Abstract

In the past, it was not possible to update the underlying software in many industrial control devices. Engineering teams had to “rip and replace” obsolete components. However, the ability to make firmware updates has provided significant benefits to companies who use Programmable Logic Controllers (PLCs), switches, gateways and bridges, as well as an array of smart sensor/actuators. While these updates — which include security patches when vulnerabilities are identified in existing devices — can be distributed by physical media, they are increasingly downloaded over Internet connections. These mechanisms pose a growing threat to the cyber security of safety-critical applications, which is illustrated by recent attacks on safety-related infrastructures across the Ukraine. This paper explains how malware can be distributed within firmware updates. Even when attackers cannot reverse engineer the code necessary to disguise their attack, they can undermine a device by forcing it into a constant upload cycle in which the firmware installation never terminates. In this paper, we present means of mitigating the risks of firmware attacks on safety-critical systems as part of wider initiatives to secure national critical infrastructures. Technical solutions, including firmware hashing, must be augmented by organizational measures to secure the supply chain within individual plants, across companies and throughout safety-related industries.