Researchers have shown how hackers could weaponize programmable logic controllers (PLCs) and use them to exploit engineering workstations running software from several major industrial automation companies.
PLCs can be a tempting target for threat actors as they can be abused to cause damage and disruption, and to make changes to the processes they control. This is why they are often seen as the ultimate goal of an attacker.
However, researchers at industrial cybersecurity firm Claroty wanted to show that PLCs can also be used as a point of entry into an organization, being leveraged to target the engineering workstations connected to them and from there the rest of the internal network.
In such an attack, named ‘Evil PLC Attack’, the hacker first compromises the PLC, which can often be exposed to the internet and unprotected, and then tricks an engineer into connecting to the PLC from the engineering workstation. This could be achieved by causing a fault on the PLC, which an engineer would likely want to investigate.
During this research, vulnerabilities have been discovered in engineering workstation software from ABB (B&R Automation Studio), Emerson (PAC Machine Edition), GE (ToolBoxST), Ovarro (TwinSoft), Rockwell Automation (Connected Components Workbench), Schneider Electric (EcoStruxure Control Expert) and Xinje (XD PLC Program Tool).
Nearly a dozen CVE identifiers have been assigned to the vulnerabilities. Over the past year and a half, impacted vendors have been releasing advisories to inform their customers about the flaws and associated patches and mitigations.
“In most cases, the vulnerabilities exist because the software fully trusted data coming from the PLC without performing extensive security checks,” Claroty noted.
The vulnerabilities found by Claroty are triggered when an engineer initiates an upload procedure. This includes transferring metadata, configurations and textcode from the PLC to the workstation. In the case of an Evil PLC attack, the data transferred from the PLC is crafted so that it triggers the security hole and executes malicious code on the workstation. Once the workstation has been compromised, the attacker can move to other systems on the network.
Learn more about vulnerabilities in industrial systems at
SecurityWeek’s ICS Cyber Security Conference
The researchers have described three different theoretical Evil PLC attack scenarios. In the first scenario, the attacker weaponizes a PLC for initial access to an organization. Specifically, the hacker takes control of an internet-exposed PLC and weaponizes it by downloading their code on the device. The attacker then causes a fault to attract the attention of engineers, whose workstation will get exploited when they connect to the PLC in an effort to diagnose it.
In a second theoretical attack scenario, the attacker targets third-party engineers and contractors, which Claroty describes as ‘traveling integrators’. In this scenario, the attacker initially compromises a PLC in a less secure facility that is known to be managed by a system integrator or contractor. The hacker weaponizes the PLC and causes a fault to get the target to connect to the device with their own workstation, which they carry with them to their different job sites. If the attacker can compromise the workstation from the less protected PLC, they can then use that workstation to hack PLCs in other, more secure organizations working with the same contractor.
Researchers and defenders can also leverage the Evil PLC method against threat actors. They can set up a honeypot where an internet-facing PLC they have weaponized acts as a lure. When a malicious actor connects to the PLC from their own computer and attempts to obtain the currently loaded project from the controller, their device will get compromised.
“This method can be used to detect attacks in the early stage of enumeration and might also deter attackers from targeting internet-facing PLCs since they will need to secure themselves against the target they planned to attack,” Claroty researchers said.
The cybersecurity firm has shared technical details and mitigations for these types of attacks.
Related: Hackers Knew How to Target PLCs in Israel Water Facility Attacks
Related: Hack Exposes Vulnerability of Cash-Strapped US Water Plants
Related: PLC and HMI Password Cracking Tools Deliver Malware

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- New York Man Arrested for Running BreachForums Cybercrime Website
- Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
- Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111
- Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
- Cybercriminals, APT Exploited Telerik Vulnerability in Attacks on US Government Agency
- US Charges Two Men Over Use of Hacked Law Enforcement Database for Doxing
- Chinese Cyberspies Hacked DLP Company Serving Military, Government Orgs
Latest News
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- New York Man Arrested for Running BreachForums Cybercrime Website
- Huawei Has Replaced Thousands of US-Banned Parts With Chinese Versions: Founder
- Latitude Financial Services Data Breach Impacts 300,000 Customers
- US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
- New ‘Trigona’ Ransomware Targets US, Europe, Australia
