Safety is not Security: Exploring Authentication and Authorization in Mitsubishi Electric iQ-R Safety PLCs

Programmable Logic Controllers (PLCs) are utilized to orchestrate industrial processes in critical infrastructure. In particular, Safety PLCs are used to trigger safety systems into immediate action to prevent personnel injury, equipment damage, or a cyber-physical event.

The Mitsubishi Electric iQ-R Series SFCPU is a popular family of safety controllers and is one of the few PLCs that require a set of credentials, which increases their security. The International Electrotechnical Commission (IEC) has labeled these controllers an IEC 61508 SIL 3 certified product and safe to deploy in critical environments. However, cybersecurity has not been considered into this evaluation.

In this presentation, Nozomi Networks Labs will disclose undocumented implementation details of authentication and authorization in these controllers, and present a series of 0-day vulnerabilities discovered in our analysis. By chaining these flaws together, we demonstrate how an unauthenticated cyber adversary can disrupt the controller’s safety logic and simultaneously cut off all legitimate users, leaving them with no other option except to physically access the device to restore it. We will conclude the presentation with some key actions to solve or help mitigate the risks.