Evil PLC Attack: Weaponizing PLCs

Programmable logic controllers (PLCs) are indispensable industrial devices that control manufacturing processes in every critical infrastructure sector. Because of their position within automation, threat actors covet access to PLCs; several industrial control system malware strains, from Stuxnet to Incontroller/Pipedream, have targeted PLCs.

But what if the PLC wasn’t the prey, and instead was the predator?

This paper describes a novel attack that weaponizes popular programmable logic controllers in order to exploit engineering workstations and further invade OT and enterprise networks. We’re calling this the Evil PLC Attack.

The attack targets engineers working every day on industrial networks, configuring and troubleshooting PLCs to ensure the safety and reliability of processes across critical industries such as utilities, electricity, water and wastewater, heavy industry, manufacturing, and automotive, among others.

The Evil PLC Attack research resulted in working proof-of-concept exploits against seven market-leading automation companies, including Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson.

This paper will describe in depth, not only how engineers diagnose PLC issues, write, and transfer bytecode to PLCs for execution, but also how Team82 conceptualized, developed, and implemented numerous novel techniques to successfully use a PLC to achieve code execution on the engineer’s machine.