Nakatomi Space: Lateral Movement as Level 1 Post-Exploitation in OT
This talk demonstrates advanced lateral movement techniques within Operational Technology (OT) environments by targeting Level 1 control devices like PLCs and fieldbus couplers. The researcher highlights how non-routable protocols and 'dumb' field devices are often overlooked, providing an unintended path for attackers to bypass security perimeters. By exploiting vulnerabilities in firmware and abusing proprietary engineering protocols, an attacker can gain deep access to safety-instrumented systems (SIS) and manipulate physical processes. The presentation includes a proof-of-concept scenario involving a movable bridge to illustrate the potential for severe physical impact.
Breaking the Air Gap: Lateral Movement into Safety Instrumented Systems
TLDR: Modern industrial control systems often rely on non-routable, "dumb" fieldbus protocols that security teams frequently ignore. This research demonstrates how an attacker can move laterally from standard IT/OT networks into critical Safety Instrumented Systems (SIS) by exploiting firmware vulnerabilities in fieldbus couplers and PLCs. By chaining these exploits, an attacker can manipulate physical processes—like a bridge—without triggering alarms or requiring high-level credentials.
Operational Technology (OT) security often suffers from a false sense of security rooted in the belief that "non-routable" protocols or serial connections provide a natural air gap. This assumption is dangerous. As industrial environments modernize, these legacy protocols are increasingly bridged to Ethernet-based networks, creating hidden, unmonitored pathways for lateral movement. If you are performing a penetration test on an industrial site, you cannot afford to stop at the SCADA layer. The real risk lies in the "crawl space" of the network—the fieldbus segments and third-party packaged units that sit between your initial foothold and the physical process.
The Anatomy of a Deep-Level Attack
Lateral movement in OT is rarely about finding a single exploit that grants domain admin. It is about chaining small, seemingly insignificant vulnerabilities to traverse from a standard network segment into the process control layer. The research presented at Black Hat 2023 highlights how attackers can move from a standard Ethernet network, through a fieldbus coupler, and into a Safety Instrumented System (SIS).
The attack path typically begins with an exploit against a fieldbus coupler, such as the Wago 750-852. These devices act as gateways between Ethernet and fieldbus networks like CANopen or PROFIBUS. Because they are often perceived as "dumb" hardware, they rarely receive the same security scrutiny as a primary controller. However, many of these devices run real-time operating systems like Nucleus RTOS, which can be vulnerable to memory corruption.
For instance, CVE-2021-31886 describes a stack-based buffer overflow in the FTP daemon of these couplers. By sending a malformed USER command, an attacker can gain remote code execution. Once code execution is achieved, the attacker can hook the device's Modbus handler, effectively turning the coupler into a proxy. This allows the attacker to tunnel traffic directly into the restricted fieldbus network, bypassing any perimeter firewalls that only inspect standard TCP/IP traffic.
Manipulating the Safety Instrumented System
Once the attacker has a foothold in the fieldbus network, the objective shifts to the SIS. The SIS is the last line of defense in an industrial process, designed to shut down operations if parameters exceed safe limits. Manipulating this system is the "holy grail" for an attacker looking to cause physical damage.
The research demonstrates how to abuse the Schneider Electric UMAS protocol, a proprietary engineering protocol used for PLC management. While Schneider introduced an application password to secure UMAS, the implementation is often flawed. CVE-2021-22779 revealed that the "secret" used for authentication could be read directly from memory, rendering the password protection useless.
Even with patches, attackers can perform a reservation replay attack. Because the protocol lacks freshness—meaning it does not use unique nonces for every session—an attacker can sniff a legitimate authentication exchange and replay the hash to forge a session. Once authenticated, the attacker can use undocumented service codes, such as 0x50, to manipulate memory blocks directly. This allows for the injection of malicious code into the PLC without triggering a project checksum mismatch, effectively hiding the presence of the implant from the engineering workstation.
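The freshness problem described above is generic and easy to see in miniature. The following Python is an added illustration, not code from the talk and not the UMAS wire format: it models a challenge-response login in which the controller either reuses one fixed challenge (so a captured response stays valid) or issues a random single-use nonce per session (so a captured response is bound to a session that no longer exists). The password, challenge and nonce values are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Toy model, constructed for illustration: the client proves knowledge of an
# application password by returning HMAC(password, challenge). Nothing here
# reflects the real UMAS message layout.


class NonceLessController:
    """Challenge is a constant, so a response recorded once is valid forever."""

    def __init__(self, password: bytes):
        self._password = password
        # Fixed value; every session sees the same challenge (the weakness).
        self._challenge = hashlib.sha256(b"fixed-challenge").digest()

    def challenge(self) -> bytes:
        return self._challenge

    def authenticate(self, response: bytes) -> bool:
        expected = hmac.new(self._password, self._challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)


class FreshController:
    """Random per-session nonce, consumed on use: old responses cannot be replayed."""

    def __init__(self, password: bytes):
        self._password = password
        self._pending: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def authenticate(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False          # unknown or already-consumed nonce
        self._pending.discard(nonce)
        expected = hmac.new(self._password, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


def client_respond(password: bytes, challenge: bytes) -> bytes:
    """Legitimate client: bind the password to whatever challenge it was given."""
    return hmac.new(password, challenge, "sha256").digest()


def replay_against_nonceless(password: bytes = b"app-password") -> tuple[bool, bool]:
    """Returns (legitimate login accepted, replayed login accepted)."""
    ctrl = NonceLessController(password)
    captured = client_respond(password, ctrl.challenge())  # observed on the wire
    legit = ctrl.authenticate(captured)
    # A later session presenting the same recorded bytes; the password is never needed.
    replayed = ctrl.authenticate(captured)
    return legit, replayed


def replay_against_fresh(password: bytes = b"app-password") -> tuple[bool, bool, bool]:
    """Returns (legitimate login, replay with consumed nonce, replay with new nonce)."""
    ctrl = FreshController(password)
    nonce1 = ctrl.challenge()
    captured = client_respond(password, nonce1)
    legit = ctrl.authenticate(nonce1, captured)
    same_nonce = ctrl.authenticate(nonce1, captured)   # nonce already consumed
    nonce2 = ctrl.challenge()
    new_nonce = ctrl.authenticate(nonce2, captured)    # response bound to nonce1
    return legit, same_nonce, new_nonce


if __name__ == "__main__":
    print("nonce-less:", replay_against_nonceless())   # (True, True)
    print("fresh nonce:", replay_against_fresh())      # (True, False, False)
```

The point for an assessor is the second tuple: once each session carries a random nonce that is discarded after one use, a passively captured response has no session it can be accepted in, which is exactly the property the reservation replay relies on being absent.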
The Physical Impact: A Movable Bridge Scenario
To understand the real-world impact, consider a movable bridge controlled by these systems. The bridge relies on limit switches to slow down the motor as it approaches the fully closed position. If an attacker can gain code execution on the PLC, they can bypass these limit switches.
By triggering an emergency stop while the bridge is moving at full speed, the attacker forces the counterweight to exert massive, uncontrolled mechanical stress on the bridge leaf. This is not just a digital disruption; it is a physical attack that can cause structural failure. The attacker does not need to know the specific physics of the bridge; they only need to know how to manipulate the PLC's logic to ignore the safety constraints.
Defensive Strategies for Pentesters and Blue Teams
Defending against these attacks requires moving beyond simple network segmentation. Pentesters should focus on identifying multi-homed devices that bridge different network zones, especially those using serial or RF links. These are your primary targets for lateral movement.
For blue teams, the focus must be on visibility. You cannot defend what you cannot see. Standard IT security tools often fail to parse proprietary industrial protocols like UMAS or CANopen. Deploying an OT-specific monitoring solution that can perform deep packet inspection (DPI) on these protocols is essential. Furthermore, monitor for "out-of-band" engineering commands. Any attempt to modify PLC logic or bypass safety functions should trigger an immediate, high-priority alert, regardless of whether the engineering workstation reports that the system is "healthy."
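As an added example of the kind of protocol-aware check the paragraph above calls for (this is not code from the talk or from any monitoring product), the Python below parses Modbus/TCP frames, recognises UMAS by its Modbus function code 0x5A, and raises an alert when UMAS comes from a host outside an engineering-workstation allowlist or when it carries a watchlisted service code. The only service code in the watchlist is the 0x50 named in the talk; the UMAS byte layout after the function code (one session byte, then the service code), the host addresses and the sample frames are assumptions constructed for the example and should be checked against your own captures.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODBUS_FC_UMAS = 0x5A  # Modbus function 90 carries Schneider's UMAS engineering protocol

# Service codes to alert on regardless of source. 0x50 is the undocumented
# memory-block service named in the talk; extend from your own captures.
UMAS_WATCHLIST = {0x50: "undocumented memory block manipulation"}

# Hosts permitted to speak UMAS to controllers (constructed sample value).
ENGINEERING_WORKSTATIONS = {"10.0.1.10"}


@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes  # Modbus/TCP bytes: 7-byte MBAP header followed by the PDU


@dataclass
class ModbusPDU:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusPDU]:
    """Parse one Modbus/TCP frame; return None if it is not well formed."""
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:                     # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:   # MBAP length counts unit id + PDU
        return None
    return ModbusPDU(tid, uid, payload[7], payload[8:])


def umas_service_code(pdu: ModbusPDU) -> Optional[int]:
    """Assumed UMAS layout: FC 0x5A, one session byte, then the service code."""
    if pdu.function_code != MODBUS_FC_UMAS or len(pdu.data) < 2:
        return None
    return pdu.data[1]


def inspect(frames: List[Frame]) -> List[Tuple[str, str]]:
    """Run the two UMAS rules over captured frames; return (source, reason) alerts."""
    alerts: List[Tuple[str, str]] = []
    for f in frames:
        pdu = parse_modbus_tcp(f.payload)
        if pdu is None:
            alerts.append((f.src, "malformed Modbus/TCP frame"))
            continue
        svc = umas_service_code(pdu)
        if svc is None:
            continue  # plain Modbus; not covered by these rules
        if f.src not in ENGINEERING_WORKSTATIONS:
            alerts.append((f.src, f"UMAS (FC 0x5A) from non-engineering host, service 0x{svc:02X}"))
        if svc in UMAS_WATCHLIST:
            alerts.append((f.src, f"UMAS service 0x{svc:02X}: {UMAS_WATCHLIST[svc]}"))
    return alerts


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP frame with a correct MBAP length field."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic toward a controller at 10.0.2.5.
SAMPLE_FRAMES = [
    Frame("10.0.1.10", "10.0.2.5", build_frame(1, 1, 0x03, b"\x00\x00\x00\x0a")),  # read holding registers
    Frame("10.0.1.10", "10.0.2.5", build_frame(2, 1, 0x5A, b"\x00\x01")),          # UMAS from workstation, unlisted service
    Frame("10.0.3.77", "10.0.2.5", build_frame(3, 1, 0x5A, b"\x00\x01")),          # UMAS from an unexpected host
    Frame("10.0.3.77", "10.0.2.5", build_frame(4, 1, 0x5A, b"\x00\x50\x00\x00")),  # watchlisted service 0x50
]

if __name__ == "__main__":
    for src, reason in inspect(SAMPLE_FRAMES):
        print(f"ALERT {src}: {reason}")
```

Run against the sample frames, the read from the workstation and its ordinary UMAS request pass, the third frame alerts on source, and the fourth alerts twice, once on source and once on the 0x50 service. The source-based rule is what catches "out-of-band" engineering traffic even when the workstation's own view of the controller looks healthy.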
The era of relying on the obscurity of industrial protocols is over. If your network architecture allows a standard workstation to communicate with a fieldbus coupler, you have a path to the physical process. Map your assets, identify the bridges, and assume that any device capable of running code is a potential pivot point. The next step is to audit your own environment for these hidden connections before an attacker finds them for you.