Attending this event?
Welcome to the Interactive Agenda for SecurityWeek’s 2017 ICS Cyber Security Conference! (View the full conference website here)  

(You can register for the conference here)
View analytic
Tuesday, October 24 • 4:15pm - 5:00pm
Not Your Father’s AM Radio Transmission: Exfiltrating Reconnaissance Data from Air-Gapped ICS/SCADA Networks

Sign up or log in to save this to your schedule and see who's attending!

Not Your Father’s AM Radio Transmission: Exfiltrating Reconnaissance Data from Air-Gapped ICS/SCADA Networks By Injecting Ladder Logic Code into PLCs

There are multiple ways that attackers can deploy malware to an air-gapped network, including compromising vendor update mechanisms or infecting USB drives or laptops of third-party contractors who connect directly to the air-gapped network for maintenance purposes. 

In this talk we cover the following scenario: An attacker compromises the air-gapped network with autonomous, self-directed malware that performs reconnaissance to discover the network topology, the specific types of industrial devices connected to it (as with the CrashOverride malware used in the 2016 Ukrainian grid attack), and perhaps sensitive IP such as secret formulas and nuclear blueprints. Once the reconnaissance information has been collected, how do you exfiltrate the data so it can used to plan and mount physical attacks?

Previous researchers have shown how to exfiltrate data from air-gapped networks using RF signals emitted from PCs, but persistent PC-based malware has a high probability of being detected. However, Programmable Logic Controllers (PLCs) don’t use anti-malware programs because they have limited CPU/memory and run embedded real-time operating systems. As a result, they’re ideal targets for compromise using malicious ladder logic (the code used in PLCs).

We’ll explain how to inject specially-crafted ladder logic code into a Siemens S7-1200 PLC. The code uses memory copy operations to generate frequency-modulated RF signals slightly below the AM band (340kHz-420kHz), with the modulation representing encoded reconnaissance data. The signal can then be picked up by a nearby antenna and decoded using a low-cost Software-Defined Radio (SDR) and a PC. The receiving equipment can be located just outside the facility or even mounted on a drone flying overhead.

Finally, we’ll show a live demo and discuss various ways to defend against this type of attack.

avatar for David Atch

David Atch

VP of Research, CyberX
David is a world-class ICS cybersecurity expert with many years of real-world experience in malware analysis, threat hunting, and incident response.  In February 2016, he uncovered Operation BugDrop, a large-scale cyber-espionage campaign targeting critical infrastructure design and other firms in the... Read More →

Tuesday October 24, 2017 4:15pm - 5:00pm

Attendees (24)