Concept of Virus in PLCs Software


Thread Starter


Does the virus concept also apply to PLC software?

And if yes,

what type of anti-virus may be used?
If you are that concerned I would just put your ethernet enabled PLCs behind their own firewall.

I've never heard of a PLC being hacked, but I suppose it is possible. Generally speaking you'd have to know a lot about the PLC to hack it.


curt wuollet

As far as I know virii are only a problem on the parts of your system that run on Windows, like the programming software and Windows based HMI and any OPC hosts or clients. Writing a virus in ladder logic would be interesting to say the least. The other languages could potentially provide the means but, virii, by definition, are written to infect large numbers of machines that are somehow connected and PLCs would be a very poor target in that regard. Besides, any 12 yr old can write or find a Windows virus. Very few have access to PLC tools. That is not to say that malware could not be written, but a self propagating virus is very unlikely. Automation systems could be pretty much immune, but instead are severely compromised by the inclusion of Windows in critical paths. It doesn't make any sense to do this, but the practice is fiercely defended and damn the security.


The short answer is yes, a virus could be tailored to specifically attack PLCs and embedded controllers.

A typical generic virus is probably not going to be able to do much damage (denial of service, maybe). The problem is, of course, there could be virus authors out there specifically targeting embedded controls, particularly in utilities.

Figuring out a delivery mechanism to get the virus onto a PC on an isolated control network is the hardest part; without an "inside man" they would have to somehow get the plant operators to download and run a trojan themselves, or hack through multiple layers of networks and firewalls.

How likely is this? IMO, far too much of the industry relies on security through obscurity and physical isolation of control networks, and we are just begging for trouble. Standards are being tightened up through NERC/FERC regulations, but how fast and by how much?

Because of the isolated networks, the most probable vectors for infection are people plugging laptops into control networks, and unauthorized software on PCs on the network. For the systems I deal with, recent versions are taking the problem seriously (i.e. detecting and isolating unauthorized devices on switches, limiting user access, shutting down support for USB drives, etc.). Older products, however, are largely vulnerable, and I could see a targeted attack succeeding.

The person doing the targeting would need to be familiar with the control system in question, but probably only need minimal skills as a virus author to do a lot of damage.
A virus or worm in the PLC application software itself? Very, very unlikely. You are at MUCH greater risk of someone hacking your system by deliberately writing malicious code directly in your PLC.

In the Windows based SCADA / HMI? Yes of course. Talk to your HMI supplier but any reputable Firewall and AV software is usually suitable.

While you are unlikely to get a virus on the PLC itself, the HMI and programming tools are at risk and you should be concerned about overall security in your complete control system.

If you are talking about "PLC" as in a conventional PLC running in dedicated hardware, I have never heard of a virus that would run on one. If you are talking about a soft logic system which is software running on a PC, it would be subject to whatever viruses the platform itself is subject to.

Viruses are an MS Windows problem that are almost unknown anywhere else. If you are using MS Windows (any version), you are subject to all the typical security problems with MS Windows. If you are using anything else, it isn't a problem worth worrying about.

The real problem that you would have is when you have a PC using MS Windows on the same network as PLCs or computers which use other operating systems. The computer with MS Windows can get a virus (or worm) and then spew out so much garbage on the network that the other devices can't communicate. This type problem has knocked out control systems in plants (including at least one nuclear reactor in the US).

In practice, what most people seem to do is cross their fingers and pray.
I fully agree with cww. It is a useless debate to talk about virus infection in a PLC. To understand it better, we should first accept the fact that a virus is supposed to be code written in a programming language which needs an execution platform of an operating system like Microsoft Windows. Anyone who has knowledge of PLC architecture would accept the fact that the OS inside PLCs is basically firmware code which is proprietary to the PLC manufacturer and cannot be decoded / tampered with for writing virus logic in ladder or any other low-level language. The project code written in ladder or any such language is compiled and converted into binary code which is executed by the OS designed & developed by the respective PLC manufacturer for the respective series of PLC. Virus infection in a PLC seems to be an absurd thing that an inefficient programmer may try to use as a justification if he is not able to write the logic and has left some logical bugs in the program.

SITEK Automation (Advance Training Unit)
Thanks all for the detailed replies.

Some replies are not so sweet to read, but to gain knowledge, rubbish also sometimes gets noticed.

But a rubbish attitude is rubbish.

Once again, thanks.
PLCs and industrial controllers are just computers like any other, and just because it isn't Windows doesn't mean it is safe. In fact, the relatively small size of the market and the assumption of physically isolated networks has led to very lax standards on security issues that the wider software industry could not get away with. For example, the hard-coded password for the root account on some controllers I have used is "password". Seriously. Less obviously, industrial communications protocols are often easily spoofed, and the services on the controller are often not hardened against elementary hacking techniques like buffer overruns.

The isolation of the network had better be good! Unfortunately, I have been to sites where somebody has connected the control network to the plant network, enabled IP forwarding on PCs that are on both networks, installed malware-infested software on operator workstations, and made other similarly boneheaded mistakes.
For a dedicated attack or malware, no, PLCs are not immune and they are not very secure. But we were talking about viruses, which is a much different subject. A PLC with a virus is like the sound of one hand clapping; propagation is extremely unlikely. And because of their insular and diverse nature, even with the trivial security, they are many orders of magnitude less likely to be infected than the parts of your system that depend on the best, most frequent, and most favorable virus host the world has ever known. Very few of the PLCs in a typical factory could even run the same virus binary, and one broken link stops propagation. A virus would almost have to be written in machine code and merged into the executive, and then many would detect the change in checksum and simply not boot. As a contrast, anyone can find, and many can write, a virus that will run on any and every Windows machine in the plant, of which there may be dozens, if not hundreds. This has been demonstrated over and over. Infection of the Windows herd is quite routine. There's a whole industry set up to mitigate. So they really are at far opposite ends of the spectrum as regards automated infection. That's what makes it so utterly illogical that engineers, people who should know this, routinely build important, if not crucial, systems that are co-dependent on Windows with their PLCs. _And_ they are interconnected. This is a best case for virii. And they are somehow able to rationalize this to other people who should know better. What's wrong with this picture? No one dares to mention that the Emperor is buck naked, and they hate you if you do. Feel free to challenge any untruths in this assessment.



If your PLC is isolated (not on a network), then the only feasible avenue for infection is the deliberate insertion of malicious code by someone internally. If a connection exists to some PC, then a virus could exist that communicates information to the PLC.

My experience is with Mitsubishi PLCs, and we issue commands to the PLC to read/write information to its data registers. Not sure if the code can be modified, but changing the data can be disastrous.
>Google stuxnet plc virus

Not a true virus.

Someone rewrote standard Siemens PLC function blocks so that they would perform damaging actions, i.e. rapidly cycling speed control output, while showing output and speed to be normal.

To get hacked function blocks into a PLC program, they have to be there from the beginning. Changing a function block for an existing program may flag a change in the program and may require a recompile and a total download.

Depends on the PLC system, but those hacked function blocks cannot propagate themselves into a running program.
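The post above notes that a changed function block "may flag a change in the program". The following is an added example (not from the thread or any vendor tool) of doing that flagging out-of-band: hash each block exported from the controller and compare against a baseline kept off the control network, so a rewritten block or an unexpected new data block shows up even if the engineering station is compromised. Block names and bytes are constructed for illustration.

```python
import hashlib
from typing import Dict, List

# Constructed sample export of a PLC program: block name -> compiled block bytes.
# The bytes are made up for illustration and are not real Siemens block contents.
BASELINE_BLOCKS: Dict[str, bytes] = {
    "OB1":  b"OB1:  call FC1; call FB35",
    "FC1":  b"FC1:  read inputs; scale; write DB10",
    "FB35": b"FB35: drive speed control; write DB10",
    "DB10": b"DB10: " + bytes(16),
}


def block_hashes(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 per block; the baseline copy should be stored off the control network."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in blocks.items()}


def audit_program(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare blocks read back from the controller against the stored baseline.

    Returns the names of blocks whose contents changed, blocks that appeared
    without an authorised change (e.g. a new data block), and blocks missing.
    """
    now = block_hashes(current)
    return {
        "modified": sorted(n for n in baseline if n in now and now[n] != baseline[n]),
        "added": sorted(n for n in now if n not in baseline),
        "missing": sorted(n for n in baseline if n not in now),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed 'after' state: FB35 rewritten and an extra DB890 appeared."""
    current = dict(BASELINE_BLOCKS)
    current["FB35"] = b"FB35: drive speed control; write DB10; read DB890"
    current["DB890"] = b"DB890: " + bytes(16)
    return audit_program(block_hashes(BASELINE_BLOCKS), current)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names or '-'}")
```

The baseline hashes must be taken from a known-good export and verified against what is actually read back from the PLC, not from the project file on the engineering PC, since that is exactly what a compromised programming station would alter.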
>Depends on the PLC system, but those hacked function blocks
>cannot propagate themselves into a running program.

You are probably correct that the reprogrammed blocks will not propagate between PLC's, but a virus on a PC can propagate and reprogram the PLC it is connected to. So unless you use a local keypad and no networking or PC, the device is at risk. Granted, this is not something a bunch of kids is going to do, but there is still a risk from the State sponsored players.

"Stuxnet 0.5 could spread only by infecting Step 7 project files—the files used to program Siemens PLCs. This version, however, could spread via USB flash drives using the Windows Autorun feature or through a victim’s local network using the print-spooler zero-day exploit..."

"The worm consists of a layered attack against three different systems:
The Windows operating system,
Siemens PCS 7, WinCC and STEP7 industrial software applications that run on Windows and
One or more Siemens S7 PLCs."

"PLC infection
The entirety of the Stuxnet code has not yet been disclosed, but its payload targets only those SCADA configurations that meet criteria that it is programmed to identify.[36]

Stuxnet requires specific slave variable-frequency drives (frequency converter drives) to be attached to the targeted Siemens S7-300 system and its associated modules. It only attacks those PLC systems with variable-frequency drives from two specific vendors: Vacon based in Finland and Fararo Paya based in Iran.[61] Furthermore, it monitors the frequency of the attached motors, and only attacks systems that spin between 807 Hz and 1210 Hz. The industrial applications of motors with these parameters are diverse, and may include pumps or gas centrifuges.

Stuxnet installs malware into memory block DB890 of the PLC that monitors the Profibus messaging bus of the system.[52] When certain criteria are met, it periodically modifies the frequency to 1410 Hz and then to 2 Hz and then to 1064 Hz, and thus affects the operation of the connected motors by changing their rotational speed.[61] It also installs a rootkit – the first such documented case on this platform – that hides the malware on the system and masks the changes in rotational speed from monitoring systems."

Seems it was a PLC virus that interfered with specific SCADA-related memory addresses.
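The quoted description says the drives were pushed to 1410 Hz, 2 Hz and 1064 Hz while the PLC-resident rootkit masked the change from monitoring systems. A defensive consequence is that speed telemetry has to be checked on a path the PLC does not control. The following is an added example (not code from the thread or from any vendor) that runs three simple rules over constructed samples from an independent sensor and the HMI display: out-of-band frequency, implausible step between samples, and sensor/HMI disagreement. The operating band is the one quoted above; the step and tolerance limits are assumptions.

```python
from typing import List, Tuple

# Operating band quoted in the thread for the targeted drives, in Hz.
NORMAL_BAND_HZ = (807.0, 1210.0)
# Assumptions for this example: largest credible change between consecutive
# samples, and how far an independent sensor may disagree with the HMI value.
MAX_STEP_HZ = 50.0
HMI_TOLERANCE_HZ = 5.0

# Constructed telemetry: (seconds, frequency from an independent sensor on the
# drive output, frequency the HMI displays). The HMI column is deliberately
# frozen near a normal value while the sensor sees the excursion.
SAMPLES: List[Tuple[int, float, float]] = [
    (0, 1064.0, 1064.0),
    (1, 1066.0, 1066.0),
    (2, 1410.0, 1065.0),
    (3, 1410.0, 1064.0),
    (4, 2.0, 1064.0),
    (5, 1064.0, 1064.0),
]


def detect_anomalies(samples=SAMPLES, band=NORMAL_BAND_HZ, max_step=MAX_STEP_HZ,
                     tolerance=HMI_TOLERANCE_HZ) -> List[Tuple[int, str]]:
    """Return (time, reason) alerts; each rule uses only data outside the PLC/HMI path."""
    alerts: List[Tuple[int, str]] = []
    lo, hi = band
    prev = None
    for t, sensor_hz, hmi_hz in samples:
        if not lo <= sensor_hz <= hi:
            alerts.append((t, f"sensor {sensor_hz} Hz outside band {lo}-{hi} Hz"))
        if prev is not None and abs(sensor_hz - prev) > max_step:
            alerts.append((t, f"step of {abs(sensor_hz - prev)} Hz exceeds {max_step} Hz"))
        if abs(sensor_hz - hmi_hz) > tolerance:
            alerts.append((t, f"HMI shows {hmi_hz} Hz but sensor reads {sensor_hz} Hz"))
        prev = sensor_hz
    return alerts


def alert_times(samples=SAMPLES) -> List[int]:
    """Distinct sample times that raised at least one alert."""
    return sorted({t for t, _ in detect_anomalies(samples)})


if __name__ == "__main__":
    for t, reason in detect_anomalies():
        print(f"t={t}s: {reason}")
```

The HMI-mismatch rule is the one a masking rootkit defeats least easily, because the sensor value never passes through the controller that is lying.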