Logic Bombs Pose Threat to ICS: Researchers

Ladder logic bombs pose threat to ICS

Logic bombs can pose a significant threat to industrial control systems (ICS), particularly programmable logic controllers (PLCs), researchers warned in a paper published last week.


A logic bomb is a piece of code designed to set off a malicious function when specified conditions are met, such as a time and date, or when data provided by a sensor has a certain value.

It is not unheard of for malware to use logic bombs (e.g. Stuxnet and Shamoon), but experts at IIIT Hyderabad in India and the Singapore University of Technology and Design believe there is not enough research on the threat posed to ICS.

Their research has focused on PLCs and ladder programming, which is used to write software for these devices. That is why the experts have named this type of threat “ladder logic bombs.”

PLCs are known to have vulnerabilities and researchers have warned of several potential threats, including worms and stealthy pin control attacks.

In an effort to prevent certain attacks, PLC manufacturers have implemented mechanisms designed to block unauthorized firmware from being uploaded to a device. On the other hand, researchers discovered that there are no authentication or security checks in place to ensure that unauthorized logic updates cannot be delivered to a PLC.

An attacker who has physical access to the targeted PLC – in some configurations attacks can also be conducted over the network – can upload malicious logic to the device and hijack it. The attacker can download and upload logic configurations using specialized software, such as Studio 5000 or ControlLogix from Rockwell Automation.


Researchers believe ladder logic bombs can be very dangerous considering that the attacker needs to access the targeted PLC only once. The “bomb” can then be triggered externally, using a specified input, or it can be triggered internally by a system state, certain instructions or at a preset date and time.

According to experts, ladder logic bombs can be used for a wide range of purposes, including denial-of-service (DoS) attacks, changing the PLC’s behavior, and obtaining data. These attacks have been tested in real-world ICS environments.

In the case of DoS attacks, hackers can add a piece of malicious logic to cause the PLC to stop working, potentially damaging the process it controls. Once triggered, the “bomb” can enter an infinite loop and make the device useless.

Ladder logic bombs can also be leveraged to manipulate data, such as sensor readings, which can be used to cover up other unauthorized activities or cause the device to enter an error state.

Attackers can also secretly log sensitive PLC data by using FIFO buffers and recording data into arrays on the device. These threats can go undetected for an extended period of time by not interfering with the device’s normal operation.

In order to prevent these types of attacks, researchers have proposed both network-based countermeasures and centralized validation of running code, which includes the use of authentication or cryptographic signatures for logic updates.
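
A sketch of the centralized validation idea described above, as an added example that is not code from the researchers' paper or from any PLC vendor: logic read back from each controller is hashed and compared against an authenticated manifest of approved logic. It assumes the logic can be exported as bytes, uses HMAC-SHA256 from the Python standard library in place of a public-key signature, and the key, PLC name and rung text are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed key for the example; a real deployment would keep it in an HSM or secrets store.
ENGINEERING_KEY = b"constructed-demo-key"


def digest(logic: bytes) -> str:
    """SHA-256 of a logic export as pulled from the controller."""
    return hashlib.sha256(logic).hexdigest()


def sign_manifest(approved: dict, key: bytes) -> dict:
    """Build the approved-logic manifest {plc_id: digest} and authenticate it."""
    entries = {plc: digest(logic) for plc, logic in approved.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def validate(plc_id: str, running: bytes, manifest: dict, key: bytes) -> str:
    """Compare logic read back from a PLC with the authenticated manifest."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Reject the manifest itself if it was altered after engineering approved it.
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        return "MANIFEST_UNTRUSTED"
    approved = manifest["entries"].get(plc_id)
    if approved is None:
        return "UNKNOWN_PLC"
    if not hmac.compare_digest(approved, digest(running)):
        return "LOGIC_MISMATCH"
    return "OK"


# Constructed sample exports (illustrative text, not a real vendor format).
APPROVED_LOGIC = b"RUNG 0: XIC Start OTE Pump\nRUNG 1: XIC Level_High OTU Pump\n"
MODIFIED_LOGIC = APPROVED_LOGIC + b"RUNG 2: (unapproved rung added after commissioning)\n"

MANIFEST = sign_manifest({"plc-01": APPROVED_LOGIC}, ENGINEERING_KEY)

if __name__ == "__main__":
    print(validate("plc-01", APPROVED_LOGIC, MANIFEST, ENGINEERING_KEY))
    print(validate("plc-01", MODIFIED_LOGIC, MANIFEST, ENGINEERING_KEY))
```

Any single added rung changes the digest, so a modification that does not disturb normal operation still surfaces at the next validation pass.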

Logic bombs were also used recently in the simulation of a ransomware attack on industrial systems. Researchers showed how specially designed malware can hijack and potentially cause serious damage to a water treatment plant.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
