Researchers from Claroty identified a new attack technique in which threat actors first infiltrate engineering workstations and then the rest of the OT networks using Programmable Logic Controllers (PLCs). Threat actors find PLCs appealing targets because they can cause damage, disruption, and change processes they control.
The attack, named Evil PLC attack, impacts major industrial automation companies such as Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson.
Attack methodology
- The attacker compromises the internet-exposed PLC first, which prompts and also deceives the unwary engineer into connecting to the controller from the engineering workstation.
- Usage of a compromised engineering workstation gives an attacker easy access to other PLCs and related sensitive systems within an organization.
- The attack also reveals vulnerabilities in the engineering workstations because the security software trusted incoming data from the PLC and refrained from an extensive security check.
- The data transferred from the PLC is used to trigger the security hole and execute malicious code on the workstation.
- The vulnerabilities are triggered only when an engineer initiates an upload procedure that includes transferring metadata and text code from the PLC to the workstation.
- Once the workstation has been compromised, the attacker moves to the remaining systems on the network.
The bottom line
The Evil PLC method can be used against threat actors by the researchers. Attackers can compromise their devices when they connect to the PLC from their own computers and attempt to retrieve the currently loaded project. Mitigating such attacks requires having authorized engineers and operators access PLCs physically and over the network, verifying the engineering station using authentication mechanisms, monitoring OT network traffic for abnormal activity, and applying patches in a timely manner.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_506782117.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/1328_shutterstock_616324022.jpg)
