Nexus Podcast: Noam Moshe on Evil PLC Attack

The Evil PLC Attack is a technique developed by Claroty’s Team82 whereby a programmable logic controller (PLC) is weaponized in order to compromise engineering workstations and burrow deeper into the OT and enterprise networks. 

The attack, unveiled last week at DEF CON, involves accessing a PLC and weaponizing it with a malicious executable (a project file, for example) that will be uploaded to the engineering workstation and exploit a vulnerability on the application that enables remote code execution or denial-of-service attacks. At its core, Evil PLC abuses the trust PLCs have with engineering workstations.

PLCs were introduced without connectivity in mind given that an engineer would have to have physical access to a controller in order to download new project files to it and upload data from the PLC. Under that paradigm, the workstation implicitly trusts data transferred from the PLC. 

In this episode of the Nexus podcast, Team82’s Noam Moshe, one of the researchers involved with developing the Evil PLC attack, explains this aspect of the attack along with much more detail about the motivations behind Evil PLC, its implications, and the importance of executing this attack on EWS applications from seven different vendors. 

“Usually when we talk about OT security, we’re talking about protecting PLCs and critical processes,” Moshe said. “When we think about protecting them, we talk about protecting them from malicious or unauthorized access. However, here we’ve taken this whole idea and basically turned it on its head. While the PLC is the main anchor of the network, what if instead of attacking it, we weaponize it and use it to attack other assets on the network.”

Evil PLC brings some scale to attacks against the OT network. Rather than targeting one PLC and the process it manages, this technique broadens an attacker’s reach on the network. 

“The idea is that you use one access to the OT network and instead of attacking the PLC itself, you attack whoever configures, monitors, and engineers it,” Moshe said. “That’s the idea of taking the PLC and making it the predator, the weapon to attack the engineers themselves. The functionality of it can lead to many attack scenarios."

Moshe also points out in this discussion how engineering workstations can be used as a pivot point into the enterprise network, bypassing security solutions tailored to protect against attacks from outside the firewall. 

“The engineering workstation is the king of the OT network, it has access to most of the assets,” he said. “From a lateral movement point of view, the attacker can infect the engineering workstation and maybe [compromise] other OT assets or use it as a way to jump from the OT network to the IT network.”