Listen to this Post

🔗 ICS Arabia Podcast Episode 49
Mike Holcomb, founder of BSides ICS/OT, discusses his SANS master’s thesis on PLC security, covering:
– PLC operation modes & myths
– Research methodology & lab setup
– Findings on Click Plus & Micro820 PLCs
– Custom monitoring web app
– Future work & virtual hardware advice
You Should Know:
1. Testing PLC Security in a Lab
Use Virtual PLCs (OpenPLC, Codesys) or real hardware with Raspberry Pi as a Modbus gateway:
Install OpenPLC on Linux git clone https://github.com/thiagoralves/OpenPLC_v3.git cd OpenPLC_v3 ./install.sh
2. PLC Enumeration & Exploitation
Use Nmap to scan for open PLC ports (502 for Modbus):
nmap -p 502 --script modbus-discover.nse <target_IP>
3. PLC Firmware Analysis
Extract firmware using Binwalk:
binwalk -e firmware.bin
4. Detecting Remote Mode Exploits
Check for CVE-2022-29968 (Allen-Bradley) using Metasploit:
msfconsole use auxiliary/scanner/scada/modbus_findunitid set RHOSTS <PLC_IP> run
5. Custom Web App for PLC Monitoring
Use Python + Flask for real-time PLC data logging:
from pyModbusTCP.client import ModbusClient
c = ModbusClient(host="PLC_IP", port=502)
if c.read_holding_registers(0, 10):
print("PLC Data:", c.read_holding_registers(0, 10))
6. ICS/OT Hardening
Disable remote programming mode via PLC config:
For Siemens S7 PLCs python3 s7scan.py --disable-remote <PLC_IP>
What Undercode Say:
PLC remote modes are a critical attack surface—many devices default to insecure configurations. Always:
– Segment ICS networks (OT VLANs)
– Monitor Modbus/TCP traffic (Wireshark filters)
– Patch PLC firmware (Vendor advisories)
– Use ICS-aware SIEMs (e.g., Dragos, Nozomi)
Expected Output:
1. Nmap scan detects Modbus port 502 open. 2. Binwalk extracts PLC firmware for analysis. 3. Metasploit module confirms CVE-2022-29968 vulnerability. 4. Custom Python script logs PLC register data.
Prediction:
PLC attacks will rise as ransomware groups (e.g., LockBit 3.0) target OT networks. Expect AI-driven PLC fuzzing tools in 2024.
🔗 Further Reading:
References:
Reported By: Alhasawi Is – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


