In 2018, researchers from Hochschule Augsburg and Freie Universität Berlin published the paper “You Snooze, You Lose: Measuring PLC Cycle Times Under Attacks”. It measured how denial of service (DoS) attacks affect programmable logic controllers (PLCs) and showed that network flooding alone can disturb the physical process a device controls. The study covered 16 devices from six vendors, and the results made clear that traffic aimed at the network interface can change the behaviour of the processes an industrial control system (ICS) runs. The researchers concluded that controllers in their default configuration are susceptible to DoS attacks.
Another study found that DoS/DDoS attacks accounted for 25% of the attacks targeting the technology sector.
On December 12, 2019, ICS-CERT released an advisory for CVE-2019-10953. Besides a risk evaluation and technical details, it contained the responses of the affected vendors. According to the National Vulnerability Database, controllers affected by CVE-2019-10953 can be driven into a denial of service by flooding them with network packets. The flaw received a CVSS (Common Vulnerability Scoring System) score of 7.5, which rates it as “high” severity.
Phases of a PLC cycle time
Cybersecurity experts believe that DoS attacks hurt industrial systems more than IT systems, because a flood consumes time inside the PLC scan cycle. That cycle consists of four critical phases –
- Reading inputs (for example, from sensors),
- Executing program,
- Performing diagnostics and communication tasks, and
- Generating output.
Together these four phases make up the PLC cycle time, typically between 1 and 10 milliseconds. A flood stretches the communication phase, and with it the whole cycle, which is how a purely network-side attack causes major disruption in the processes the PLC controls.
PLCs react to this flaw differently: some stop updating their outputs entirely, while others keep running but slow down. Because the attacker does not need to know anything about the physical process before sending crafted network traffic, the attack can be launched in two ways –
- From the internet directly
- From a compromised device located on the same network
This form of DoS attack affects not only the network side of the PLC but also the physical process the affected PLC controls. Notably, network connectivity itself is not necessarily lost: the controller may still answer on the network while its outputs stall, so a reachability check alone will not reveal the problem.
Organizations need a Certified Network Defender (C|ND) who can identify potential threats and keep devices safe from cybercriminals. The program teaches attendees to protect against, detect and respond to network attacks, including DoS attacks, and its hands-on exercises make them job-ready.
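The two reactions described above (outputs frozen versus the whole cycle slowing down), and the fact that a device can stay reachable while its process stalls, can be made concrete with a small constructed simulation. This is an example added here, not code from the paper, the advisory or any vendor: it models one scan cycle whose communication phase services every queued packet, then runs that model in a default-like configuration, with a cycle-time watchdog that drops the controller into STOP, and with a per-cycle communication budget. The phase costs, the per-packet handling cost, the watchdog limit, the budget and the flood rate are all assumed values chosen to make the effect visible; real figures are device-specific. `cycle_time_alarms` is the check a practitioner would run over externally measured cycle times, for instance an output toggled once per scan and timed from outside the PLC.

```python
"""Constructed model of a PLC scan cycle under a network flood (added example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional

# Cost of each scan-cycle phase in microseconds (assumed values).
READ_INPUTS_US = 100
EXECUTE_PROGRAM_US = 500
WRITE_OUTPUTS_US = 100
PER_PACKET_US = 50  # assumed cost to parse and answer one request in the comms phase
NOMINAL_CYCLE_US = READ_INPUTS_US + EXECUTE_PROGRAM_US + WRITE_OUTPUTS_US  # 700 us


@dataclass
class PLC:
    # Upper bound on time per cycle spent servicing network requests.
    # None models a default configuration that services every queued packet.
    comm_budget_us: Optional[int] = None
    # Cycle-time watchdog: exceeding it puts the controller into STOP, after
    # which outputs are no longer updated. None disables the watchdog.
    watchdog_us: Optional[int] = None
    rx_queue: deque = field(default_factory=deque)
    cycle_times_us: List[int] = field(default_factory=list)
    outputs_updated: int = 0
    stopped: bool = False

    def receive(self, n_packets: int) -> None:
        """The network stack queues packets regardless of what the logic is doing."""
        self.rx_queue.extend(range(n_packets))

    def scan_cycle(self) -> Optional[int]:
        """One scan: read inputs, execute program, communicate, write outputs."""
        if self.stopped:
            # In STOP the network side still drains its queue (the device stays
            # reachable) but the outputs are frozen, the dangerous case for the process.
            self.rx_queue.clear()
            return None
        elapsed = READ_INPUTS_US + EXECUTE_PROGRAM_US
        comm_spent = 0
        while self.rx_queue:
            if self.comm_budget_us is not None and comm_spent + PER_PACKET_US > self.comm_budget_us:
                break
            self.rx_queue.popleft()
            comm_spent += PER_PACKET_US
        # Requests not serviced within the budget are dropped (bounded receive buffer).
        self.rx_queue.clear()
        elapsed += comm_spent + WRITE_OUTPUTS_US
        self.cycle_times_us.append(elapsed)
        if self.watchdog_us is not None and elapsed > self.watchdog_us:
            self.stopped = True  # controller halts; this cycle's outputs are not written
            return elapsed
        self.outputs_updated += 1
        return elapsed


def run(plc: PLC, cycles: int, packets_per_cycle: int) -> PLC:
    """Deliver packets_per_cycle requests per scan and execute the scans."""
    for _ in range(cycles):
        plc.receive(packets_per_cycle)
        plc.scan_cycle()
    return plc


def cycle_time_alarms(cycle_times_us: List[int], limit_us: int) -> List[int]:
    """Indices of scans whose measured cycle time exceeded limit_us."""
    return [i for i, t in enumerate(cycle_times_us) if t > limit_us]


if __name__ == "__main__":
    flood = 2000  # assumed number of requests arriving per scan during the flood
    default = run(PLC(), cycles=10, packets_per_cycle=flood)
    watchdog = run(PLC(watchdog_us=10_000), cycles=10, packets_per_cycle=flood)
    budgeted = run(PLC(comm_budget_us=1_000), cycles=10, packets_per_cycle=flood)
    for name, plc in (("default", default), ("watchdog", watchdog), ("budgeted", budgeted)):
        print(f"{name:9s} worst cycle {max(plc.cycle_times_us):>7d} us, "
              f"outputs updated {plc.outputs_updated:2d}/10, "
              f"alarms {cycle_time_alarms(plc.cycle_times_us, 10_000)}")
```

The default configuration keeps updating outputs but each scan balloons from 700 µs to over 100 ms, which is the slow-down case; the watchdog variant trips on the first flooded scan and never writes outputs again, which is the frozen-outputs case; the budgeted variant stays at 1.7 ms per scan because surplus requests are discarded instead of serviced. In every variant the device still accepts packets, so a ping-style reachability check would report it healthy; only the cycle-time measurement shows the attack.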