Metasploit Exploit Demonstrated Against a Model Train Set Controlled by an Allen-Bradley MicroLogix PLC at NERC GridSecCon 2012

Share Article

CYBATI's Co-Founder and President, Matthew E. Luallen, revealed the ease of writing a Metasploit module targeting the MicroLogix line of Allen-Bradley process controllers. Mr. Luallen stated several times during his presentation at NERC's GridSecCon 2012, "I did not want to write this Metasploit module or the laboratory exercise; however, given the current state of escalating risk, it is necessary for the industry to understand just how easy it is to compromise a system if trusted access is gained." The module took a mere two hours to write. Luallen used a model train set wired to a MicroLogix 1400 controller using Modbus/TCP and Ethernet/IP communications to an HMI for his demonstrations.

Cortana Script Faulting a Discovered MicroLogix Controller

Cortana Script Faulting a Discovered MicroLogix Controller

We must cross-train and enhance existing cybersecurity skills throughout the control system space to address the increasing cyber risks.

NERC hosted its second Grid Security Conference (GridSecCon 2012) on October 16-18 in San Diego. The conference brought together industry and government security professionals to discuss grid security concerns, trends, and best practices. The conference covered topics including emerging industrial control system security issues, social engineering and spear phishing, electromagnetic pulse threats and security crisis management. Over 250 people attended the NERC GridSecCon 2012 in San Diego, CA. The annual conference included keynotes and presentations from Gerry Cauley, NERC President and CEO; Admiral Thad Allen, USCG (Ret.); and, Mark Weatherford, Deputy Under Security for Cybersecurity, Department of Homeland Security.

Matthew E. Luallen, CYBATI Co-Founder and President, discussed social engineering tactics and used live demonstrations to emphasize how socially engineered trusted access can debilitate a control environment. Luallen has been researching and developing education academically and professionally for control system asset owners, CERTs and government agencies and this was the first conference with a full demonstration. Luallen serves many roles as the President of CYBATI, adjunct faculty at DePaul University, and as a certified instructor for the SANS Institute. Through Mr. Luallen’s work at DePaul University he was a co-author of a recent paper entitled, “Developing a Critical Infrastructure and Control System Cybersecurity Curriculum” accepted by the Infrastructure Security mini-track at the 2013 Hawaiian International Conference on System Sciences.

Using a model train set to physically represent the harm that could be introduced, Luallen presented his new Metasploit module crafted in less than two hours that could fault an Allen-Bradley MicroLogix Programmable Logic Controller (PLC). As the fault occurred the train stopped and the PLC need to be manually cleared and enabled. Luallen also provided in the presentation mitigating controls for the exploit. Luallen stated, "The exploit will only be successful if it can flip the bit telling the controller to fault. This can be controlled by limiting remote access to the controls network as well as investigating adding a new line to the controller's logic to restrict the bit manipulation." Luallen stressed that any changes to a control environment should be sufficiently tested and validated by the asset owner's and/or vendor(s) prior to implementation. Luallen also stated that he has been in contact with the ICS-CERT and Allen-Bradley / Rockwell Automation for several weeks to ensure asset owner's were properly notified prior to the public release of the exploit.

Critical infrastructure, control systems and their cyber assets that support them continue to be in the news – from Stuxnet over two years ago to recent attacks against the Energy sector. The common theme throughout the NERC conference was a lack of a skilled cybersecurity aware workforce to address this challenge. Specifically more physical security personnel, operations, management and IT need enhanced cybersecurity skills to understand the risk, enable mitigating controls, monitor for unapproved access and respond appropriately. Only a few specialists offer education to help address this cybersecurity challenge – Digital Bond, Lofty Perch, Red Tiger Security and CYBATI.

Additionally, Luallen discussed what socially engineered information would be of most interest to an attacker, how they may go about collecting it, attack vectors to gain trusted access, and then what they may do once inside the trusted perimeter. The efforts included both physical and cyber mechanisms from a hardware modified technician’s cable used to administer a PLC to the ease of using the Social Engineering Toolkit included in BackTrack 5 to craft a backdoored executable that will evade anti-virus. Luallen also demonstrated how easy it is to alter device states using an opensource Modbus/TCP command line added to the BackTrack distribution. Modbus is natively unauthenticated and if an attacker can gain access to the communications channel, have knowledge of specific tags or points, and understand or be able to alter the programmable logic the attacker can create conditions that may even lead to potential loss of life. This is exactly what Stuxnet is believed to have performed against the centrifuges located at the Natanz enrichment facility in Iran. Luallen stressed continuously how important it is to protect the logical design of the controlled environment, as targeted attacks will attempt to simultaneously physically disable the correct sensors, controllers and/or communications channels to create the adverse and unsafe conditions. Examples given during the presentations were associated with reviewing master stops, safety systems and for the electric sector, load shedding programs.

The full presentation from the conference is available for download at CYBATI's website.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Matthew Luallen
Email >
Follow us on
Visit website