Digital Bond, a control system security consulting company, released information about a critical vulnerability in numerous programmable logic controllers (PLCs) and other hardware used to automate everything from motors to complex industrial processes. The affected software is known as the CoDeSys ladder logic system, from 3S Software GmbH. CoDeSys is used by 261 manufacturers of control equipment to execute programming and operate connected devices. Essentially, Digital Bond discovered that the software allows a remote connection without user authentication. They created Python scripts that take advantage of this lack of security and provide a means of executing commands and gaining access to data on the devices.
This vulnerability could have major implications for public utilities, manufacturing plants, and anywhere else this type of valve, motor, and system control is used. Of particular concern are controllers that are exposed on the Internet, but even systems behind a firewall are likely to be targeted, given the nature of the weakness and the simplicity of the exploit.
More information about Digital Bond’s findings and the Python scripts can be found here.
The U.S. ICS-CERT issued an alert as a result of the above, and Matt Krebs wrote an informative blog post that expands on the issue. In it, he notes that the availability of online search tools that scrape the Internet looking for all types of connected devices (including PLCs) makes this problem even more serious. It appears, at present, that even the most novice hacker could launch an attack on exposed controllers, possibly causing severe damage or disruption of service.
At least for now, it would be prudent to isolate these devices – especially in cases where they control critical processes/equipment. Of course, it would be nice to think such measures were already in place for such important applications – but we know better.