
The recently launched NCBJ Laboratory of Cybersecurity has recorded its first success: its scientists discovered a dangerous vulnerability in the firmware of a widely used programmable logic controller (PLC), deployed, for example, in nuclear installations. The manufacturer has already fixed the issue and recommended the necessary adjustments to all its clients.

The National Centre for Nuclear Research's participation in the programme „Enhancing Computer Security Analysis at Nuclear Facilities”, led by the International Atomic Energy Agency, resulted in the construction of a specialised laboratory, CyberLAB. The laboratory tests programmable logic controllers (PLCs) for cybersecurity weaknesses, and in the future it will also examine other industrial control systems.

Although the laboratory is still under construction, it has already achieved considerable success. The CyberLAB team found a vulnerability in the firmware of the Siemens S7-1500 PLC. This controller is widely used, for example in nuclear installations. The vulnerability allows a denial-of-service attack, which results in loss of communication with the controller. If the controller manages critical processes, such an attack can have catastrophic consequences. Moreover, after a successful attack, communication can be restored only by manually restarting the controller.

„Testing a system which normally communicates with other industrial devices over a network connection consists of sending an enormous number of modified input signals” – explains MSc Eng Marcin Dudek (NCBJ). „The signals we send are computer-generated in accordance with the syntax of the communication protocol of the tested device – in this case the Profinet protocol. We check whether certain signals or sequences of signals result in unexpected behaviour. This procedure is called fuzzing or fuzz testing. In the case of the S7-1500 controller it turned out that there are some sequences of input signals which cause a malfunction of the component responsible for network communication, effectively cutting the controller off from any input signals. We managed to identify the problem quite precisely and sent our observations to Siemens’ engineers.”

The vulnerability was reported to the manufacturer under the procedure developed by CyberLAB, in line with the good practice of responsible disclosure. NCBJ’s team provided full documentation of the flaw and a „Proof of Concept” script that allowed the manufacturer’s lab to reproduce it easily. The vulnerability was assigned the identifier CVE-2018-13805 and its details were published on Siemens’ website: https://cert-portal.siemens.com/productcert/pdf/ssa-347726.pdf. Before publication, all current users were given instructions on how to remove the vulnerability.

The manufacturer appreciated the work of the CyberLAB team. The people involved in finding the flaw were listed in the company’s „Hall of Thanks”: https://www.siemens.com/global/en/home/products/services/cert/hall-of-th.... They are NCBJ employees Marcin Dudek, Jacek Gajewski, Kinga Staszkiewicz, Jakub Suchorab and Joanna Walkiewicz.

Cybersecurity is one of NCBJ’s priorities and a subject of research conducted at the institute. Apart from building the laboratory mentioned above, the Institute participates, for example, in the project Narodowa Platforma Cyberbezpieczeństwa (National Cybersecurity Platform, NPC; led jointly with the Academic Scientific Computer Network – NASK, the Warsaw University of Technology and the Institute of Communication). In 2018 the CyberLAB team submitted three more project applications to the H2020 and RPO programmes. We hope that their implementation will allow a considerable expansion of the current lab and an increase in the number of specialists employed there.

Cybersecurity is also a theme of cooperation between the teams of CyberLAB and the „Świerk” Science and Technology Park with the University of Euroregional Economy and the Scientific and Research Centre for Fire Protection in Józefów. These institutions organise a yearly scientific conference on security. This year’s ninth edition is titled „Information technology in creating the culture of cyberspace – an aspect of cybersecurity”. It will be held on 25 October at NCBJ in Świerk.

foto: Marcin Jakubowski / NCBJ