{
	"id": "1382c923-ebbc-46ca-a16e-f223ee10ecf9",
	"created_at": "2026-04-06T00:11:52.709958Z",
	"updated_at": "2026-04-10T03:21:13.664135Z",
	"deleted_at": null,
	"sha1_hash": "c92d949ba5840274f6d2c3f0e22442237c2687a1",
	"title": "PLC Worms Can Pose Serious Threat to Industrial Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 173860,
	"plain_text": "PLC Worms Can Pose Serious Threat to Industrial Networks\r\nBy Eduard Kovacs\r\nPublished: 2016-05-09 · Archived: 2026-04-02 12:03:52 UTC\r\nResearchers have created an experimental worm that is capable of spreading from one programmable logic\r\ncontroller (PLC) to another without needing a PC or a server.\r\nThe worm, detailed at the recent Black Hat Asia conference by researchers from OpenSource Security, is dubbed\r\n“PLC-Blaster” and it’s designed to target Siemens SIMATIC S7-1200v3 controllers.\r\nBuilding on previous research showing that a piece of malware can run on a PLC, experts used the Structured Text\r\n(ST) language to develop a worm that leverages the PLC’s communication features to spread from one device to\r\nanother.\r\nPLC-Blaster was written like a regular worm, but with some constraints that are specific to PLCs. Experts believe\r\nthat the most likely infection vector involves distribution of the worm by an industrial component supplier, or\r\ninfection of the device during transport.\r\nOnce an infected Siemens SIMATIC device is installed on a network, the worm starts scanning TCP port 102 for\r\nother similar systems. If the identified PLC is not already infected, the worm stops it for roughly 10 seconds,\r\ntransfers its code to the target, and starts it again. This process is then repeated for every possible target.\r\nAccording to researchers, their worm replicates itself on the targeted PLC by mimicking the Siemens TIA-Portal.\r\nThe malware leverages a vulnerability in SIMATIC S7-1200 CPUs that Siemens patched with the release of\r\nversion 4.\r\nhttps://www.securityweek.com/plc-worms-can-pose-serious-threat-industrial-networks/\r\nPage 1 of 3\n\nResearchers also implemented some malicious functionality to demonstrate the impact of PLC-Blaster. 
The\r\nmalware can contact a command and control (C\u0026C) server, it can act as a Socks4 proxy, it can cause a denial-of-service (DoS) condition on the infected PLC, and it can manipulate outputs.\r\nOpenSource Security researchers noted that the worm can be detected based on the 10-second interruptions caused\r\nto the PLC during infection or the unusual network traffic generated by the threat. Since it’s stored on the PLC, the\r\nmalware is persistent across a restart of the device, but it does get removed after a factory reset or if the\r\norganization block (OB) it’s stored in is overwritten.\r\n“Attacking industrial systems by means of malware or worms is not a new technique. This form of attack has been\r\ndemonstrated previously in other research projects such as Rockwell and Stuxnet, although the PLC worm is the\r\nfirst of its kind to be utilised without a large budget behind it,” Jalal Bouhdada, founder and principal ICS security\r\nconsultant at Applied Risk, told SecurityWeek. 
“This worm demonstrates that both hackers and the security\r\ncommunity are now increasingly focussed on industrial control systems and their associated vulnerabilities.”\r\nPLC worms in the wild and other implications\r\nBouhdada believes these types of PLC worms will likely be seen in the wild.\r\n“It is just a matter of time until we see the first worm in the wild exploiting these vulnerabilities,” the expert said.\r\n“Hacking industrial systems was previously reserved for the few with access to very expensive equipment, and\r\nwhile the PLC worm targets OT directly, IT systems remain the main point of access for any potential breach due\r\nto their compatibility with existing malware packages.”\r\nMartin Jartelius, CSO of vulnerability management company Outpost24, pointed out that there are other aspects\r\nthat need to be taken into consideration.\r\n“The research is interesting and of course fascinating. It should however be noted that most of the time RCE\r\n(Remote Code Execution) vulnerabilities in network-exposed services always give an opening for a worm, but the\r\nuse of those is today more rare. It is noisy, your operations will be detected, and the portscanner component very\r\nquickly draws attention to the infected devices, leading to cleanups. It is simply not a good investment of time and\r\neffort from most attackers’ perspective,” Jartelius said via email.\r\n“Propagation on the local network however makes more sense, i.e. if one device is Internet-exposed, other similar\r\ndevices on the internal networks can be breached via the first. 
In essence, the code has justification from an\r\nattacker perspective, but if we see it used properly, it is not in the worm format,” he added.\r\n“We will see worms every now and then of course – kids will be kids – but the remote installation and\r\ncommand/control component is more serious than the potential of creating a worm,” the expert noted.\r\nMitigating the threat\r\n“In order to minimise the damage that can be caused by malware such as the PLC worm, organisations must\r\nsolidify the security of their supply chains, ensure their industrial assets are identified and undertake embedded\r\nsecurity assessments,” Bouhdada explained. “The PLC worm is a strong signal to industry that critical\r\ninfrastructure requires significant protection, with suppliers and asset owners working closely together to ensure\r\nthe safe and reliable operation of these environments.”\r\nJartelius advises organizations to protect their systems against such threats by following the recommendations\r\nfrom the Center for Internet Security’s Critical Security Controls (CSC). These include inventorying devices and\r\nsoftware, ensuring that both hardware and software systems have secure configurations, controlled use of\r\nadministrative privileges, and continuous vulnerability assessment and remediation.\r\nSource: https://www.securityweek.com/plc-worms-can-pose-serious-threat-industrial-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.securityweek.com/plc-worms-can-pose-serious-threat-industrial-networks/"
	],
	"report_names": [
		"plc-worms-can-pose-serious-threat-industrial-networks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434312,
	"ts_updated_at": 1775791273,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c92d949ba5840274f6d2c3f0e22442237c2687a1.pdf",
		"text": "https://archive.orkl.eu/c92d949ba5840274f6d2c3f0e22442237c2687a1.txt",
		"img": "https://archive.orkl.eu/c92d949ba5840274f6d2c3f0e22442237c2687a1.jpg"
	}
}