In OT networks it is common knowledge that Purdue Reference Model Level 1 (L1) devices such as PLCs and DCS controllers are insecure by design. Nevertheless, L1 devices that sit at the junction of several mixed networks are often still treated as de facto security perimeters, without the hardening and risk profile that would be applied to a workstation in the same position.
Low-level remote code execution (RCE) on such an L1 device gives an attacker two things an attack confined to the device itself does not. First, the ability to cross the boundary in interfaced Basic Process Control System (BPCS)/Safety Instrumented System (SIS) architectures. Second, fine-grained manipulation of equipment on fieldbus networks nested behind the PLC, which can be used to bypass the interlocks and safety constraints that would otherwise mitigate an attack limited to manipulating the L1 device.
In this talk, we will present an overview of different real-world BPCS/SIS architectures and third-party package unit setups, and enumerate the lateral movement options available at the lowest Purdue levels. We will illustrate some of these TTPs with an in-depth discussion and demonstration of a multi-stage exploit chain that combines previously undisclosed authentication bypass and RCE vulnerabilities against a fully patched, widely used PLC in a realistic setup.
Finally, we will provide hardening recommendations for restricting attacker lateral movement at the lowest Purdue levels.