{
	"id": "d5904f02-3ceb-4954-b7c3-626708054fe1",
	"created_at": "2026-04-06T00:07:19.229057Z",
	"updated_at": "2026-04-10T03:20:34.38678Z",
	"deleted_at": null,
	"sha1_hash": "073b1f843b5a5d8eab431120ff678209f0253f9e",
	"title": "PLC-Blaster Worm Targets Industrial Control Systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36622,
	"plain_text": "PLC-Blaster Worm Targets Industrial Control Systems\r\nBy Tom Spring\r\nPublished: 2016-08-05 · Archived: 2026-04-05 17:18:03 UTC\r\nResearchers create a self-propagating worm that can infect a Siemens’ PLC and can be programmed to bring an\r\nindustrial control platform to its knees.\r\nLAS VEGAS – Security researchers at Black Hat USA described a proof-of-concept worm that targets weaknesses\r\nwithin automated industrial control systems used to manage critical infrastructure and manufacturing. The worm,\r\naccording to OpenSource Security, has the capability to autonomously search for and spread between networked\r\nprogrammable logic controllers (PLCs).\r\nPLC-Blaster was designed to target Siemens SIMATIC S7-1200 PLCs. Siemens is Europe’s biggest engineering\r\ncompany and a PLC market share leader. Siemens said in March shortly after the worm was unveiled at Black Hat\r\nAsia that the malware was not exploiting a vulnerability in Siemens gear. Maik Brüggemann, software developer\r\nand security engineer at OpenSource Security, said that worms like this one are a threat to any industrial network.\r\n“These are new threats to industrial control companies that have traditionally been well protected against attacks\r\nfrom the outside,” Brüggemann said. “It’s not unimaginable a PLC worm could be distributed by a component\r\nsupplier or internally. It’s not just Siemens that should be concerned. Worms represents a new threat to any\r\nindustrial network.”\r\nOn Thursday at Black Hat USA, Brüggemann showed how an attacker with physical or network access to a PLC\r\ncan manage to introduce the malware to the network and launch an attack. The worm can be programmed to carry\r\nout a number of different attacks. Or the infected PLCs can be programmed to automatically contact an attacker’s\r\ncommand-and-control server and be remotely controlled – assuming the PLCs is connected to the public Internet.\r\nAttack scenarios include shutting off or tampering with volatile critical infrastructure components.\r\nThe worm’s success is tied to PLC design flaws by Siemens that leave the PLC platform open to attack via the\r\nPLC’s management console called TIA Portal, the researchers assert. The first two have to do with computer code\r\nused to manage PLC access passwords, and serial numbers called Knowhow Protection and Copy Protection. The\r\nfeatures are missing integrity safeguards that allow an attacker to read, write and modify blocks of code pertaining\r\nto hashed passwords and serial numbers. Doing so cracks open a window for an attacker to bypass TIA Portal\r\nsoftware protections in order to upload PLC-Blaster inside the environment.\r\n“The built-in Knowhow protection forbids modifications of the user program on the PLC and prevents the\r\nextraction of the user program from the PLC. But we were able to figure out how to extract the user program,\r\ndisplay the source code, modify it and reinstall the program,” Brüggemann said.\r\nWith its defenses down, the malware can be uploaded to the PLC where it can wind its way through the network\r\ninfecting others.\r\nhttps://threatpost.com/plc-blaster-worm-targets-industrial-control-systems/119696/\r\nPage 1 of 2\n\nThe one caveat to the above scenario, Brüggemann said, is a Siemens Access Protection option that limits the\r\nfeatures of the protocol that is used to transfer software, or in this case the worm, to a PLC. The feature requires\r\nusers to enter another password before uploading new software. “We found no security flaw in this protection. But\r\nthe problem is this protection is off by default. If it is enabled, the worm needs to know the password and that’s\r\nusually not the case,” Brüggemann said.\r\nBrüggemann said what needs to change is the TIA Portal password protection for uploading new software needs to\r\nbe on by default so users are prompted for a password.\r\nWhen OpenSource Security took its findings to Siemens, the researchers were told there were no flaws in its PLC\r\nplatforms using its SIMATIC S7-1200 PLC. “We were told these were not vulnerabilities and that everything\r\nworked as expected,” Brüggemann said.\r\nWhen Threatpost reached out to Siemens for comment it reiterated it didn’t view OpenSource Security’s research\r\nas conclusive evidence its SIMATIC S7-1200 PLCs were vulnerable. “The demonstration at Black Hat uses a\r\nprototype worm spread via modification of the user program of unprotected SIMATIC S7-1200 v3 PLCs\r\n(unprotected means: with disabled PLC-function access protection and without following Operational\r\nGuidelines),” the company said in a statement.\r\nSiemens said its operational guidelines recommend enabling the Access Protection feature. However, Siemens in\r\nMarch did issue a security advisory (PDF) warning flaws “could possibly allow an attacker to circumvent user\r\nprogram block protections” in its SIMATIC S7-1200 PLCs.\r\n“With respect to the additional issues reported, which are unrelated to the prototype worm, these were resolved\r\n(CVE-2016-2846) and communicated with acknowledgement and thanks to Maik Brüggemann and Ralf\r\nSpenneberg,” the company said in an email interview.\r\nBrüggemann maintains the Access Protection configuration setting needs to be easier to find and that it also needs\r\nto be on by default to be safe.\r\n“These are not Siemens-specific problems. All these industrial control companies have been doing things the same\r\nway for the past 30 years. They need to develop new attitudes toward security to make devices secure,”\r\nBrüggemann said.\r\nSource: https://threatpost.com/plc-blaster-worm-targets-industrial-control-systems/119696/\r\nhttps://threatpost.com/plc-blaster-worm-targets-industrial-control-systems/119696/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/plc-blaster-worm-targets-industrial-control-systems/119696/"
	],
	"report_names": [
		"119696"
	],
	"threat_actors": [],
	"ts_created_at": 1775434039,
	"ts_updated_at": 1775791234,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/073b1f843b5a5d8eab431120ff678209f0253f9e.pdf",
		"text": "https://archive.orkl.eu/073b1f843b5a5d8eab431120ff678209f0253f9e.txt",
		"img": "https://archive.orkl.eu/073b1f843b5a5d8eab431120ff678209f0253f9e.jpg"
	}
}