Usually, when you think about someone hacking a programmable logic controller, the PLC is the final target of the attack. Adversaries use other systems to get to what will ultimately let them create some kind of industrial havoc.
But a DefCon presentation from Claroty Team 82 poses a question: what if someone used a PLC as a vector rather than the destination?
“Evil PLC” is what the researchers believe is a novel attack scenerio: infecting whichever engineer communicates with a PLC with malicious code. As a proof of viability, Claroty published a set of 11 new vendor-specific vulnerabilities that would allow for the attack. Those vulnerabilities are found in Ovarro TBOX, B&R (ABB) X20 System, Schneider Electric Modicon M340 and M580, GE MarkVIe, Rockwell Micro Control Systems, Emerson PACSystems and Xinje XDPPro platforms. All but the Emerson were issued CVEs.
The idea stems from Claroty wanting to know more about the adversaries targeting their honeypots.
“We asked ourselves, how can we actively attack the attackers? We don't know anything about them. We cannot find them,” said Claroty director of research Sharon Brizinov. “And then we kind of had a eureka moment and we thought, okay, what if the PLC was to be weaponized?”
Claroty accomplished an Evil PLC using a ZipSlip attack against vendors (Emerson, Ovarro, B&R, GE and Xinje), heap overflow against Schneider and a deserialization attack against Rockwell.
There are two attack scenarios that Claroty says Evil PLC would be appropriate for. The first would be if the PLC was the only vector into a secure facility. The attacker could wait for an engineer to connect to the PLC and infect the engineer workstation. That could be expedited by using the newfound access to the PLC to encourage an early inspection.
“Once the attacker weaponized the PLC, maybe they deliberately cause a fault on the PLC. The engineer would be lured to the PLC to check what's going on with it,” said Brizinov.
Another scenario would be to take advantage of the number of PLCs serviced by outside engineers. One engineer connecting to one PLC could spread malicious code across several enterprises.
“Usually PLCs are the crown jewel. When we're talking about classic attack vectors in ICS domains we're always seeing the PLC as the endpoint, the end goal; but if we're playing with those ideas and shifting our thoughts a bit, we can we can get to new ways of how to defend and attack both networks,” Brizinov said.