PLCs Exploited by "Evil PLC Attack" to Breach Networks

PLCs are set up to start and halt processes.
PLCs can be weaponized in a novel attack to take advantage of engineering workstations and then infiltrate OT and enterprise networks.

The "Evil PLC Attack" was developed by Claroty's Team82 research group, and it targets the engineers who work on industrial networks, configuring and troubleshooting PLCs. Engineering workstation software from Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson is affected by the problem.

Security researchers say the research produced working proof-of-concept exploits against engineering workstation software from seven of the industry's leading automation vendors: Rockwell Automation, Schneider Electric, GE, B&R, XINJE, OVARRO, and Emerson.

Programmable logic controllers are the industrial devices that regulate production processes in critical infrastructure sectors. Beyond orchestrating automation tasks, PLCs are programmed to start and stop processes and to raise alarms.

It is therefore not surprising that PLCs have been the target of sophisticated attacks for more than a decade, starting with Stuxnet and continuing with PIPEDREAM (aka INCONTROLLER), with the intention of causing physical disruption.

The attack method

  • An opportunistic adversary deliberately induces a malfunction on an internet-exposed PLC, which prompts an unsuspecting engineer to connect to the compromised PLC using the engineering workstation software as a troubleshooting tool.
  • When the engineer performs an upload operation to retrieve a working copy of the existing PLC logic, the attacker abuses previously unknown weaknesses in the platform to execute malicious code on the workstation.
  • The researchers note that "the PLC saves other forms of data that are used by the engineering software and not the PLC itself", which creates a situation in which the unused data stored on the PLC can be altered to manipulate the engineering software.

In other words, the approach weaponizes the PLC with data that isn't necessarily part of an offline project file, so that code executes on the workstation when an engineering connection or upload operation takes place.
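The defensive takeaway from the steps above is that the engineering-only data a PLC hands back during an upload is untrusted input and should be checked against the offline project before the workstation parses it. The following is an added example (not Claroty's code and not any vendor's file format) that does this for a hypothetical, constructed upload image layout: it bounds-checks the device-supplied length fields and compares both the logic and the engineering-only section with hashes recorded in the offline project file at the last known-good download.

```python
import hashlib
import struct

# Hypothetical upload image (constructed for this example, not any vendor's format):
# magic(4) | u32 logic_len | logic | u32 aux_len | aux, where "aux" is the extra
# data the PLC stores only for the engineering software, not for its own execution.
MAGIC = b"PLCX"
MAX_AUX = 4096  # constructed ceiling for engineering-only metadata

def build_upload(logic: bytes, aux: bytes) -> bytes:
    """Assemble an upload image the way the (hypothetical) PLC would return it."""
    return (MAGIC + struct.pack("<I", len(logic)) + logic
            + struct.pack("<I", len(aux)) + aux)

def split_upload(blob: bytes):
    """Bounds-checked split of the image; never trusts PLC-supplied lengths."""
    if len(blob) < 8 or blob[:4] != MAGIC:
        raise ValueError("bad header")
    off = 4
    logic_len = struct.unpack_from("<I", blob, off)[0]
    off += 4
    if logic_len > len(blob) - off - 4:  # must leave room for the aux_len field
        raise ValueError("logic length exceeds image")
    logic = blob[off:off + logic_len]
    off += logic_len
    aux_len = struct.unpack_from("<I", blob, off)[0]
    off += 4
    if aux_len > MAX_AUX or aux_len != len(blob) - off:
        raise ValueError("aux length over limit or inconsistent with image")
    return logic, blob[off:]

def is_well_formed(blob: bytes) -> bool:
    try:
        split_upload(blob)
        return True
    except ValueError:
        return False

def golden_record(logic: bytes, aux: bytes) -> dict:
    """What the offline project file should record at the last known-good download."""
    return {"logic_sha256": hashlib.sha256(logic).hexdigest(),
            "aux_sha256": hashlib.sha256(aux).hexdigest()}

def verify_against_offline(blob: bytes, golden: dict) -> dict:
    """Check both sections; aux altered while logic matches is the Evil PLC precondition."""
    logic, aux = split_upload(blob)
    logic_ok = hashlib.sha256(logic).hexdigest() == golden["logic_sha256"]
    aux_ok = hashlib.sha256(aux).hexdigest() == golden["aux_sha256"]
    return {"logic_ok": logic_ok, "aux_ok": aux_ok,
            "safe_to_open": logic_ok and aux_ok}
```

An image whose logic matches the golden record but whose engineering-only section does not should be treated as a tampered device and opened only in an isolated workstation, not in the production engineering software.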

In line with the company's coordinated disclosure policy, Team82 confirmed that all of the findings were reported to the seven affected vendors.

According to the company, most of the vendors have released patches, fixes, or mitigation plans for the Evil PLC Attack.
