A team of researchers from the Georgia Institute of Technology has created malware specifically tailored to exploit modern programmable logic controllers (PLCs), aiming to demonstrate the vulnerability of industrial control systems (ICS) to remote attacks similar to Stuxnet. By detailing their findings in a published paper, they shed light on the potential risks posed by such attacks on critical infrastructure. Traditional PLCs can be targeted through firmware or control logic layers, requiring privileged access to the organization’s industrial network for deployment.
In contrast, modern PLCs, equipped with web servers and accessible through standard web browsers, present an expanded attack surface for potential adversaries. The Georgia Tech researchers caution that while these modern PLCs offer operational benefits, they also introduce heightened security risks to industrial environments. To illustrate these risks, they developed web-based PLC malware capable of disrupting industrial processes or causing machinery damage by exploiting legitimate web APIs.
The newly developed PLC malware, designed to be easily deployable and difficult to detect, leverages service workers for persistence, enabling it to survive firmware updates and hardware replacements. This persistent malware can exploit powerful web APIs to overwrite input/output values, manipulate HMI inputs, and even conduct real-time data exfiltration. Moreover, it can establish command and control connections even within isolated networks, posing significant challenges for detection and mitigation.
Once the malware accomplishes its objectives, it can cover its tracks by self-destructing, overwriting malicious payloads with benign ones, and unregistering service workers. This sophisticated malware underscores the urgent need for enhanced cybersecurity measures to safeguard critical infrastructure from remote attacks on industrial control systems.
