UAH Ph.D. student discovers – and reports – vulnerability in commercially available PLC

Thanks to a buffer overflow vulnerability discovered by UAH cybersecurity student Thiago Alves and reported to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Rockwell Automation was able to release a patch to better protect its Allen-Bradley MicroLogix 1400 programmable logic controller (PLC) from cyberattack.

Alves, a graduate research assistant for UAH’s Center for Cybersecurity Research and Education (CCRE), discovered the flaw while working on a paper comparing the behavior and functionality of OpenPLC with other PLCs; OpenPLC, the only PLC in the world to give users access to its source code, was created by Alves when he was an electrical engineering undergraduate at the Pontifical Catholic University of Minas Gerais in Brazil.

"To make the comparison with OpenPLC, I got the most popular brands of PLCs, including Siemens, Allen-Bradley, Modicon, and Omron, and I set up some lab experiments to find the characteristics and limitations for each of them," he says. "While I was testing the Allen-Bradley one, I found a buffer overflow vulnerability, which has the potential for serious damage."

Also known as a buffer overrun, this particular vulnerability enables a hacker to overflow a piece of the PLC’s memory with more content than it can store, ultimately resulting in a total system crash.

"Imagine that for every message a PLC receives, it gets an empty cardboard box to put the message contents in," explains Alves. "The size of the cardboard box is determined by the size of the message. An attack, however, relies on lying about the size of the message. The hacker says their message will fit in a very small box, while the contents of the message would actually require an extra-large box."

As a result, when the PLC receives the hacker’s message, the contents overlap the area reserved for it. "That causes the nearby areas to be replaced with portions of the contents of the hacker’s message," he says. "And if the nearby areas are storing vital information for the system to function and that information gets replaced, it crashes the system and stalls the PLC completely until it gets rebooted."

The effects would be even more damaging if a hacker decided to fill the message with a virus or malware, which could then be injected into critical parts of the system. "If they managed to do that, they could have the device execute the malware before crashing," he says. "That could cause even more harm, including permanent infection of the device, infection of nearby PLCs, alteration in functionality – you name it."

To alert Rockwell to the flaw, Alves contacted ICS-CERT, which operates within the National Cybersecurity and Integration Center, a division of the Department of Homeland Security's Office of Cybersecurity and Communications; its purpose is to facilitate communication between control system vendors and those who identify vulnerabilities in their products. "I explained the tests I made and gave them the specific message that crashed the PLC," says Alves. "Then they contacted Rockwell and intermediated our conversation." Shorty thereafter, Rockwell released a firmware update that patched the vulnerability.

Since discovering and reporting the flaw, Alves has completed his paper comparing OpenPLC to commercially available PLCs and submitted it for publication. He is also the co-author of a previous article, "Virtualization of Industrial Control System Testbeds for Cybersecurity," which examined the fidelity of a virtual supervisory control and data acquisition testbed to a physical testbed so that the effects of cyberattacks on both systems could be studied.

---