Exfiltrating Reconnaissance Data from Air-Gapped ICS/SCADA Networks By Injecting Ladder Logic Code into PLCs

July 30, 2019

First presented at SecurityWeek's 2017 ICS Cyber Security Conference, this talk explains how specially crafted ladder logic code injected into a Siemens S7-1200 PLC can turn the controller into a covert radio transmitter. The injected code uses memory copy operations to generate frequency-modulated RF emissions slightly below the AM broadcast band (340 kHz to 420 kHz), with the modulation carrying encoded reconnaissance data. Because the channel is electromagnetic rather than network-based, it crosses the air gap: the emissions can be picked up by a nearby antenna and decoded with a low-cost Software-Defined Radio (SDR) and a PC, and the receiving equipment can sit just outside the facility or even be mounted on a drone flying overhead.
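The receiving side of such a channel is ordinary SDR signal processing. The following is an added example, not code from the talk or its authors: it assumes (the talk does not specify this) that the PLC alternates between a 340 kHz tone for a 0 bit and a 420 kHz tone for a 1 bit at a fixed symbol rate, and that the SDR delivers real-valued samples at 2 MS/s. The `fsk_modulate` function is a constructed stand-in for the PLC emitter so the receiver can be exercised offline; `fsk_demodulate` is the part an analyst would run against a real capture, measuring each symbol window's energy at the two tones with the Goertzel algorithm and packing the winning bits back into bytes.

```python
"""Two-tone FSK receiver for an RF covert channel (added example, assumptions noted)."""
import math
import random

FS = 2_000_000              # sample rate in Hz, typical of a low-cost SDR (assumed)
BAUD = 10_000               # symbols per second (assumed, not from the talk)
N = FS // BAUD              # samples per symbol: 200
F0, F1 = 340_000, 420_000   # tone for bit 0 / bit 1; both land exactly on a Goertzel bin at N=200


def fsk_modulate(data: bytes, noise_sigma: float = 0.3, seed: int = 1) -> list[float]:
    """Constructed stand-in for the PLC emitter: continuous-phase FSK plus Gaussian noise.

    Bits are sent MSB-first, one tone per symbol window of N samples.
    """
    rng = random.Random(seed)
    phase = 0.0
    out = []
    for byte in data:
        for i in range(7, -1, -1):
            f = F1 if (byte >> i) & 1 else F0
            step = 2 * math.pi * f / FS
            for _ in range(N):
                out.append(math.sin(phase) + rng.gauss(0.0, noise_sigma))
                phase = (phase + step) % (2 * math.pi)
    return out


def goertzel_power(window, freq: float) -> float:
    """Energy of `window` at `freq`: a single DFT bin via the Goertzel recurrence."""
    n = len(window)
    k = round(n * freq / FS)            # nearest bin index
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in window:
        s = x + coeff * s1 - s2
        s2, s1 = s1, s
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def fsk_demodulate(samples) -> bytes:
    """Slice the capture into symbol windows, keep the stronger tone, pack bits MSB-first.

    Assumes the capture starts on a symbol boundary; a real receiver would first
    search for a preamble to align the windows.
    """
    bits = []
    for start in range(0, len(samples) - N + 1, N):
        window = samples[start:start + N]
        bits.append(1 if goertzel_power(window, F1) > goertzel_power(window, F0) else 0)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


if __name__ == "__main__":
    capture = fsk_modulate(b"PLC S7-1200")     # constructed sample capture
    print(fsk_demodulate(capture))             # b'PLC S7-1200'
```

Both tones sit on exact Goertzel bins at 200 samples per symbol, so a clean tone contributes nothing to the other bin and the decision is robust against the added noise; a real capture would additionally need symbol-timing recovery and a preamble for frame alignment, which this example leaves out. The defensive counterpart is the same measurement run continuously: unexpected narrowband energy in this range near a PLC cabinet, correlated with controller activity, is the signature a spectrum monitor would look for.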
