Going Deeper into Schneider Modicon PAC Security

PRESENTATION SLIDES (PDF)

To provide an economical way to deliver functional control in the gap between the PLC and the DCS, Schneider offer industrial process automation controllers-Modicon PACs（M580, M340, MC80,etc）.Modicon PACs feature redundancy functionality, native Ethernet, embedded cybersecurity，But are these industrial brains, widely used in power, water, and critical infrastructure, really secure?

In this presentation，we will focus on Schneider Modicon PAC controllers and illustrate in two dimensions: Private communication protocol and Password protection mechanism for CPU (Application and Firmware). We will cover:

• The security issues of the private protocol UMAS used by Modicon PAC, not only the undisciplined authorization process, but also analyzing the security of the encryption protocol in the latest version.
• How to quickly build your own fuzz program tools to find 0-days based on the UMAS protocol.
• Disclose the password protection mechanism of Modicon PAC in detail illustrating how to bypass the password-protected security policy and getting controller access to perform dangerous operations such as Application upload, controller state modifications, and key parameter modifications without authorization.

In addition, we will also demo a novel attack that bypasses the Modicon PAC security protection mechanism to insert a malicious ransomware application, proving the impact of Modicon PAC flaws should they be exploited. We conclude with defensive strategies and recommendations for this type of attack.