Exploiting Omron's NEX PLC Runtime And Protocol

Video description: Exploiting Omron's NEX PLC Runtime And Protocol

While investigating CHERNOVITE capabilities, the Dragos team identified several vulnerabilities in Omron's NX and NJ series PLCs and the Sysmac Studio PLC programming software.

Logan describes the newly discovered protocol commands and a runtime debugger found on the PLC. This protocol has over 170 commands, 130 of which are undisclosed (CHERNOVITE only abused 40 commands).

Logan also discusses vulnerabilities found in this protocol and offers a few POCs we developed to highlight the potential impact on Industrial Control Systems (ICS). He finishes by presenting a demonstration of manipulating logic without ever changing the PLC's run mode, all by abusing undocumented/undisclosed protocol commands. The techniques and commands for all POCs presented are unique to this presentation and are currently unknown to the public.
