To more clearly illustrate the behavior of the injected code, we’ve outlined the key events that would occur with an infected 315-2 CPU connected to multiple CP 342-5 modules each with 31 frequency converter drive slaves, as shown in the diagram below.
The PLC is infected.•
Frequency converter slaves • send records to their CP-342-5 master, building a frame of 31 records The CPU records the CP-342-5 addresses.
The frames are examined and the fields are recorded.•
After approximately 13 days, enough events have been recorded, showing the system has been operating • between 807 Hz and 1210 Hz.
The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to • 1410Hz.
Normal operation resumes.•
After approximately 27 days, enough events have been recorded.•
The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency • initially to 2Hz and then 1064Hz.
Normal operation resumes.•
After approximately 27 days, enough events have been recorded.•
The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to • 1410Hz.
Normal operation resumes.•
After approximately 27 days, enough events have been recorded.•
The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency • initially to 2Hz and then 1064Hz.#
Bookmarks