
Network DoS Attack on PLCs Can Disrupt Physical Processes

A team of researchers has demonstrated an interesting type of denial-of-service (DoS) attack on programmable logic controllers (PLCs), where network flooding can lead to the disruption of the physical process controlled by the device.

A paper titled “You Snooze, You Lose: Measuring PLC Cycle Times Under Attacks” was published last year by a group of researchers from the German universities Hochschule Augsburg and Freie Universität Berlin. The ICS-CERT agency in the United States this week published an advisory showing what each impacted vendor said or did in response to the flaw.

The security hole, tracked as CVE-2019-10953, has been classified as “high severity” (CVSS score of 7.5) — industrial cybersecurity professionals have often warned that DoS attacks have a much higher impact in the case of industrial systems compared to IT systems.

The attack targets the cycle time of a PLC. A PLC runs in four phases in a loop: it reads inputs (e.g., sensors), it executes its program, it performs diagnostics and communication tasks, and it writes outputs. The time it takes to execute this loop is called the cycle time, which is typically between 1 and 10 milliseconds.

The researchers have demonstrated that specially crafted network traffic aimed at a PLC can influence this timing, which can cause disruptions to the real-world physical process controlled by the PLC.
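To make the mechanism concrete, here is an added simulation (constructed for this article, not the researchers' code or any vendor's firmware) of the four-phase scan cycle described above. Inbound packets are serviced in the communication phase; when that phase has no per-cycle bound, a flood stretches the cycle time and therefore delays output updates, while a budgeted communication phase keeps the cycle time stable. All timing constants and the `PER_PACKET_US` cost are assumptions, and `cycle_time_jitter_alert` is a defender-side monitoring check, not something from the paper.

```python
"""Constructed model of a PLC scan cycle under network flooding."""
from collections import deque

# Assumed per-phase costs in microseconds; real values differ per device.
READ_INPUTS_US = 200
EXECUTE_US = 500
WRITE_OUTPUTS_US = 200
PER_PACKET_US = 50   # assumed cost to service one inbound packet


def run_cycles(packets_per_cycle, n_cycles, budget_us=None):
    """Return the cycle time (us) of each of n_cycles scan cycles.

    packets_per_cycle: inbound packets arriving during every cycle.
    budget_us: if set, the communication phase stops after this much
    work and drops the remaining backlog (a mitigation); if None, the
    phase services every queued packet, so a flood stretches the cycle.
    """
    queue = deque()
    times = []
    for _ in range(n_cycles):
        queue.extend(range(packets_per_cycle))   # packets arriving this cycle
        cycle = READ_INPUTS_US + EXECUTE_US       # phases 1 and 2
        spent = 0
        # Phase 3: diagnostics/communication. Unbounded unless budgeted.
        while queue and (budget_us is None or spent + PER_PACKET_US <= budget_us):
            queue.popleft()
            spent += PER_PACKET_US
        if budget_us is not None:
            queue.clear()          # drop backlog instead of carrying it over
        cycle += spent + WRITE_OUTPUTS_US         # phase 4
        times.append(cycle)
    return times


def cycle_time_jitter_alert(times, nominal_us, factor=2.0):
    """Monitoring check: indices of cycles slower than factor x nominal.

    A sustained run of such cycles means outputs are being refreshed
    late, which is the physical-side symptom this attack produces.
    """
    return [i for i, t in enumerate(times) if t > factor * nominal_us]


if __name__ == "__main__":
    nominal = run_cycles(0, 1)[0]
    print("idle cycle:", nominal, "us")
    print("flooded, unbounded comms:", run_cycles(100, 3), "us")
    print("flooded, 1000 us comms budget:", run_cycles(100, 3, budget_us=1000))
    print("slow cycles flagged:", cycle_time_jitter_alert(run_cycles(100, 3), nominal))
```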

“The PLCs react very differently; some completely stopped updating their outputs, others slowed down,” Matthias Niedermaier, one of the Hochschule Augsburg researchers involved in this project, told SecurityWeek.

Other researchers had previously theorized that network traffic can influence the processes controlled by industrial control systems (ICS); the experiments conducted by the Hochschule Augsburg and Freie Universität Berlin experts on 16 devices from six vendors demonstrate that it works in practice. They noted that the attacks were conducted, as much as possible, against PLCs running with default configurations.

An attack can be launched either from the internet (if the targeted device is exposed to the internet) or from a compromised device on the same network as the targeted PLC (including another PLC). The experts pointed out that the attacker does not need to have specific knowledge of the actual process controlled by the PLC or the program running on it.

This type of DoS attack is interesting because although it’s aimed at the network side of the PLC, it actually targets the electrical side (i.e., the process controlled by the PLC) and not the network connectivity.

Only one of the tested devices did not appear to be vulnerable to network flooding attacks. However, only one vendor released actual patches.

The vendors whose products were tested are ABB, Phoenix Contact, Schneider Electric, Siemens, and WAGO. According to ICS-CERT, only Schneider Electric released patches for its Modicon M221 and EcoStruxure Machine Expert products. ABB said the attacks were possible due to the fact that its product was left in the default configuration during the attack, and Phoenix Contact said its newer products were not affected; the company is not releasing patches for the older products and advised customers to implement mitigations.

Siemens said this was not a vulnerability in its products, and WAGO said it was a known problem for some devices and recommended mitigations.

“Since almost all manufacturers are affected in some way, it was difficult to find a good solution here, and thus the process took a long time,” Niedermaier explained. “Personally, I believe that this topic requires further investigation by the manufacturer, as there is a feedback from network traffic to the real world physical process. We as researchers only have a few devices and cannot investigate the huge amount of PLCs.”

Related: Flaw in Schneider PLC Allows Significant Disruption to ICS

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
