Industrial Control Systems (ICS) Hardware Hacking

In industrial environments the chances that you are using special-purpose hardware like ROS, ARM, is high, and the odds that the OEM has introduced security in its design are low. It has been demonstrated many times that industrial hardware and software was not designed with security in mind, as these systems were historically isolated from office network environments and the Internet, reducing their exposure to potential attackers. With the progress of technology and increased demand from business for real-time data and remote access services, control systems are now interconnected with other company networks, exposing the hardware, services and protocols to attackers, and many examples have already proved that those are not ready to deal with the attacks.

In the meantime, the availability of cheap hardware, the maker movement and the explosion of IoT have facilitated security research on hardware and led people to investigate areas that were previously reserved for a select minority with access to very expensive equipment. Security researchers started to focus more on hardware thanks to the appearance of tools like the JTAGulator, Shikra, Bus Pirate, Software Defined Radio dongles, logic analyzers and many more, increasing the publication and disclosure of security vulnerabilities in the car industry (like the Chevrolet remote driving hack), the health industry (on different monitoring devices) and industrial devices and protocols, like we did with WirelessHART, which affects multiple vendors.

A growing area of concern for hardware devices is supply chain security, where hardware can be tampered with at different points in the chain by adding "implants" to provide backdoors, exfiltrate data, etc. This was clearly depicted by the Snowden leaks about the Tailored Access Operations unit (TAO):

"Here’s how it works: shipments of computer network devices (servers, routers, etc.,) being delivered to our targets throughout the world are intercepted. Next, they are redirected to a secret location where Tailored Access Operations/Access Operations (AO-S326) employees, with the support of the Remote Operations Center (S321), enable the installation of beacon implants directly into our targets’ electronic devices. These devices are then re-packaged and placed back into transit to the original destination. All of this happens with the support of Intelligence Community partners and the technical wizards in TAO."

This is an example of a state-funded program which is highly targeted, but there are other cases like the recent Delta Electronics front companies linked to the Dragonfly phishing campaign, or the DeathRing malware that was preinstalled on many smartphones in Asia and India.

If you are a vendor or an asset owner and you want to ensure that the components that you produce or operate are secure, or if you are looking after the security of critical infrastructure, Applied Risk can help you perform in-depth hardware and embedded security assessments to reduce the attack surface of your devices and increase the security and safety of your control systems environment.