ICS | May 31, 2022

PLC Hacking (Pt. 1)

Programmable Logic Controllers (PLCs) are industrial computers used to control electro-mechanical processes in manufacturing, process plants and other automation environments. PLCs range from small modular devices with tens of inputs and outputs (I/O) in a housing integral with the processor, to large rack-mounted modular systems with thousands of I/O points, and they typically sit on networks alongside other PLCs and SCADA systems. PLCs run much of the world's critical infrastructure; they have been widely adopted as high-reliability automation controllers suitable for harsh environments.

Even though PLCs are used in mission-critical applications such as nuclear power plants, they were not designed with cybersecurity in mind. A well-known example of an ICS attack is Stuxnet, which targeted Iran's nuclear program by manipulating the PLCs controlling its centrifuges. The industrial cybersecurity industry has grown significantly in recent years, and more organizations are following the Purdue Model for segmenting the Operational Technology (OT) network from the Information Technology (IT) network to improve their security posture.

In our “PLC Hacking” series, we are going to cover different methods of interacting with PLCs, the protocols they use, and their inherent lack of security protections. In this first post, we will set up a PLC and write a ladder logic program to it.

Requirements: 

  • Koyo CLICK C0-10DRE-D PLC and its 24V DC power supply.
  • A Windows PC/VM with an Ethernet port for configuring the PLC using the CLICK programming software.
  • A Kali Linux VirtualBox VM as an attack machine.
  • A TP-LINK smart switch.
  • Ethernet cables.
  • Electrical wires.

Power up the PLC using a 24V 2A DC power supply. Wire the Windows PC and the PLC to the switch with Ethernet cables, and set the network adapter of the Kali VM in its VirtualBox settings to “Bridged Adapter” so it shares the same Layer 2 segment as the PLC. Then, download and install the free CLICK programming software on the Windows machine. After installation, we see the following screen on opening the application.

Click on “Connect to PLC”. We will now be presented with the following screen:

Make sure that the PLC, Windows PC, Switch and Linux VM are on the same subnet. For example, assign the following static IP addresses on a 10.0.1.0/24 subnet. 

  • Switch: 10.0.1.1 
  • PLC: 10.0.1.10 
  • Windows PC: 10.0.1.20 
  • Kali Linux: 10.0.1.30 

If the subnet of the PLC does not match, click the “Edit…” button (see screenshot above), and assign the preferred IP. It should look similar to this.

The network settings on our Windows machine are shown below. 

Kali Linux’s network settings are shown below:

Now, we’ll proceed with connecting to the PLC. 

Select “Read the project from the PLC” and press “OK”. This option will read the current project from the PLC, if any.

A new project should look similar to the screenshot below. 

Now, we’ll do a bit of PLC programming using ladder logic. We’ll create a simple program in which pressing a button (an input) turns on a light (an output). A ladder diagram represents a control program in the style of an electrical wiring schematic: the two vertical lines (the rails) represent the power supply, and each horizontal line (a rung) is one control circuit. The PLC evaluates the rungs from top to bottom on every scan cycle, so each rung reads as “if these contacts pass power, energize this coil”.

The first step is to drag a NO (normally open) Contact from the Instruction List onto rung number one. A normally open contact passes power only while the bit it references is ON.

Then, we’ll proceed to select the address by clicking the Address button on the right-hand side, as shown in the following screenshot: 

A dialog box will appear, allowing us to select an address from the list of addresses available on Koyo Click. 

Double-click the first address; that is, “X001” and click “OK”.

So, now that we have an input, we’ll need an output. Drag the Out function under the Coil section of the “Instruction List” menu on the right-hand side of the user interface to the (NOP) location at the end of rung 1, as shown in the following screenshot:

Once the function locks in, it will create a dialog box, asking the programmer to configure Bit Memory addressing, as shown here:

Click the memory address picker icon and an Address Picker dialog box pops up. The following screenshot shows that the address picker automatically displays the list of physical output addresses.

Pick Y001 as the output address for the coil that we placed onto rung 1 and select OK. As shown in the following screenshot, it has auto-populated the Bit Memory Address1 field.

Repeat the steps shown above on rung 2, 3 and 4 with X002-X004 inputs and Y002-Y004 outputs respectively. 

Next, we need to add an END instruction to mark the end of the program; the PLC stops evaluating rungs at END and starts the next scan from rung 1. From the “Instruction List” menu, under the “Program Control” heading, select and drag the END function to the (NOP) location at the end of rung 5, as shown in the following screenshot:
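To make the scan semantics of the program built above concrete, here is a small ladder-logic scan simulator. This is an added example, not code from the original post or from the CLICK software: the `Contact`, `Rung` and `ClickSim` names are our own, and the program it builds is the same four rungs (X001-X004 driving Y001-Y004, then END). It goes slightly beyond the page by also supporting normally closed contacts and several contacts in series on one rung, which is the general form of the rungs the page shows one instance of.

```python
"""Minimal ladder-logic scan simulator (added example, not part of the original post).

Models the PLC scan the text describes: read the I/O image, evaluate rungs
top to bottom, stop at END, repeat. Addresses such as "X001"/"Y001" follow the
CLICK naming used in the post; everything else here is a simplification.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Contact:
    address: str                 # bit the contact reads, e.g. "X001"
    normally_open: bool = True   # NO passes power when bit is ON; NC when bit is OFF


@dataclass
class Rung:
    contacts: List[Contact]      # contacts wired in series (logical AND)
    coil: Optional[str]          # OUT coil address, e.g. "Y001"; None means END


END = Rung(contacts=[], coil=None)


class ClickSim:
    """Toy PLC: an I/O image table, a rung list and a RUN/STOP mode."""

    def __init__(self, rungs: List[Rung]) -> None:
        self.rungs = rungs
        self.image: Dict[str, bool] = {}   # address -> bit state
        self.mode = "STOP"                 # projects are written in STOP, then switched to RUN

    def set_input(self, address: str, state: bool) -> None:
        self.image[address] = bool(state)

    def scan(self) -> Dict[str, bool]:
        """One scan cycle. In STOP no rungs are evaluated (outputs unchanged here)."""
        if self.mode != "RUN":
            return dict(self.image)
        for rung in self.rungs:
            if rung.coil is None:          # END: nothing below it runs this scan
                break
            power = True
            for c in rung.contacts:
                bit = self.image.get(c.address, False)
                power = power and (bit if c.normally_open else not bit)
            self.image[rung.coil] = power  # OUT coil tracks rung power every scan
        return dict(self.image)

    def outputs(self) -> Dict[str, bool]:
        return {k: v for k, v in self.image.items() if k.startswith("Y")}


def build_program() -> List[Rung]:
    """The four rungs from the post: X001->Y001 ... X004->Y004, then END."""
    rungs = [Rung([Contact(f"X00{i}")], f"Y00{i}") for i in range(1, 5)]
    rungs.append(END)
    return rungs


def run_demo() -> Dict[str, bool]:
    """Energize X001 and X003 (constructed input) and report Y001-Y004 after one scan."""
    plc = ClickSim(build_program())
    plc.set_input("X001", True)
    plc.set_input("X003", True)
    plc.scan()                 # still in STOP: nothing happens yet
    plc.mode = "RUN"
    plc.scan()
    return plc.outputs()


if __name__ == "__main__":
    print(run_demo())
```

Toggle X001-X004 in `set_input` and re-run `scan()` to see the coils follow the inputs exactly as the physical Y1-Y4 LEDs will once the project is in the PLC; a rung placed after END is never evaluated, which is why the END instruction belongs on the last rung.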

After we add the END function, we’ll run a syntax check on the project. The Syntax Check command is located under the “Program” menu.

In the output window, we should see the outcome of the syntax check.  

To write the project to PLC, select the “Write Project into PLC” option from the PLC menu, as shown in the following screenshot.

Note: The PLC must be in STOP mode before a project is written to it; the software will prompt for the mode change if the PLC is still in RUN. Writing a project stops the running logic, so on a live controller this would halt the process it controls.

Continue by clicking OK. 

If everything goes smoothly, we should see a Transfer completed dialog box, as shown here: 

Next, you will be asked to change the PLC Modes setting from STOP to RUN, as shown here: 

Select OK to put the PLC in RUN mode. 

Now that the project has been written to the PLC and the mode has been changed to RUN, we can finally test it using the local inputs X1-X4 that we referenced as X001-X004 in the program. On the terminal block, C1 is Common 1 (the shared return for the input group) and Y1-Y4 are the outputs.

The input voltage for our C0-10DRE-D PLC is 24V DC. Since our power supply is also 24V, we’ll power the inputs from the same supply: wire the C1 common terminal to one pole of the supply and touch the other pole to each input so that each input forms a complete circuit. If the wiring is correct, energizing inputs X1-X4 will energize the corresponding coils, and we should see the red status LEDs on Y1-Y4 light up, as shown here:

In this blog, we learned how to set up a connection with the Koyo CLICK PLC and write a basic ladder logic program to it. We wired up inputs X1-X4 and observed that outputs Y1-Y4 light up in response to their respective inputs. In PLC Hacking Part 2, we will look at overriding data and at interacting with the PLC over industrial protocols such as Modbus TCP and EtherNet/IP.



by Redfox Security Team
