TEAM82 RESEARCH
EXECUTIVE SUMMARY
Programmable logic controllers (PLCs) are indispensable industrial devices that control manufacturing processes in every critical infrastructure sector. Because of their position within automation, threat actors covet access to PLCs; several industrial control system malware strains, from Stuxnet to Incontroller/Pipedream, have targeted PLCs.
But what if the PLC wasn’t the prey, and instead was the predator?
This paper describes a novel attack that weaponizes popular programmable logic controllers in order
to exploit engineering workstations and further invade OT and enterprise networks. We’re calling this the
Evil PLC Attack.
The attack targets engineers working every day on industrial networks, configuring and troubleshooting
PLCs to ensure the safety and reliability of processes across critical industries such as utilities, electricity,
water and wastewater, heavy industry, manufacturing, and automotive, among others.
The Evil PLC Attack research resulted in working proof-of-concept exploits against seven market-leading
automation companies, including Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and
Emerson.
This paper will describe in depth not only how engineers diagnose PLC issues and write and transfer bytecode
to PLCs for execution, but also how Team82 conceptualized, developed, and implemented numerous novel
techniques to successfully use a PLC to achieve code execution on the engineer’s machine.
Below is a list of affected vendors and products, as well as links to their respective advisories and
remediations (or mitigations).