Team82 has identified a novel attack that weaponizes programmable logic controllers (PLCs) in order to exploit engineering workstations. The method is being termed the ‘Evil PLC Attack’ by Team82.
The attack method could target engineers working every day on industrial networks, configuring and troubleshooting PLCs to ensure the safety and reliability of processes across critical industries such as utilities, electricity, water and wastewater, heavy industry, manufacturing, and automotive, among others.
PLCs have for more than a decade been the focus of advanced attacks. From Stuxnet to the recently uncovered Incontroller/Pipedream platform, threat actors try to reach and control PLCs in order to modify the processes they oversee, cause disruption and physical damage, and threaten personal safety. But what if an attacker were able to flip that scenario on its head and turn the PLC into the predator rather than the prey? What if there were a way to weaponize PLCs in order to exploit engineering workstations, the powerful platforms used to configure and maintain PLCs? These workstation applications are often a bridge between operational technology networks and corporate networks. An attacker who is able to compromise and exploit vulnerabilities in an engineering workstation could easily move onto the internal network, move laterally between systems, and gain further access to other PLCs and sensitive systems.
Team82’s Evil PLC Attack research resulted in a working proof-of-concept exploit of this kind against products from seven market-leading automation companies, including Rockwell Automation, Schneider Electric, GE, B&R, XINJE, OVARRO, and Emerson.