There has been talk about hackers counterfeiting modules such as PLC
processor modules which contain rogue firmware but look and act like the
real thing.

Has anyone run into any situation which supports this?? Appreciated thank
you

Cheers from: Jeremy Pollard, CET The Caring Canuckian!
Crisis, necessity, change

Integrator, Educator, Consulting, Columnist – Control Design

 

It isn't impossible to load rogue firmware in to a PLC, but I have not heard of any places where this has been done successfully.

The reason why it probably hasn't happened yet is because it would require intimate knowledge of both the PLC and the processes it controls. It would require strong motivation to do significant harm.

The closest that I have heard of is the Triton/Trisis/Hatman attack against a middle eastern company. However in that case they were only attempting to insert additional application code, not the firmware itself.

So I'd have to conclude that it requires enough surveillance and knowledge that it is likely other methods would be used first.

 

What you're describing is called a supply chain attack, and is a grave concern across the industrial controls industry.

Probably the best known example is Stuxnet, where PLCs were apparently tampered with before even making it to Iran.

Counterfeit devices are possible, especially for individual components. Fake or relabeled parts can be difficult to detect, which leads big companies that care about their reputation to stick with known, vetted suppliers even at a higher cost. Most of these counterfeits are just trying to squeeze more money out of the rock rather than being malicious. However, part substitutions like this can lead to vulnerabilities and early failures.

Counterfeiting the whole PLC, well, I've seen it done--entire board layouts copied by Chinese manufacturers right down to the contents of EPROM memory. It would be tougher to do today--copying a 32-layer PCB is a bit harder than the old two-layer boards. Again, they are doing it for profit, but nothing saying they couldn't have inserted some malicious code, similar to the Trans-Siberian pipeline incident in '82.