Threat Watch

New “Evil PLC” Attack Weaponizes Exposed Programmable Logic Controllers

On Saturday researchers at Claroty released a white paper detailing a novel proof-of-concept (PoC) attack leveraging internet-exposed Programmable Logic Controllers (PLCs). Named “Evil PLC,” the attack abuses the inherent trust between engineering workstations and PLCs: the attacker loads a malicious payload onto the PLC, uses an error code to convince an engineer to connect to it, and tricks the engineering software on the workstation into executing that payload. The researchers successfully produced PoCs against products from seven different companies: Rockwell Automation, Schneider Electric, GE, B&R, XINJE, OVARRO, and Emerson. They also identified nearly 70,000 PLCs that were exposed to the internet at the time of the report.

This attack represents a significant threat to companies with Operational Technology (OT) environments. Attackers could easily pivot from infected engineering workstations to non-internet-connected PLCs or into the IT environment. To mitigate the risk, companies should disconnect PLCs from the internet where possible. If remote access is required, VPNs can be leveraged to reduce the attack surface. If that is not possible, companies can establish dedicated engineering workstations that are only allowed to connect to these exposed PLCs, limiting the attack surface to just those devices. The report has more detailed recommendations.
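The dedicated-workstation mitigation above is a segmentation policy, and it is easy to check against network flow records. The following is an added example, not code from Claroty or from the report: it encodes a constructed inventory (two exposed PLCs, one dedicated engineering workstation, an internal 10.0.0.0/8 range) and a constructed log format, and it flags the two things the policy cares about, an engineering port on a PLC being reached from a non-internal address, and the dedicated workstation reaching anything other than its assigned PLCs. The engineering-protocol ports (Modbus/TCP 502, EtherNet/IP 44818) are assumptions for illustration; real deployments should use the ports their vendors' tools actually use.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed inventory (not from the report): the internet-exposed PLCs, the
# engineering-protocol ports they listen on (assumed for illustration: Modbus/TCP 502
# and EtherNet/IP 44818), the dedicated engineering workstation, and the address
# ranges treated as internal.
EXPOSED_PLCS = {"10.20.0.11", "10.20.0.12"}
ENGINEERING_PORTS = {502, 44818}
DEDICATED_WORKSTATIONS = {"10.20.5.10"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> str:
    """Apply the segmentation policy to one flow and return a verdict string.

    'alert-exposed': a non-internal source reached an engineering port on a PLC,
                     i.e. the PLC is still internet-facing (the Evil PLC precondition).
    'deny-pivot'   : the dedicated workstation tried to reach something other than its
                     assigned PLCs, which is the lateral movement the mitigation blocks.
    'allow'        : the dedicated workstation talking to one of its PLCs, or traffic
                     this policy does not govern.
    """
    if (flow.dst in EXPOSED_PLCS and flow.dport in ENGINEERING_PORTS
            and not is_internal(flow.src)):
        return "alert-exposed"
    if flow.src in DEDICATED_WORKSTATIONS:
        return "allow" if flow.dst in EXPOSED_PLCS else "deny-pivot"
    return "allow"


# Constructed log format, one flow per line: "src=<ip> dst=<ip> dport=<port>".
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def parse_line(line: str) -> Optional[Flow]:
    m = LOG_RE.search(line)
    return Flow(m.group(1), m.group(2), int(m.group(3))) if m else None


def review(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (verdict, line) for every parseable line; unparseable lines are skipped."""
    results = []
    for line in lines:
        flow = parse_line(line)
        if flow is not None:
            results.append((classify(flow), line))
    return results


# Constructed sample flows exercising each branch of the policy.
SAMPLE_LOG = [
    "src=10.20.5.10 dst=10.20.0.11 dport=44818",  # dedicated workstation -> its PLC
    "src=203.0.113.7 dst=10.20.0.12 dport=502",   # internet source -> PLC: still exposed
    "src=10.20.5.10 dst=10.30.1.25 dport=445",    # dedicated workstation -> IT host: pivot
    "src=10.30.1.40 dst=10.30.1.25 dport=445",    # ordinary IT traffic: not governed here
]

if __name__ == "__main__":
    for verdict, line in review(SAMPLE_LOG):
        print(f"{verdict:<14} {line}")
```

Run against real flow or firewall logs, the 'alert-exposed' verdicts are the PLCs that have not yet been taken off the internet, and the 'deny-pivot' verdicts are the egress rules the dedicated workstation's firewall or switch ACL should already be enforcing; either list being non-empty means the mitigation is incomplete.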

Third-party engineers are an especially lucrative target, since once their machine is infected, the infection can spread to the engineers' other clients. Third-party engineers should discuss with their clients the risk inherent in internet-facing PLCs, and work with them to properly secure access. If removal of internet access is not possible, they can consider reimaging their workstation after working with exposed devices to protect their other clients.