New Attack Weaponizes PLCs to Hack Enterprise and OT Networks

  • A new attack can weaponize programmable logic controllers (PLCs) to exploit engineering workstations and subsequently invade OT and enterprise networks.

    The attack, which targets engineers working on industrial networks, configuring and troubleshooting PLCs, was developed by the Team82 group by Claroty, who called it the “Evil PLC Attack.”

    According to the security experts, the research resulted in working proof-of-concept exploits against seven market-leading automation companies: Rockwell Automation, Schneider Electric, GE, B&R, XINJE, OVARRO and Emerson, respectively.

    For context, PLCs are an important part of industrial devices, in charge of controlling manufacturing processes in critical infrastructure sectors. Because of their crucial role in OT systems, they have been the focus of advanced attacks for a long time.

    “From Stuxnet to the recently uncovered Incontroller/Pipedream platform, threat actors try to reach and control PLCs in order to modify the processes they oversee, cause disruption, physical damage and threaten personal safety,” Team82 wrote.

    Now, the security researchers demonstrated it is possible to “flip that scenario on its head” and “turn the PLC into the predator rather than the prey.”

    To do so, Team82 found vulnerabilities in each of the seven engineering workstation platforms that allowed them to weaponize the PLC.

    “When an upload procedure is performed (involving the transfer of metadata, configurations, and text code from the PLC to the engineering workstation) our specifically crafted auxiliary pieces of data would cause the engineering workstation to execute our malicious code.”

    In other words, the technique weaponizes the PLC with data that isn’t necessarily part of a normal static/offline project file and enables code execution upon an engineering connection/upload procedure.

    “It’s important to note that all the vulnerabilities we found were on the engineering workstation software side and not in the PLC firmware,” Team82 clarified. “In most cases, the vulnerabilities exist because the software fully trusted data coming from the PLC without performing extensive security checks.”

    Team82 confirmed all of the findings were reported to the seven affected vendors in accordance with the company’s coordinated disclosure policy. The company said most vendors issued fixes, patches or mitigation plans against the Evil PLC Attack.

    “That said, getting to 100% patching level, especially in critical infrastructure, is not easy and therefore requires additional mitigation steps to reduce the risk of the Evil PLC Attack,” read the advisory.

    To further limit the impact of the Evil PLC Attack, Team82 recommended companies strictly segment their networks, configure the PLC to use a client authentication mechanism – preferably a Public Key Infrastructure (PKI) system – monitor OT network traffic, and keep all systems up to date.