Over the last decade, Programmable Logic Controllers (PLCs) have been
increasingly targeted by attackers to obtain control over industrial processes
that support critical services. Such targeted attacks typically require
detailed knowledge of system-specific attributes, including hardware
configurations, adopted protocols, and PLC control-logic, i.e. process
comprehension. The consensus from both academics and practitioners suggests
stealthy process comprehension obtained from a PLC alone, to conduct targeted
attacks, is impractical. In contrast, we assert that current PLC programming
practices open the door to a new vulnerability class based on control-logic
constructs. To support this, we propose the concept of Process Comprehension at
a Distance (PCaaD), as a novel methodological and automatable approach for
system-agnostic exploitation of PLC library functions, leading to the targeted
exfiltration of operational data, manipulation of control-logic behavior, and
establishment of covert command and control channels through unused memory. We
validate PCaaD on widely used PLCs, by identification of practical attacks.

By admin