PCaaD: Towards automated determination and exploitation of industrial systems
Computers & Security (IF 4.8), Pub Date: 2021-08-08, DOI: 10.1016/j.cose.2021.102424
Benjamin Green, Richard Derbyshire, Marina Krotofil, William Knowles, Daniel Prince, Neeraj Suri

Over the last decade, Programmable Logic Controllers (PLCs) have been increasingly targeted by attackers seeking control over the industrial processes that support critical services. Such targeted attacks typically require detailed knowledge of system-specific attributes, including hardware configurations, adopted protocols, and PLC control logic, i.e., process comprehension. The consensus among both academics and practitioners is that obtaining stealthy process comprehension from a PLC alone, sufficient to execute targeted attacks, is impractical. In contrast, we assert that current PLC programming practices open the door to a new vulnerability class, affording attackers an increased level of process comprehension. To support this, we propose the concept of Process Comprehension at a Distance (PCaaD), a novel methodological and automatable approach to the system-agnostic identification of PLC library functions. This enables targeted exfiltration of operational data, manipulation of control-logic behaviour, and the establishment of covert command and control channels through unused memory. We validate PCaaD on widely used PLCs through its practical application.
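The abstract describes identifying PLC library functions system-agnostically and then using unused memory for a covert channel. The sketch below is an added illustration of that idea and is not the paper's code or method: it treats each library function block as having a fixed instance-data layout, matches those layouts against a memory image read from a controller, and then lists zero-filled regions not claimed by any identified block. The timer and PID layouts, the plausibility ranges, the double-word alignment assumption, and the 64-byte memory image are all constructed for the example.

```python
"""
Added illustration of the PCaaD idea (not the paper's code): identify library
function-block instances in a PLC memory image by their structural layout, then
list unclaimed zero-filled regions that could host a covert channel.
"""
import math
import struct
from dataclasses import dataclass
from typing import Any, Callable, List, Tuple

Predicate = Callable[[Any], bool]


@dataclass(frozen=True)
class Field:
    offset: int      # byte offset inside the instance data
    fmt: str         # struct format (big-endian, as many PLC families use)
    ok: Predicate    # plausibility check on the decoded value


@dataclass(frozen=True)
class BlockSignature:
    name: str
    size: int
    fields: Tuple[Field, ...]
    invariant: Callable[[List[Any]], bool]   # cross-field relation


def _u32_in(lo: int, hi: int) -> Predicate:
    return lambda v: lo <= v <= hi


def _f32_plausible(v: float) -> bool:
    # Finite, with a magnitude that rules out subnormals and bit-pattern garbage.
    return math.isfinite(v) and 1e-3 <= abs(v) <= 1e6


# Hypothetical on-delay timer instance: preset (ms), elapsed (ms), status byte, 3 pad bytes.
TIMER = BlockSignature("timer_on_delay", 12, (
    Field(0, ">I", _u32_in(1, 3_600_000)),
    Field(4, ">I", _u32_in(0, 3_600_000)),
    Field(8, ">B", lambda s: s & 0xFC == 0),          # only two status bits defined
    Field(9, ">3s", lambda p: p == b"\x00\x00\x00"),  # alignment padding
), invariant=lambda v: v[1] <= v[0])                   # elapsed never exceeds preset

# Hypothetical PID instance: setpoint, process value, gain, integral time (all REAL).
PID = BlockSignature("pid_controller", 16, (
    Field(0, ">f", _f32_plausible),
    Field(4, ">f", _f32_plausible),
    Field(8, ">f", lambda g: _f32_plausible(g) and 0 < g <= 1000),
    Field(12, ">f", lambda t: _f32_plausible(t) and 0 < t <= 1e5),
), invariant=lambda v: True)

SIGNATURES = (TIMER, PID)


def match_at(memory: bytes, sig: BlockSignature, off: int) -> bool:
    """True if every field of `sig` decodes plausibly at `off` and the invariant holds."""
    if off + sig.size > len(memory):
        return False
    values = []
    for f in sig.fields:
        (v,) = struct.unpack_from(f.fmt, memory, off + f.offset)
        if not f.ok(v):
            return False
        values.append(v)
    return sig.invariant(values)


def scan(memory: bytes, sigs=SIGNATURES, stride: int = 4) -> List[Tuple[int, str, int]]:
    """Return (offset, block name, size) for each signature that fits at an aligned
    offset. Stride 4 assumes double-word alignment of instance data (an assumption)."""
    hits = []
    smallest = min(s.size for s in sigs)
    for off in range(0, len(memory) - smallest + 1, stride):
        for sig in sigs:
            if match_at(memory, sig, off):
                hits.append((off, sig.name, sig.size))
    return hits


def unused_regions(memory: bytes, hits, min_len: int = 8) -> List[Tuple[int, int]]:
    """Zero-filled runs of at least `min_len` bytes not covered by an identified block."""
    occupied = bytearray(len(memory))
    for off, _name, size in hits:
        occupied[off:off + size] = b"\x01" * size
    regions, start = [], None
    for i, b in enumerate(memory):
        free = b == 0 and not occupied[i]
        if free and start is None:
            start = i
        elif not free and start is not None:
            if i - start >= min_len:
                regions.append((start, i - start))
            start = None
    if start is not None and len(memory) - start >= min_len:
        regions.append((start, len(memory) - start))
    return regions


def analyse(memory: bytes) -> dict:
    hits = scan(memory)
    return {"blocks": hits, "unused": unused_regions(memory, hits)}


# Constructed 64-byte memory image (not captured from a real controller):
# a timer instance at 0, 20 unused bytes, a PID instance at 32, 16 unused bytes.
SAMPLE_MEMORY = (
    struct.pack(">IIB3x", 5000, 1200, 0x01)
    + bytes(20)
    + struct.pack(">ffff", 50.0, 48.5, 2.5, 10.0)
    + bytes(16)
)

if __name__ == "__main__":
    print(analyse(SAMPLE_MEMORY))
```

Structural matching of this kind is only a first pass: a zero byte is not proof that memory is unused, and a single snapshot cannot distinguish a timer from data that merely looks like one, so in practice one would confirm candidates by reading repeatedly and checking that the invariants (elapsed counting up toward a constant preset, for instance) hold over time.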

Updated: 2021-08-27