PLCpwn is a Digital Bond project that Stephen Hilt led and presented at S4x14. It was inspired by the Power Pwn that we had used with a number of clients to help them realize ignoring the physical security perimeter might be a mistake.
PLC’s are ideal places to hide attack code and communication channels. They are computers, that are treated like black boxes. Software and hardware upgrades are rare after deployment. They are the printers of the ICS world from an attacker’s perspective.
The end example is an attacker could send a text message of GO to the PLCpwn, and it would stop the CPU on the ControlLogix it was in and all other ControlLogix on the subnet. Of course with a covert channel to the ICS network and an attack platform on that network an attacker can deploy, modify and launch attack code at any time.
One other interesting note that Stephen mentions — we had the PLCpwn in the ICS Village with the door off. No one commented on it, not the Rockwell Automation attendees, nor any of the many users in attendance who had ControlLogix. It is not a statement on their competence, but more a reality check that even a crude implementation of the PLCpwn like this would go unnoticed.
I’ll have another post up later today on why I had Stephen take on this project.