The exploit of Schneider Electric's Modicon Quantum PLC can be carried out in two steps. First, anyone with logical access to the PLC can download the ladder logic (the program) it is currently running, Dale Peterson explained in a blog post. Ladder logic is a programming language that represents relay-logic circuits on a graphical diagram resembling a ladder; it is the language used to develop PLC software.
This is a process similar to the one used by the Stuxnet attackers to disrupt the Iranian nuclear fuel enrichment facility at Natanz, explained Peterson.
“The Stuxnet creators had full knowledge of the process at Natanz. They may have had an inside source who gave it to them, but an attacker can also download the existing program from the PLC. It then depends on how much time and process engineering and domain talent they have to modify the ladder logic. Obviously the Stuxnet team had a lot of talent and time…but an attacker could choose a much more blunt instrument approach”, he observed.
“A sophisticated attacker would probably take the downloaded ladder logic from a Quantum PLC, load it in their own copy of Unity and modify it. An attacker who just wanted to make things stop working would just create nonsense or blank ladder logic to make things stop working”, he added.
For the second step, anyone with logical access can upload their own rogue ladder logic/program to the PLC to replace the legitimate program. This step is “identical to the Stuxnet end game in that it loads rogue ladder logic to the PLC”, Peterson said.