Has been a problem for decades.
This sort of thing has been very common with industrial control software for at least 20 years that I can recall. Downloads of password crackers and cracked versions of (otherwise very expensive) copy protected programming software has been widely known to generally come full of all sorts of malware.
That anybody would fall for this shows if anything the naivety of the targets.
The main reasons for needing password crackers by the way are:
- Someone left the company on bad terms and put a password on some of the PLCs as a parting gift.
- The project engineering department has a "toss the project over the transom" relationship with the maintenance department, and any drawings, passwords, and backups the latter received were not "as built".
- The company bought some used machinery, and anybody who may have known what the password was is long out of the picture.
The above doesn't cover every reason, but it probably covers 99 per cent of cases.
Fortunately, passwords are only very rarely used on PLCs, as there's seldom any point to them. Out of many hundreds of PLCs that I've worked with, I can't recall seeing a password on any of them.
Any access control is usually handled by the fact that you typically need physical access to the PLC, a copy of the programming software, and a knowledge of how to use all of this in order to do anything with it. Some programming software uses access control passwords as part of the software rather than in the PLC itself.
Someone who was really determined to change the program in a PLC and had the physical access to it could just wipe the memory and reload a new copy of the program reconstructed from printouts.