Cybercrime Develops New Attack Method Using PLCs |IT INSIDE Online

2022-08-27 15:50:25 By: Ms. Judy Huang

Programmable logic controllers (PLCs) have already been used by cybercriminals to modify the processes they supervise, causing interruptions, physical damage and threats to personal safety. A new method of exploiting this technology could make them an even more serious weak point.

Researchers from Claroty Team82, Claroty's research arm, studied a new form of attack, which they named the Evil PLC Attack.

The engineering workstations used to program and maintain PLCs typically sit at the bridge between operational technology (OT) networks and corporate networks. An attacker who can compromise an engineering workstation by exploiting vulnerabilities in it can move into the internal network, move laterally between systems and gain access to other PLCs and sensitive systems.

The attack targets the engineers who work daily on industrial networks, configuring and troubleshooting PLCs to ensure the safety and reliability of processes in critical sectors such as utilities, electricity, water and sewage, heavy industry, manufacturing and automotive, among others.

The Evil PLC Attack research produced proof-of-concept exploits against products from seven leading automation vendors: Rockwell Automation, Schneider Electric, GE, B&R, XINJE, OVARRO and Emerson. Most of the affected vendors have patched or mitigated the vulnerabilities discovered by Claroty Team82 in their respective products, as listed on the Claroty Team82 website.

Explaining the Evil PLC Attack

OT networks can contain dozens of PLCs supervising industrial processes. An attacker who wants to physically disrupt a process would first need to enumerate these controllers extensively to identify which one is the ideal target.

The Evil PLC Attack turns PLCs into tools rather than targets. By weaponizing a PLC, an attacker can compromise the engineering workstation, which is the best source of process-related information and typically has access to every other PLC on the network. With that access and information, the attacker can change the logic of any PLC at will.

The trick is to entice an engineer to connect to the compromised PLC, and the fastest way to do that is to cause a fault on it. A faulting PLC is a routine scenario: the engineer responds by connecting to it with the engineering workstation application as a troubleshooting tool.

That was Claroty Team82's approach. The researchers found vulnerabilities in each of the seven engineering workstation platforms that allowed them to weaponize the PLC so that, when the engineer performs an upload (the procedure that transfers the PLC's metadata, settings and text code to the engineering workstation), specially crafted auxiliary data in that upload causes the engineering workstation to execute the attacker's code.
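As an added illustration, and not code from Claroty Team82 or from any of the vendors named above, the following Python models the trust boundary that the upload step exposes: a workstation loader that treats whatever the PLC sends as trustworthy, beside a hardened loader that treats the PLC as an untrusted peer (bounded sizes, allowlisted record types, strict settings schema, and a comparison of the uploaded logic against the hash of the project the workstation last downloaded). The record layout, the field names and the eval-based flaw are constructed for this example only and do not describe any real engineering workstation product or the vulnerabilities Claroty reported.

```python
import hashlib
import json
import struct

# Constructed record layout for this example only (not any vendor's real project
# format): magic "EPLC", then records of type:u8 | length:u32 (big-endian) | payload.
REC_NAME, REC_SETTINGS, REC_LOGIC = 1, 2, 3
ALLOWED_TYPES = {REC_NAME, REC_SETTINGS, REC_LOGIC}
SETTINGS_SCHEMA = {"scan_ms", "watchdog"}   # the only keys the loader understands
MAX_UPLOAD = 1 << 20                       # cap on what the workstation accepts from a PLC


def build_upload(records):
    """Assemble an upload blob the way a PLC (honest or weaponized) would send it."""
    out = bytearray(b"EPLC")
    for rtype, payload in records:
        out += struct.pack(">BI", rtype, len(payload)) + payload
    return bytes(out)


def iter_records(blob):
    """Walk the TLV records, refusing any length field that points past the end."""
    pos = 4
    while pos < len(blob):
        if pos + 5 > len(blob):
            raise ValueError("truncated record header")
        rtype, length = struct.unpack(">BI", blob[pos:pos + 5])
        pos += 5
        if length > len(blob) - pos:
            raise ValueError("record length %d exceeds upload" % length)
        yield rtype, blob[pos:pos + length]
        pos += length


def naive_load(blob):
    """Trusting loader: settings are eval'd because 'our own PLC wrote them'.
    A crafted settings record therefore runs arbitrary code on the workstation."""
    project = {}
    for rtype, payload in iter_records(blob):
        if rtype == REC_NAME:
            project["name"] = payload.decode("utf-8", "replace")
        elif rtype == REC_SETTINGS:
            project["settings"] = eval(payload.decode())   # the trust-boundary bug
        elif rtype == REC_LOGIC:
            project["logic"] = payload
    return project


def hardened_load(blob, expected_logic_sha256=None):
    """Untrusted-peer loader: bound the size, allowlist record types, parse settings
    as strict JSON against a schema, and flag logic that differs from the project
    the workstation itself last downloaded (a weaponized PLC will not match)."""
    if len(blob) > MAX_UPLOAD or blob[:4] != b"EPLC":
        raise ValueError("rejected upload: bad magic or oversized")
    project = {"logic_changed": None}
    for rtype, payload in iter_records(blob):
        if rtype not in ALLOWED_TYPES:
            raise ValueError("rejected upload: unknown record type %d" % rtype)
        if rtype == REC_NAME:
            project["name"] = payload.decode("utf-8")      # strict decode, raises on junk
        elif rtype == REC_SETTINGS:
            settings = json.loads(payload.decode("utf-8"))  # JSONDecodeError is a ValueError
            if not isinstance(settings, dict) or set(settings) - SETTINGS_SCHEMA:
                raise ValueError("rejected upload: settings outside schema")
            project["settings"] = settings
        elif rtype == REC_LOGIC:
            project["logic"] = payload
    if expected_logic_sha256 is not None and "logic" in project:
        digest = hashlib.sha256(project["logic"]).hexdigest()
        project["logic_changed"] = digest != expected_logic_sha256
    return project


def rejects(blob, expected_logic_sha256=None):
    """True if the hardened loader refuses the upload."""
    try:
        hardened_load(blob, expected_logic_sha256)
        return False
    except ValueError:
        return True


# Constructed sample uploads: an honest PLC, a PLC with a hostile settings record,
# a PLC whose logic was altered behind the workstation's back, and a truncated one.
HONEST_LOGIC = b"LD I0.0\nAND I0.1\nST Q0.0\n"
HONEST_SHA256 = hashlib.sha256(HONEST_LOGIC).hexdigest()   # recorded at download time
HONEST_SETTINGS = b'{"scan_ms": 10, "watchdog": true}'
HONEST_UPLOAD = build_upload([(REC_NAME, b"pump_station_3"),
                              (REC_SETTINGS, HONEST_SETTINGS),
                              (REC_LOGIC, HONEST_LOGIC)])
EVIL_UPLOAD = build_upload([(REC_NAME, b"pump_station_3"),
                            # harmless stand-in for an attacker's payload
                            (REC_SETTINGS, b"__import__('sys').version_info.major"),
                            (REC_LOGIC, HONEST_LOGIC)])
ALTERED_UPLOAD = build_upload([(REC_NAME, b"pump_station_3"),
                               (REC_SETTINGS, HONEST_SETTINGS),
                               (REC_LOGIC, HONEST_LOGIC + b"ST Q0.1\n")])
TRUNCATED_UPLOAD = b"EPLC" + struct.pack(">BI", REC_LOGIC, 999)   # length runs past end


def demo():
    """Return what each loader makes of the sample uploads."""
    return {
        "honest_changed": hardened_load(HONEST_UPLOAD, HONEST_SHA256)["logic_changed"],
        "naive_ran_attacker_code": naive_load(EVIL_UPLOAD)["settings"],
        "evil_blocked": rejects(EVIL_UPLOAD, HONEST_SHA256),
        "altered_flagged": hardened_load(ALTERED_UPLOAD, HONEST_SHA256)["logic_changed"],
        "truncated_blocked": rejects(TRUNCATED_UPLOAD),
    }


if __name__ == "__main__":
    print(demo())
```

The hash comparison is the part worth copying: an upload whose logic differs from what the workstation last downloaded is exactly the signal that a PLC was modified outside the normal engineering workflow, and treating that as an incident rather than silently overwriting the local project is how the lure ("the PLC faulted, go connect to it") gets noticed.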