IIoT Security Risks: Exposing the Threat of PLC Malware

25-03-2024 | By Robin Mitchell

Key Things to Know:

  • IIoT brings unparalleled efficiency and intelligence to industrial systems through predictive maintenance and remote monitoring.
  • Advanced cyber threats, including web-based PLC malware, pose significant risks to IIoT infrastructure, potentially compromising safety systems and causing physical harm.
  • Effective defense strategies extend beyond traditional network segmentation, requiring advanced anomaly detection, rigorous access controls, and secure coding practices for web interfaces.
  • The balance between leveraging IoT technologies for their benefits and ensuring robust security measures is crucial to safeguard industrial environments.

As internet technologies continue to be integrated into industrial environments, cybercriminals are presented with new platforms and attack vectors to cause havoc while turning criminal activities into lucrative sources of income. What advantages has IIoT introduced to industrial systems, why is it under threat from malware, and what can be done against such attacks?

What advantages has IIoT introduced into industrial systems?

The Internet of Things has introduced massive benefits across all industries that it has touched, from commercial spaces being able to intelligently monitor environments and usage to living areas that can now create personalised zones of comfort for occupants. The data gathered from IoT devices has also been massively beneficial in the development of AI, which is leading to all kinds of new technological improvements, including AI doctors, real-time language translators, and vehicles that can drive themselves. 

However, the advantages presented by IoT have also found their way into industrial environments, often referred to as the Industrial Internet of Things (IIoT). The inclusion of internet connectivity into industrial sensors and controllers allows industrial sites to become not only highly efficient but extremely intelligent.

Enhancing Industrial Efficiency with IIoT

One such example of how internet connectivity in industrial sites can be beneficial is in predictive maintenance. Simply put, controllers connected to machinery are able to record key sensor readings (such as vibration and g-forces) and stream these readings to a remote server. Utilising behavioural analysis and AI, this data can be used to identify potential issues with machinery and, if caught early, can enable maintenance crews to perform critical repairs before serious damage is done.

If taken further, machinery that is identified as needing repair can then be placed into specialised queues that automatically plan machinery downtime. This downtime can be carefully controlled so that the production line as a whole experiences minimal production loss, whether through alternative machine stations or by reducing the production rate of the entire line and the number of consumables purchased.

Having internet connectivity enabled in sensors and controllers also allows engineers to remotely monitor industrial processes without having to be physically present at a site. This means that those who operate industrial sites can seek out expertise from across the globe, as opposed to those who are local to the site. This ability to enable remote work also allows for key engineers to travel and/or go on holiday with a higher degree of freedom, as any major concerns can be addressed remotely.

Internet connectivity in devices also introduces a whole wealth of software advantages, including over-the-air updates, running local webservers as interfaces, and interconnectivity between other devices. For example, instead of requiring dedicated software running on a laptop that is connected to a PLC via a special download cable, such PLCs can either be accessed remotely via a browser or nearby using an everyday mobile device. 

Why is IIoT under threat from malware?

Sadly, just as how the world of IoT introduced a range of cybersecurity issues, the same applies to IIoT, and industrial sites are already starting to see the challenges of poor security. Because industrial controllers have become incredibly advanced (being able to incorporate full operating systems and commonly used software packages), they are becoming extremely tempting targets for cybercriminals looking to launch large-scale cyberattacks.

One emerging threat that exemplifies the sophistication of attacks targeting IIoT systems involves the exploitation of web-based interfaces in Programmable Logic Controllers (PLCs). Researchers from the Georgia Institute of Technology have uncovered a novel attack vector where malware is specifically designed to compromise the web applications hosted by PLCs. This approach allows attackers to manipulate real-world machinery by issuing unauthorised commands through the PLC's legitimate web application interfaces, affecting sensor readings, disabling safety alarms, and even taking control of physical actuators. This method of attack highlights a critical vulnerability in IIoT devices, stemming from their increasing reliance on web technologies for operational convenience and remote management capabilities.

One such temptation that PLCs introduce is the ability to perform Distributed Denial of Service (DDoS) attacks. While an individual PLC would be insufficient to block web traffic to a victim, industrial sites use hundreds of identical PLCs, so it would be trivial for an attacker who compromises one to take control of all of them and manipulate them.

Another potential attack, albeit less harmful, is a crypto-mining attack. In this attack, a hacker installs mining software that forces the PLC to try to solve block mining challenges that, if successful, are extremely rewarding. Of course, such mining requires powerful machines to be profitable, but if hijacked machines are taken over at no cost to the miners, then it is essentially a source of free income.

The Escalating Threat to IIoT Infrastructure

However, the attack that experts are especially worried about is one that targets the device itself and the hardware it is connected to. Demonstrating the potential weakness of modern IIoT devices, a team of researchers from the Georgia Institute of Technology recently showed an attack on PLCs that use web servers as their interface. By attacking the devices remotely, the team was able to interfere with the PLCs' IO, including the IO responsible for controlling actuators, sensor readings, and safety systems, and even execute actions that could result in devastating situations.

What this essentially means is that once successfully hacked, an attacker can easily compromise safety systems at industrial sites, engage equipment during maintenance, or worse, outright hack hardware to cause direct harm towards staff. Considering the power that industrial machinery has, such an attack could very quickly lead to a loss of life. 

The implications of such web-based PLC malware are profound, as they can bypass traditional security measures by exploiting the inherent trust in web applications used for device management. The malware's ability to remain undetected by residing within the PLC's web application layer and executing malicious actions through standard web browsers used within the industrial network underscores the need for a reevaluation of security strategies in IIoT environments. This type of attack not only poses a direct threat to the physical safety of industrial facilities but also challenges the notion of network segmentation and firewall protections as sufficient defenses against IIoT-targeted cyber threats.

What can be done against such attacks?

Thankfully, when it comes to mitigating such attacks, there are numerous options available to industrial personnel and network admins. 

The first and probably most important option is to create virtual LANs that are separated from other systems. Simply put, PLCs and other industrial systems should be on a specific network that has extremely strict firewall rules. By doing this, other devices on the same local network (but not the same virtual LAN) are unable to access those devices.  

Secondly, the use of VLANs should also be coupled with a firewall with strict controls. Incoming connections to the facility should be outright blocked, while connections between VLANs should be logged and carefully monitored for suspicious activity. 

Thirdly, PLCs and other controllers should always have their software kept up to date, but these updates should not be delivered as OTA updates over the internet; instead, they should be controlled from a central admin location. By doing this, devices are not only insulated from updates that may contain malware, but man-in-the-middle attacks during OTA updates are also prevented.

Fourthly, PLCs should have their webservers disabled if they no longer require remote configuration. For safety-critical applications, it may be preferable to use PLCs that do not have internet capabilities, ensuring that proven software cannot be easily overridden.
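The second, third and fourth measures above amount to a policy that a firewall log can be audited against: nothing from outside the facility reaches the PLC VLAN, only admin stations reach PLC web interfaces across VLANs, and PLCs never reach out to the internet themselves. The following is an added example (not code from the article or any PLC vendor) that checks constructed firewall log lines against such a policy; the VLAN ranges, port list and log format are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed network policy (constructed for this example, not from the article):
# PLCs sit in their own VLAN, only the admin-station VLAN may reach their
# web interfaces, and nothing outside the facility range may reach them.
PLC_VLAN = ipaddress.ip_network("10.20.0.0/24")
ADMIN_VLAN = ipaddress.ip_network("10.10.0.0/24")
FACILITY = ipaddress.ip_network("10.0.0.0/8")
PLC_WEB_PORTS = {80, 443}

@dataclass
class Finding:
    line: str
    reason: str

def parse(line):
    # Constructed log format: "<timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>"
    ts, src, dst, port, action = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action

def check_line(line):
    src, dst, port, action = parse(line)
    plc_outbound = src in PLC_VLAN and dst not in FACILITY
    if action != "ALLOW":
        # A blocked attempt still matters when the PLC is the side reaching out
        return Finding(line, "PLC attempted an internet connection (blocked)") if plc_outbound else None
    if dst in PLC_VLAN and src not in FACILITY:
        return Finding(line, "inbound connection from outside the facility reached the PLC VLAN")
    if dst in PLC_VLAN and port in PLC_WEB_PORTS and not (src in ADMIN_VLAN or src in PLC_VLAN):
        return Finding(line, "cross-VLAN access to a PLC web interface from a non-admin host")
    if plc_outbound:
        return Finding(line, "PLC initiated an internet connection (unexpected for a centrally updated device)")
    return None

def audit(lines):
    return [f for f in map(check_line, lines) if f is not None]

# Constructed firewall log lines (documentation/example address ranges, not real sites)
LOGS = [
    "2024-03-25T10:00:01 10.10.0.5 10.20.0.17 443 ALLOW",     # admin station -> PLC web UI: expected
    "2024-03-25T10:00:07 10.30.0.42 10.20.0.17 80 ALLOW",     # office VLAN host -> PLC web UI: flag
    "2024-03-25T10:00:12 203.0.113.9 10.20.0.17 443 ALLOW",   # internet -> PLC: flag
    "2024-03-25T10:00:20 10.20.0.17 198.51.100.7 443 ALLOW",  # PLC -> internet: flag
    "2024-03-25T10:00:25 10.20.0.17 198.51.100.7 443 DENY",   # PLC -> internet, blocked: still flag
    "2024-03-25T10:00:30 10.20.0.17 10.20.0.18 502 ALLOW",    # PLC -> PLC inside the VLAN: expected
]

if __name__ == "__main__":
    for f in audit(LOGS):
        print(f.reason, "<-", f.line)
```

Run against real exports, the same rules would be fed by the per-VLAN connection logging the article recommends, with the admin VLAN and PLC VLAN ranges replaced by the site's own.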

Balancing Security with Technological Advancements

There are numerous ways to defend devices from attacks, with the options listed here being just a few. Ideally, devices should have all internet traffic limited to the absolute bare minimum and, if possible, outright disabled. But doing so would see the numerous benefits presented by IoT technologies being lost, thereby eliminating the whole point of internet-enabled systems. 

In light of these advanced threats, it is imperative for IIoT systems to adopt more robust security frameworks that go beyond traditional network segmentation and firewall defenses. The integration of advanced anomaly detection systems, rigorous access controls, and regular security audits of web applications associated with IIoT devices can provide a more comprehensive defense mechanism. Additionally, the adoption of secure coding practices for the development of web interfaces in PLCs and other IIoT devices is crucial to mitigate the risks posed by web-based malware attacks. Ensuring that these devices are equipped with the latest security patches and are configured to minimise exposure to potential web-based exploits is essential for safeguarding industrial systems against the evolving landscape of cyber threats.

Fundamentally, it comes down to a question of how safe something needs to be and what is the worst-case scenario should a madman get their hands on the device. 


By Robin Mitchell

Robin Mitchell is an electronic engineer who has been involved in electronics since the age of 13. After completing a BEng at the University of Warwick, Robin moved into the field of online content creation, developing articles, news pieces, and projects aimed at professionals and makers alike. Currently, Robin runs a small electronics business, MitchElectronics, which produces educational kits and resources.