Program Organization Units
Jump to navigation
Jump to search
Program Organization Units | |
---|---|
Technique | |
ID | T0844 |
Tactic | Execution, Lateral Movement |
Asset | Safety Instrumented System/Protection Relay, Field Controller/RTU/PLC/IED |
Description
Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects.1 POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic.2 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON.3
Stuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected 4:
- Increase the size of the original block.
- Write malicious code to the beginning of the block.
- Insert the original OB1 code after the malicious code.
Procedure Examples
- PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Organization Block, Data Block, Function, and Function Block.3
- Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.4
Mitigations
- Audit - Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.5
References
- ^ John Karl-Heinz. (n.d.). Programming Industrial Automation Systems. Retrieved October 22, 2019.
- ^ Mark Weber. (2012, March 28). Practical Applications of IEC 61131 in Modern Electrical Substations. Retrieved October 22, 2019.
- a b Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.
- a b Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- ^ IEC. (2019, February). Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components. Retrieved September 25, 2020.