
Weaponized PLCs Can Hack Engineering Workstations in Attacks on Industrial Orgs

Researchers have shown how hackers could weaponize programmable logic controllers (PLCs) and use them to exploit engineering workstations running software from several major industrial automation companies.


PLCs can be a tempting target for threat actors as they can be abused to cause damage and disruption, and to make changes to the processes they control. This is why they are often seen as the ultimate goal of an attacker.

However, researchers at industrial cybersecurity firm Claroty wanted to show that PLCs can also be used as a point of entry into an organization, being leveraged to target the engineering workstations connected to them and from there the rest of the internal network.

In such an attack, named ‘Evil PLC Attack’, the hacker first compromises the PLC, which can often be exposed to the internet and unprotected, and then tricks an engineer into connecting to the PLC from the engineering workstation. This could be achieved by causing a fault on the PLC, which an engineer would likely want to investigate.

During this research, vulnerabilities have been discovered in engineering workstation software from ABB (B&R Automation Studio), Emerson (PAC Machine Edition), GE (ToolBoxST), Ovarro (TwinSoft), Rockwell Automation (Connected Components Workbench), Schneider Electric (EcoStruxure Control Expert) and Xinje (XD PLC Program Tool).

Nearly a dozen CVE identifiers have been assigned to the vulnerabilities. Over the past year and a half, impacted vendors have been releasing advisories to inform their customers about the flaws and associated patches and mitigations.

“In most cases, the vulnerabilities exist because the software fully trusted data coming from the PLC without performing extensive security checks,” Claroty noted.

The vulnerabilities found by Claroty are triggered when an engineer initiates an upload procedure, which transfers metadata, configurations and text code from the PLC to the workstation. In an Evil PLC attack, the data transferred from the PLC is crafted so that it triggers the security hole and executes malicious code on the workstation. Once the workstation has been compromised, the attacker can move to other systems on the network.


The researchers have described three different theoretical Evil PLC attack scenarios. In the first scenario, the attacker weaponizes a PLC for initial access to an organization. Specifically, the hacker takes control of an internet-exposed PLC and weaponizes it by downloading their code on the device. The attacker then causes a fault to attract the attention of engineers, whose workstation will get exploited when they connect to the PLC in an effort to diagnose it.

In a second theoretical attack scenario, the attacker targets third-party engineers and contractors, whom Claroty describes as ‘traveling integrators’. In this scenario, the attacker initially compromises a PLC in a less secure facility that is known to be managed by a system integrator or contractor. The hacker weaponizes the PLC and causes a fault to get the target to connect to the device with their own workstation, which they carry with them to their different job sites. If the attacker can compromise the workstation from the less protected PLC, they can then use that workstation to hack PLCs in other, more secure organizations working with the same contractor.
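The attack chain described in these scenarios (a program written to the PLC from an unexpected host, then a fault, then a project upload by an engineering workstation) is something a defender can correlate in PLC and workstation logs. The following detection logic is an added example, not code from the article or from Claroty; the log format, host allow-list and event names are assumptions, and the sample events are constructed.

```python
"""Flag Evil PLC attack chains in constructed PLC/workstation event logs."""
from datetime import datetime, timedelta

# Constructed sample events. Assumed format: timestamp|plc|event|source_ip
# PLC vendor convention: DOWNLOAD writes a program to the PLC, UPLOAD reads it back.
SAMPLE_LOG = """\
2022-08-10T08:00:00|plc-7|PROGRAM_DOWNLOAD|203.0.113.5
2022-08-10T08:02:10|plc-7|FAULT|-
2022-08-10T08:15:30|plc-7|PROJECT_UPLOAD|10.0.5.21
2022-08-10T09:00:00|plc-3|PROGRAM_DOWNLOAD|10.0.5.21
2022-08-10T09:01:00|plc-3|FAULT|-
2022-08-10T09:05:00|plc-3|PROJECT_UPLOAD|10.0.5.21
"""

# Assumed allow-list of hosts permitted to write programs to PLCs.
TRUSTED_ENGINEERING_HOSTS = {"10.0.5.21"}
WINDOW = timedelta(hours=1)  # max gap between consecutive steps of the chain


def parse_events(text):
    """Parse the pipe-separated log into (time, plc, event, source) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, plc, kind, src = line.split("|")
        events.append((datetime.fromisoformat(ts), plc, kind, src))
    return sorted(events)


def find_evil_plc_chains(events, trusted_hosts=TRUSTED_ENGINEERING_HOSTS, window=WINDOW):
    """Return (plc, download_source, upload_source) for every PLC where an untrusted
    host wrote a program, the PLC then faulted, and a workstation then pulled the
    project, each step within `window` of the previous one."""
    alerts = []
    untrusted_downloads = {}  # plc -> (time, source) of last untrusted program write
    faults = {}               # plc -> time of fault following that write
    for ts, plc, kind, src in events:
        if kind == "PROGRAM_DOWNLOAD" and src not in trusted_hosts:
            untrusted_downloads[plc] = (ts, src)
            faults.pop(plc, None)  # a new write restarts the chain
        elif kind == "FAULT" and plc in untrusted_downloads:
            if ts - untrusted_downloads[plc][0] <= window:
                faults[plc] = ts
        elif kind == "PROJECT_UPLOAD" and plc in faults:
            if ts - faults[plc] <= window:
                alerts.append((plc, untrusted_downloads[plc][1], src))
                del faults[plc]
                del untrusted_downloads[plc]  # chain reported once
    return alerts
```

The second PLC in the sample faults and is uploaded from, but its program was written by an allow-listed host, so it produces no alert; only the chain starting from the external address is reported.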


Researchers and defenders can also leverage the Evil PLC method against threat actors. They can set up a honeypot where an internet-facing PLC they have weaponized acts as a lure. When a malicious actor connects to the PLC from their own computer and attempts to obtain the currently loaded project from the controller, their device will get compromised.

“This method can be used to detect attacks in the early stage of enumeration and might also deter attackers from targeting internet-facing PLCs since they will need to secure themselves against the target they planned to attack,” Claroty researchers said.

The cybersecurity firm has shared technical details and mitigations for these types of attacks.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
