Is PLC Remote Mode Secure? Mike Holcomb Breaks It Down

Listen to this Post

Featured Image
🔗 ICS Arabia Podcast Episode 49

Mike Holcomb, founder of BSides ICS/OT, discusses his SANS master’s thesis on PLC security, covering:
– PLC operation modes & myths
– Research methodology & lab setup
– Findings on Click Plus & Micro820 PLCs
– Custom monitoring web app
– Future work & virtual hardware advice

You Should Know:

1. Testing PLC Security in a Lab

Use Virtual PLCs (OpenPLC, Codesys) or real hardware with Raspberry Pi as a Modbus gateway:

 Install OpenPLC on Linux 
git clone https://github.com/thiagoralves/OpenPLC_v3.git 
cd OpenPLC_v3 
./install.sh 

2. PLC Enumeration & Exploitation

Use Nmap to scan for open PLC ports (502 for Modbus):

nmap -p 502 --script modbus-discover.nse <target_IP> 

3. PLC Firmware Analysis

Extract firmware using Binwalk:

binwalk -e firmware.bin 

4. Detecting Remote Mode Exploits

Check for CVE-2022-29968 (Allen-Bradley) using Metasploit:

msfconsole 
use auxiliary/scanner/scada/modbus_findunitid 
set RHOSTS <PLC_IP> 
run 

5. Custom Web App for PLC Monitoring

Use Python + Flask for real-time PLC data logging:

from pyModbusTCP.client import ModbusClient 
c = ModbusClient(host="PLC_IP", port=502) 
if c.read_holding_registers(0, 10): 
print("PLC Data:", c.read_holding_registers(0, 10)) 

6. ICS/OT Hardening

Disable remote programming mode via PLC config:

 For Siemens S7 PLCs 
python3 s7scan.py --disable-remote <PLC_IP> 

What Undercode Say:

PLC remote modes are a critical attack surface—many devices default to insecure configurations. Always:
– Segment ICS networks (OT VLANs)
– Monitor Modbus/TCP traffic (Wireshark filters)
– Patch PLC firmware (Vendor advisories)
– Use ICS-aware SIEMs (e.g., Dragos, Nozomi)

Expected Output:

1. Nmap scan detects Modbus port 502 open. 
2. Binwalk extracts PLC firmware for analysis. 
3. Metasploit module confirms CVE-2022-29968 vulnerability. 
4. Custom Python script logs PLC register data. 

Prediction:

PLC attacks will rise as ransomware groups (e.g., LockBit 3.0) target OT networks. Expect AI-driven PLC fuzzing tools in 2024.

🔗 Further Reading:

References:

Reported By: Alhasawi Is – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram