they could remotely gain full access to a plant, Trend Micro warned.
In the case of MES databases, which store work orders and templates, an attacker can simply change records in the database to cause problems. This can be done by an attacker who has gained access to the targeted organization’s network or to an unprotected MES database; the attack can also start from a compromised engineering workstation.
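Direct edits to MES records bypass whatever validation the MES application performs, so the detection has to live outside the database’s own access controls. The following is an added example (not code from the report or from any MES vendor) of one such control: the application stores an HMAC-SHA256 tag over each work order’s business fields under a key the database server never holds, and a periodic audit flags rows whose tag no longer verifies. It assumes an in-memory SQLite table with constructed sample orders and a hypothetical application-tier key.

```python
"""Detecting direct tampering with MES work-order records.

Added example, not code from the report or any vendor. Assumption: every
legitimate write goes through write_order(), which attaches a tag computed
under ORDER_KEY; the key lives in the application tier only, so a row edited
directly in the database cannot carry a valid tag.
"""
import hashlib
import hmac
import sqlite3

ORDER_KEY = b"mes-app-key-not-stored-in-db"  # constructed; held by the app tier only


def _tag(order_id: str, product: str, quantity: int, recipe: str) -> str:
    """HMAC over length-prefixed fields so adjacent fields cannot be re-split."""
    msg = b"".join(len(f).to_bytes(4, "big") + f
                   for f in (order_id.encode(), product.encode(),
                             str(quantity).encode(), recipe.encode()))
    return hmac.new(ORDER_KEY, msg, hashlib.sha256).hexdigest()


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE work_orders (order_id TEXT PRIMARY KEY, product TEXT, "
               "quantity INTEGER, recipe TEXT, tag TEXT)")
    return db


def write_order(db: sqlite3.Connection, order_id: str, product: str,
                quantity: int, recipe: str) -> None:
    """Application path: every legitimate write carries a fresh tag."""
    db.execute("INSERT OR REPLACE INTO work_orders VALUES (?,?,?,?,?)",
               (order_id, product, quantity, recipe,
                _tag(order_id, product, quantity, recipe)))


def audit(db: sqlite3.Connection) -> list[str]:
    """Return the order_ids whose stored fields no longer match their tag."""
    flagged = []
    for order_id, product, quantity, recipe, tag in db.execute(
            "SELECT order_id, product, quantity, recipe, tag FROM work_orders"):
        if not hmac.compare_digest(_tag(order_id, product, quantity, recipe), tag):
            flagged.append(order_id)
    return flagged


def demo() -> list[str]:
    """Two orders written by the app, then one row changed directly in the database."""
    db = open_db()
    write_order(db, "WO-1001", "bracket-A", 500, "recipe-7")
    write_order(db, "WO-1002", "housing-B", 120, "recipe-3")
    # Direct database edit that bypasses the application (the scenario above).
    db.execute("UPDATE work_orders SET quantity = 5000 WHERE order_id = 'WO-1001'")
    db.commit()
    return audit(db)


if __name__ == "__main__":
    print(demo())
```

The tag covers the order identifier as well as the business fields, so copying a valid row’s fields and tag onto another order also fails the audit. Limits worth stating: this detects modification but does not prevent it, it does not notice deleted rows unless the audit also reconciles row counts against an independent record, and it offers nothing if the attacker has reached the application tier where the key lives. Database-side controls (least-privilege accounts, no direct network exposure of the MES database) remain the primary mitigation.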
The researchers also looked at mobile HMIs, which can have vulnerabilities like the ones typically found in other mobile applications. There are over 170 HMI apps on Google Play and many of them have thousands and even hundreds of thousands of installs.
Vulnerabilities exist in many of these apps, but Trend Micro’s attack examples focused on Comau’s PickApp, which allows users to control their robots from a tablet or mobile phone. The application is affected by various types of flaws that can allow an attacker to take control of connected machines.