
Comparing Stealth Security Issues: PLC RUN Mode and Webcam LEDs

Rob Hulsebos, OT Engineer | February 26, 2025

Recently I read about a vulnerability (discovered every odd year) that on a laptop the webcam may be on without the accompanying LED also on. So, the user doesn’t notice (s)he’s being watched.

How is this possible? In simple terms, the LED is under software control, separate from the camera. So a piece of malware can stealthily switch the camera on without the LED lighting up.

Now in the Operational Technology (OT) space, the owners of Programmable Logic Controllers (PLC) are always asked to put the ‘mode’ switch of their PLC in the ‘RUN’ position. This switch (physical or toggle) often has settings, such as ‘RUN’ and ‘PROGRAM’ (in a few variations depending on the vendor).

PLCs are part of the control system. As our glossary page on OT security explains: “These systems receive data from sensors, make decisions, and regulate physical processes. This category comprises PLCs, Distributed Control Systems (DCS), and Supervisory Control and Data Acquisition (SCADA) systems.”

Now I was thinking, if malware can switch off a webcam LED, could it also cause the mode switch of a PLC or other operational functions to be ignored?

For those with limited OT knowledge: a PLC’s program can be overwritten in ‘PROGRAM’ mode, but not in ‘RUN’ mode. This is a simple safeguard to protect the currently running PLC program. It was originally invented in the 1970s to prevent unwanted changes by local staff; attackers of OT systems didn’t exist yet. Only the person in possession of the physical switch could download a new PLC program by switching to ‘PROGRAM’ mode.

Good housekeeping practice then mandates that, when done, the mode is set back to ‘RUN’ (and the switch is removed). Later, when PLCs got connected to networks and could be attacked by hackers, the mode switch got a new function: protection against remote attacks.

PLC Program Mode Attacks: Not Hypothetical

This is only hypothetical, right? Definitely not! It happened in 2017 in Saudi Arabia, where a Schneider Triconex safety PLC was attacked with the Triton malware. Allegedly, the PLC mode switch was not in RUN mode. This specific attack targeted a petrochemical refinery – and could have been incredibly lethal were it not for the emergency shutdown systems.

“Worst-case scenario here, you’re dealing with a potential release of toxic hydrogen sulfide gases, a potential for explosions from high pressure, high temperature,” said Julian Gutmanis, a cybersecurity contractor, as quoted by E&E News/Politico.

Here’s some important OT-specific malware that our security researchers have been tracking: between 2010 and 2017, five OT-targeting malware families were identified (Stuxnet, Havex, BlackEnergy3, Industroyer and Triton). Since 2022, however, there have been five more significant OT malware discoveries: Industroyer2 and INCONTROLLER in 2022, COSMICENERGY in 2023, and Fuxnet and FrostyGoop/BUSTLEBERM in 2024.

Go deeper: Read the full Vedere Labs analysis: ICS Threats: Malware Targeting OT? It’s More Common Than You Think


One of the most infamous industrial and stealth security attacks was Stuxnet (in 2010) which is coming up to its 15th anniversary this year. The specific targets were Siemens PLCs controlling uranium enrichment centrifuges at the Natanz facility in Iran. The initial access method was an infected USB drive, since the target network was air-gapped. The malware was designed to make the centrifuges spin irregularly while still informing engineers that everything was operating as usual.

My PLC Is in ‘RUN’ mode, Am I 100% Safe?

It all depends on what’s behind the physical toggle switch. If the switch drives an (electronic) signal directly into the PLC circuitry that allows only read access to program memory, then the PLC is properly protected against unwanted changes. But suppose the switch setting is just an input to the processor, and a piece of software is the sole guardian deciding whether to enforce read-only access? Software can be hacked. Is such a PLC well protected against attackers? Just as the camera LED can be switched off, the mode switch could be ignored if malware decides so.

But how do we know what’s inside the PLC? We don’t. Only the vendor knows. Alternatively, we could open up a PLC and trace all signals on the printed-circuit board, but that would take some time. Reverse engineering of the PLC runtime binary could also be an option, but this is not simple. Likely, you may need to do both to reach a conclusion.

Unfortunately, vendors don’t disclose details about the innards of their devices. Network monitoring can’t detect the state of the mode switch (the switch itself generates no network traffic). However, some network monitoring tools are able to detect a download command to a PLC — including Forescout’s eyeInspect.

Note: The new European Machinery Regulation 2023/1230 requires (safety) PLCs to be protected against corruption. The regulation takes effect in 2027. This will help bring the mode switch back into the spotlight. Yet, it’s still two years away.

What Can Be Done Until the New Machinery Regulation 2023/1230 Takes Effect?

In the meantime, our Vedere Labs research team advises the following mitigations for OT/ICS security:

  • Do not expose IoT/OT/ICS devices directly to the internet; follow CISA’s guidance on providing remote access for industrial control systems.
  • Segment the network to isolate IT, IoT and OT devices, limiting network connections to only specifically allowed management and engineering workstations or among unmanaged devices that need to communicate.
  • Ensure administrative interfaces (such as web UIs and engineering ports) on connected devices are behind IP-based access control lists or are only accessible from a separate, VPN-protected management VLAN.
  • Add authentication to administrative interfaces of IoT and OT devices, such as web UIs and proprietary engineering ports.
  • Use an IoT/OT-aware, DPI-capable monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions such as vulnerability exploitation, password guessing and unauthorized use of OT protocols.
  • Monitor the traffic of IoT/OT devices to identify those being used as part of distributed attacks.
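The two points above about monitoring (that a network monitor cannot see the mode switch, but can see a program download on the wire, and that a DPI-capable monitor should alert on unauthorized use of OT protocols) can be turned into a concrete detection rule. The following is an added example, not Forescout’s eyeInspect code nor anything from the original post: it runs over a handful of constructed monitoring events (the event format, IP addresses, protocol and operation names are all assumptions) and raises an alert for every program-changing operation aimed at the PLC subnet. Because the monitor has no view of the switch position, a download that succeeds is itself the evidence worth a ticket, even from an approved engineering workstation, and a download from any other host is treated as high severity.

```python
"""Added example (not Forescout's or the author's code): flag PLC program
downloads seen by an OT network monitor.

Everything below the imports is constructed for illustration: the event line
format, the allowlisted engineering workstations, the PLC subnet and the
operation names a DPI engine would emit after decoding the engineering
protocol. A real monitor produces its own schema; map that schema onto
Event() and the rule logic stays the same.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed allowlist: the only hosts permitted to push programs to PLCs.
ENGINEERING_WORKSTATIONS = {"10.10.5.20", "10.10.5.21"}
# Constructed PLC subnet; program changes to anything else are out of scope here.
PLC_SUBNET = ip_network("10.20.0.0/24")
# Constructed operation names for actions that change what the PLC executes.
PROGRAM_CHANGE_OPS = {"program_download", "firmware_update", "mode_change"}


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    proto: str
    op: str


@dataclass
class Alert:
    severity: str   # "high" or "medium"
    reason: str
    event: Event


def parse_event(line: str) -> Event:
    """Parse one constructed log line: 'ts src dst proto op', space separated."""
    ts, src, dst, proto, op = line.split()
    return Event(ts, src, dst, proto, op)


def assess(event: Event) -> Optional[Alert]:
    """Return an Alert if the event changes a PLC's program, else None."""
    if event.op not in PROGRAM_CHANGE_OPS:
        return None                      # reads, tag writes etc. are routine
    if ip_address(event.dst) not in PLC_SUBNET:
        return None                      # not a PLC we protect with this rule
    if event.src not in ENGINEERING_WORKSTATIONS:
        return Alert("high",
                     f"{event.op} to {event.dst} from non-engineering host {event.src}",
                     event)
    # The monitor cannot see the mode switch. A download that gets through is
    # the only evidence that the PLC was not in RUN (or that RUN was ignored),
    # so even an approved workstation's download should be reviewed.
    return Alert("medium",
                 f"{event.op} to {event.dst} from engineering host {event.src}",
                 event)


def run(lines: List[str]) -> List[Alert]:
    """Apply the rule to every line and keep only the alerts."""
    return [a for a in (assess(parse_event(line)) for line in lines) if a]


# Constructed sample events, one per line.
SAMPLE_LOG = [
    "2025-02-26T10:00:01Z 10.10.5.20 10.20.0.15 eng-proto read_tag",
    "2025-02-26T10:00:05Z 10.10.5.20 10.20.0.15 eng-proto program_download",
    "2025-02-26T10:01:10Z 10.10.7.99 10.20.0.16 modbus write_coil",
    "2025-02-26T10:02:30Z 10.10.7.99 10.20.0.16 eng-proto program_download",
    "2025-02-26T10:03:00Z 10.10.5.21 10.30.0.5 eng-proto program_download",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.event.ts} {alert.reason}")
```

Running the block on the constructed events yields two alerts: a medium one for the approved workstation 10.10.5.20 downloading to 10.20.0.15, and a high one for the unknown host 10.10.7.99 doing the same to 10.20.0.16. The Modbus coil write and the download to a host outside the PLC subnet produce nothing, which is the intended scope of this one rule; a full deployment pairs it with the segmentation and access-control measures listed above so that the high-severity case cannot reach the PLC in the first place.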

And, of course: Set the PLC to ‘RUN’ mode!

Learn more: Watch our on-demand webinar featuring research analyst Chris Ray of GigaOm “From Detection to Action: Enhancing OT Security”.


About the Author

Rob Hulsebos has been with the Forescout OT Competence Center since 2018. He has 30 years of experience in industrial networks and machine building, network troubleshooting and OT cybersecurity. He is also active as a teacher and a published author.
