This attack represents a significant threat to companies with Operational Technology (OT) environments. Attackers could easily pivot from infected engineer workstations to non-internet connected PLCs or into the IT environment. To mitigate the risk, companies should disconnect PLCs from the internet where possible. If remote access is required, VPNs can be leveraged to reduce the attack surface. If not possible, companies can try establishing special engineer workstations that are only allowed to connect to these exposed PLCs, limiting the attack surface to just those devices. The report has more detailed recommendations.

Third party engineers are an especially lucrative target, since once their machine is infected, it can spread to the engineers’ other clients. Third party engineers should discuss with their clients the risk inherent in internet-facing PLCs, and work with them to properly secure access. If removal of internet access is not possible, they can consider reimaging their workstation after working with exposed devices to protect their other clients.

https://claroty.com/team82/blog/evil-plc-attack-using-a-controller-as-predator-rather-than-prey