
Evil PLC attacks in the industrial arena—How bad actors weaponize PLCs

Sept. 30, 2022
What if the PLC wasn’t the prey and, instead, was the predator?

By Sharon Brizinov, Claroty director of security research

Programmable logic controllers (PLCs) are indispensable industrial devices that control manufacturing processes in every critical infrastructure sector. Because of their position within automation environments, threat actors covet access to PLCs and target them frequently.

But what if the PLC wasn’t the prey and, instead, was the predator?

How threat actors target PLCs

Bad actors could turn PLCs into weapons for an attack and use them to compromise engineering workstations. An attacker with a foothold on a workstation can gain access to anything else on the OT network, including other PLCs.

Our research team has developed an “evil PLC attack technique” that turns PLCs into the tool rather than the target. By weaponizing one PLC and luring an engineer to connect or diagnose the affected PLC, an attacker may, in turn, compromise the engineer’s workstation. The engineer’s machine is the best source for process-related information and would have access to all the other PLCs on the network. With this access and information, the attacker can easily alter the logic on any other PLC in the network, disrupt the process, and cause harm that could impact physical safety.

The quickest approach for a bad actor to lure an engineer to connect to an infected PLC would be for the attacker to cause a malfunction or a fault on the PLC. That will compel the engineer to connect using the engineering-workstation software as a troubleshooting tool, thus initiating the “evil PLC attack.”

Preventing an attack

By focusing on the PLC as the tool rather than the target, it's easier to understand how to prevent an attack. An attacker who compromises the engineering workstation gains the access and information needed to alter the logic on any PLC, but by safeguarding the entire workstation, you’re able to prevent an attack in its entirety.

Researching our “evil PLC attack” resulted in working proof-of-concept exploits against seven market-leading automation companies. Engineering-workstation software gives engineers and technicians the tools they need to diagnose, control and maintain the PLCs. Using the engineering workstations, it is possible to perform health checks on the PLC, view the current state of all its components (including memory variables and physical aspects of the I/O), do firmware upgrades, and modify the PLC code logic.

Preparedness and awareness are crucial

Evil PLC attacks aren’t common, but that doesn’t mean they aren’t a threat. Asset owners and operators need to update to the latest versions of the affected products in their environments to help ensure these attacks are stopped before ever becoming an issue.