WisePlant – A WiseGroup Company
The Evil PLC Attack

What is Evil PLC attack and how to prevent negative consequences on industrial plants

“Protect your industrial plant from Evil PLC attacks – Implement security measures to prevent negative consequences!”


An Evil PLC attack is a malicious attack on a Programmable Logic Controller (PLC) used in industrial plants. It is a type of cyberattack that can cause serious damage to the plant’s operations and safety. The attack can be used to manipulate the PLC’s programming, resulting in the plant’s operations being disrupted or even shut down. The consequences of such an attack can be devastating, ranging from financial losses to physical damage to the plant. Fortunately, there are steps that can be taken to prevent such attacks and minimize their negative consequences.

The authors of the article that caught my attention (linked here) recommend several initiatives. These include implementing strong security measures, such as firewalls and antivirus software, as well as regularly monitoring the PLC's programming and performance. Additionally, it is important to ensure that all personnel involved in the plant's operations are properly trained in cybersecurity and aware of the risks associated with Evil PLC attacks.

All these recommended incident-centric initiatives alone are not enough; more in-depth knowledge and a consequence-centric approach need to be implemented as well.

What is an Evil PLC Attack?

An Evil PLC attack is a type of cyberattack that targets Programmable Logic Controllers (PLCs) in industrial plants, compromising their integrity in a way that provokes damage to the plant rather than to the PLC itself. It requires specific knowledge of the targeted system and of the industrial process at the plant.

The use of the Triton malware against a Saudi Arabian petrochemical plant was an example of this type of attack. The attackers' final intention was to create a severe consequence in the plant, not in the safety instrumented system (SIS) itself. It is about manipulating the integrity of the device without affecting its availability: if availability is compromised, the device simply stops working and the manipulation is noticed.

PLCs are used to control and monitor industrial processes, such as manufacturing, power generation, and water treatment. An Evil PLC attack is a malicious attack that seeks to disrupt or damage the operation of the process, potentially leading to physical damage or disruption of the industrial process.

Are incident-centric recommendations good enough?

Industrial plants are increasingly exposed to malicious attacks as Programmable Logic Controllers (PLCs) become more numerous and more connected. PLCs control and monitor industrial processes, and they are increasingly reachable from corporate networks and, in the worst cases, directly from the Internet, which exposes them to cyber-attacks. This section discusses the risks of Evil PLC attacks and how to mitigate them in industrial plants.

Evil PLC attacks are malicious attacks that target PLCs in industrial plants without being noticed by the owner or end user. Attacks against PLCs in general can be used to disrupt operations, steal data, or cause physical damage. The most common attack seen against PLCs is a denial-of-service (DoS) attack, which disrupts operations by flooding the PLC with requests; note that a DoS is not an Evil PLC attack in the sense defined above, because it destroys availability instead of silently corrupting integrity. Events like the Triton attack on the Saudi Arabian plant are rare. Other types of attacks include buffer overflow attacks, used to gain access to the PLC, and malicious code injection attacks, used to inject malicious code into the PLC's logic.

The risks of evil PLC attacks are significant. These attacks can cause operational disruptions, loss of life, environmental impacts, and physical damage. Operational disruptions can lead to lost production, increased costs, and customer dissatisfaction. Data theft can lead to the loss of confidential information, which can be used for malicious purposes. Physical damage can lead to costly repairs, irreversible damage, and downtime.

The authors of the document provided proof and a step-by-step guide on how to perform this kind of attack against very popular, well-recognized control systems. Very illustrative! They then recommended several countermeasures.

The threat of malicious attacks on industrial plants is a growing concern for many organizations. As the sophistication of cyber-attacks increases, so too does the need for effective strategies to protect against them. The authors explore the latest strategies for preventing evil PLC (Programmable Logic Controller) attacks in industrial plants.

Incident-Centric Approach: preventing the cyber-incident from happening by protecting and securing the PLC. No specific knowledge of the industrial process is considered.

The first step in preventing Evil PLC attacks is to ensure that all PLCs are properly configured and secured. This includes ensuring that all PLCs are running the latest firmware and that all passwords are strong and regularly changed. Additionally, all PLCs should be isolated from the corporate network, and any communication that must cross between the PLCs and the corporate network should be encrypted. Note that most PLC programming and fieldbus protocols carry no authentication or encryption of their own, so this protection usually has to be provided by the conduit (a VPN tunnel or a protocol-aware gateway) rather than by the PLC itself.

The second step is to implement a comprehensive monitoring system. This system should be able to detect any suspicious activity on the PLCs, such as unauthorized access attempts or changes to the PLCs' configuration. It should also detect attempts to modify the PLCs' logic or to inject malicious code, for example by comparing the program running on each PLC with an approved baseline, since an Evil PLC attack is designed to go unnoticed.
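As an added illustration of the monitoring described above (example code written for this page, not from the article's authors or from any vendor tool), the script below runs three simple checks over a constructed audit log and over program hashes read back from the PLCs: logic changes coming from a host outside an engineering-workstation allowlist or outside the change window, bursts of failed logins, and a program hash that drifts from the approved baseline with no logged download at all. The log format, hostnames, PLC names, hashes and thresholds are all constructed for the example, and how you read back a program checksum from a given PLC is vendor-specific.

```python
"""Baseline-and-log change detection for PLCs (illustrative; constructed data)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data. This is NOT a real vendor log format; each line is
# "timestamp|source_ip|plc|user|action", the way a generic audit export might look.
SAMPLE_LOG = """\
2024-03-04T09:12:01|10.10.20.5|PLC-REACTOR-01|eng.alice|login_ok
2024-03-04T09:12:40|10.10.20.5|PLC-REACTOR-01|eng.alice|program_download
2024-03-04T14:03:11|10.10.20.5|PLC-PUMP-02|eng.bob|read_tags
2024-03-04T22:41:07|10.10.50.9|PLC-PUMP-02|admin|login_fail
2024-03-04T22:41:09|10.10.50.9|PLC-PUMP-02|admin|login_fail
2024-03-04T22:41:12|10.10.50.9|PLC-PUMP-02|admin|login_fail
2024-03-04T22:41:15|10.10.50.9|PLC-PUMP-02|admin|login_ok
2024-03-04T22:42:30|10.10.50.9|PLC-PUMP-02|admin|online_edit
"""

# Hypothetical policy: only the engineering workstation may change logic, and only
# during plant working hours (local time, [start, end) ).
AUTHORIZED_ENG_HOSTS = {"10.10.20.5"}
CHANGE_WINDOW = (8, 18)
LOGIC_CHANGES = {"program_download", "online_edit"}
FAILED_LOGIN_THRESHOLD = 3

# Constructed "golden" hashes of the approved projects and the hashes read back from
# the PLCs today. PLC-BOILER-03 differs although no change was ever logged.
BASELINE_HASHES = {"PLC-REACTOR-01": "3f9a", "PLC-PUMP-02": "b21c", "PLC-BOILER-03": "c0de"}
CURRENT_HASHES = {"PLC-REACTOR-01": "3f9a", "PLC-PUMP-02": "d4e1", "PLC-BOILER-03": "e5f0"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    plc: str
    user: str
    action: str


def parse_log(text):
    """Parse the constructed pipe-separated audit format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, plc, user, action = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), src, plc, user, action))
    return events


def detect(events, baseline, current):
    """Return a list of human-readable alerts; an empty list means nothing suspicious."""
    alerts = []
    changed_plcs = set()
    for e in events:
        if e.action in LOGIC_CHANGES:
            changed_plcs.add(e.plc)
            if e.src not in AUTHORIZED_ENG_HOSTS:
                alerts.append(f"{e.plc}: logic change ({e.action}) from unauthorized host {e.src}")
            if not (CHANGE_WINDOW[0] <= e.ts.hour < CHANGE_WINDOW[1]):
                alerts.append(f"{e.plc}: logic change ({e.action}) outside change window at {e.ts.isoformat()}")
    # Repeated failed logins from one source against one PLC.
    fails = Counter((e.src, e.plc) for e in events if e.action == "login_fail")
    for (src, plc), n in fails.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(f"{plc}: {n} failed logins from {src}")
    # Silent modification: running program differs from the baseline, yet nobody
    # logged a download or online edit for that PLC.
    for plc, expected in baseline.items():
        if current.get(plc) != expected and plc not in changed_plcs:
            alerts.append(f"{plc}: program hash changed with no logged download")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG), BASELINE_HASHES, CURRENT_HASHES):
        print(alert)
```

On the constructed data this raises four alerts: two for the night-time online edit on PLC-PUMP-02 from a non-engineering host, one for the three failed logins that preceded it, and one for PLC-BOILER-03, whose program differs from the baseline although nothing in the log explains it. The last case is the one that matters most for an Evil PLC attack, because the whole point of the attack is that the change is never noticed.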

The third step is to ensure that all PLCs are regularly tested for vulnerabilities. This can be done by using a vulnerability scanner to identify potential weaknesses in the PLCs' code or configuration. Active scanning must be done with care: many PLCs crash or halt their scan cycle when probed with unexpected traffic, so scan in a test environment or rely on passive discovery on production networks. Additionally, it is important to regularly review the PLCs' logs to ensure that any suspicious activity is detected and addressed.

Finally, it is important to ensure that all personnel who have access to the PLCs are properly trained in security best practices. This includes ensuring that all personnel understand the importance of strong passwords and regularly changing them, as well as understanding the risks associated with connecting the PLCs to the corporate network. Additionally, personnel should be trained in recognizing and responding to suspicious activity on the PLCs.

By following these steps, organizations can significantly reduce the risk of evil PLC attacks in their industrial plants. By ensuring that all PLCs are properly configured and secured, implementing a comprehensive monitoring system, regularly testing for vulnerabilities, and training personnel in security best practices, organizations can protect their industrial plants from malicious attacks.

Many questions remain unanswered. How much risk is mitigated? Is it fully mitigated? Or do we need to do something else?

The answer is no. There is always a new way in. White-hat and black-hat hackers are very creative, and they will keep discovering and creating new ways to get in. Period! This is the hackers' business game!

So, How Can Industrial Plants Protect Themselves?

Industrial plants can protect themselves from Evil PLC attacks by implementing a comprehensive security-by-design strategy.

As recommended by the authors of the report, this will surely include measures such as segmenting the network, using firewalls and intrusion detection systems, and regularly patching and updating PLCs and other industrial control systems.

A consequence-centric approach to mitigating the risk is needed.

Using sound methodologies, any end user who prioritizes preventing the consequences, rather than the cyber-incident, should do the following:

First, identify the zones and conduits of the SUC (System under Consideration). This is of primary importance for prioritizing security countermeasures and actions based on realistic risk scenarios, rather than chasing ghosts or Hollywood-like scenarios. Take enough time to understand the systems. Identify and Model Correctly!

Second, perform a high-level risk assessment to identify all of those PLCs whose loss of integrity (the Evil Attack) can lead to an intolerable consequence, assuming the worst-case potential consequences if those cyber-assets are compromised. Take enough time to understand the potential consequences associated with the current design. Assess Correctly!

Third, evaluate the industrial cybersecurity risk using a RAGAGEP-compliant methodology (Recognized and Generally Accepted Good Engineering Practice) or the ISA/IEC 62443-3-2 requirements. Make sure to evaluate Evil Attack scenarios where it makes sense. Identify the security level target (SL-T) for each zone and conduit, and the list of compensating countermeasures. Take Good Decisions!

Fourth, redesign the existing SUC using sound techniques, such as conceptual design, detailed design and rationalization. Design the Risk Out!

Fifth, implement the result of the three redesign activities (conceptual design, detailed design and rationalization) as soon as possible. Don't waste resources, money and time doing the wrong, ineffective things. Mitigate for the Long-Term!

Sixth, the risk is mitigated. The potential consequences can no longer happen, even if the Evil Attack materializes. Operate Confidently!

Consequence-Centric Approach: preventing the consequences from happening by improving the design of the systems and the plant, so that even if the cyber-incident someday materializes, the consequences won't. Specific knowledge of the industrial process is needed.
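To make the six steps above concrete, here is an added example (written for this page; it is not the authors' method, not a tool, and its 0 to 4 severity scale and tolerable threshold are a hypothetical simplification rather than the ISA/IEC 62443-3-2 procedure). The plant, zones, PLC names and safeguards are constructed. The key rule it encodes is the one that separates the two approaches: once the Evil Attack is assumed to have succeeded, any safeguard implemented in the PLC's own logic, or that trusts values the PLC reports, no longer counts, so only layers independent of the PLC can bound the consequence. Whether a given layer is truly independent is an engineering judgment; Triton is the reminder that a SIS sharing network exposure with the compromised controller may not be.

```python
"""Consequence-centric screening of PLCs (illustrative; constructed plant and
hypothetical severity scale, not the ISA/IEC 62443-3-2 procedure itself)."""
from dataclasses import dataclass, replace

# Hypothetical severity scale: 0 none .. 4 catastrophic. TOLERABLE is the worst
# consequence the owner accepts even if the PLC is fully compromised.
TOLERABLE = 1


@dataclass(frozen=True)
class Safeguard:
    name: str
    depends_on_plc: bool  # True if it lives in the PLC logic or trusts PLC-reported data
    reduces_to: int       # severity that remains when this layer works


@dataclass(frozen=True)
class PLC:
    name: str
    zone: str
    worst_case: int       # severity if logic is silently altered and nothing intervenes
    safeguards: tuple = ()


def residual_severity(plc):
    """Worst case assuming the Evil Attack has succeeded: the PLC's own interlocks
    and anything fed by its data cannot be trusted, so only safeguards that do not
    depend on the PLC (mechanical relief, hardwired trip, separate SIS) count."""
    sev = plc.worst_case
    for s in plc.safeguards:
        if not s.depends_on_plc:
            sev = min(sev, s.reduces_to)
    return sev


def screen(plcs, tolerable=TOLERABLE):
    """Step two: map each PLC to (residual severity, verdict)."""
    result = {}
    for p in plcs:
        sev = residual_severity(p)
        result[p.name] = (sev, "OK" if sev <= tolerable else "REDESIGN")
    return result


def zone_summary(plcs):
    """Steps one and three: worst residual severity per zone, to prioritize zones."""
    out = {}
    for p in plcs:
        out[p.zone] = max(out.get(p.zone, 0), residual_severity(p))
    return out


def add_independent_layer(plc, layer):
    """Step four: design the risk out by adding a safeguard outside the PLC.
    A layer inside the compromised PLC is refused, because it changes nothing."""
    if layer.depends_on_plc:
        raise ValueError("a layer inside the compromised PLC does not reduce the consequence")
    return replace(plc, safeguards=plc.safeguards + (layer,))


# Constructed plant: names, zones and severities are invented for the example.
REACTOR = PLC("PLC-REACTOR-01", "Reactor", worst_case=4, safeguards=(
    Safeguard("high-pressure trip in PLC logic", depends_on_plc=True, reduces_to=1),
    Safeguard("HMI high-pressure alarm (reads PLC tags)", depends_on_plc=True, reduces_to=2),
))
PUMP = PLC("PLC-PUMP-02", "Utilities", worst_case=2, safeguards=(
    Safeguard("mechanical overpressure relief valve", depends_on_plc=False, reduces_to=1),
))
PACKAGING = PLC("PLC-PACK-05", "Packaging", worst_case=1)
PLANT = [REACTOR, PUMP, PACKAGING]

# The redesign: a relief valve sized for the worst case, independent of any PLC.
RELIEF_VALVE = Safeguard("relief valve sized for full blocked outlet",
                         depends_on_plc=False, reduces_to=1)
REDESIGNED_PLANT = [add_independent_layer(REACTOR, RELIEF_VALVE), PUMP, PACKAGING]

if __name__ == "__main__":
    print("before:", screen(PLANT), zone_summary(PLANT))
    print("after: ", screen(REDESIGNED_PLANT), zone_summary(REDESIGNED_PLANT))
```

Before the redesign the reactor PLC screens as REDESIGN with residual severity 4, even though it has two safeguards, because both of them live in or read from the very controller the attack corrupts; the pump PLC is OK only thanks to a mechanical relief valve that the PLC cannot override. After adding an independent relief layer to the reactor, its residual drops to 1 and the Reactor zone no longer dominates the plant's risk, which is exactly the "even if the Evil Attack materializes" outcome the sixth step describes.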


The Evil PLC attack is a malicious attack on industrial plants that can cause serious damage to the plant’s operations. It is important to take steps to protect industrial plants from this type of attack, such as implementing strong authentication and authorization measures, using secure communication protocols, and regularly patching and updating systems.

Additionally, it is important to apply a secure-by-design approach that prevents the consequences from happening even if the cyber-incident someday materializes. The plant is then resilient and tolerant to cyber-incidents. By taking these steps, industrial plants can reduce the risk of an Evil PLC attack and its potential negative consequences.

About the author: Maximillian G. Kon, ISA Qualified Instructor, ISA Groups Member
