Slashdot Mirror


Industrial Control Software Easily Hackable

jfruh writes "CoDeSys, a piece of software running on industrial control systems from hundreds of vendors, has been revealed to be easily hackable by security researchers, giving rise to a scenario where computer hacking could cross the line into the physical world. Worse, many of these systems are unnecessarily connected to the Internet, which is a terrible, terrible idea."

5 of 194 comments

  1. Re:Licensing. It's all about licensing. by Anonymous Coward · Score: 2, Insightful

    The only 1-time internet activation required on Allen Bradley equipment is the computer software (RSLogix 500/5000) to program the PLCs, AB PLCs don't need to be activated ever. (new or old).

    As a PLC/PAC guy I am a HUGE fan of Ethernet/IP. It is the best fucking thing ever and people on this thread have no clue about the security of this technology. Try difficult (servos) programming with DeviceNET. It's a fucking joke and a waste of time, old technology. We have to have access to 100's of PLCs on our network to 1 computer for data acquisition for the scale weights, which gets emailed to our QA people. It's impracticable any other way.

    Steps to make Ethernet/IP secure (Allen Bradley in particular)... reminder I am an AC
    1) Keep the physical key-switch on the PLC in RUN MODE. No virus/program can write to the PLC when it is in this mode (excluding global tags/variables, so intelligent programming is required).
    2) Firewall, limiting the Ethernet locations that can access the network. We only have 2 ports accessible in our entire plant (outside of the plant floor). Everyone else is denied. And lock those computers down hardcore.
    3) Keep it on a separate subnet (more for speed than security).

    The only thing that scares me is Remote IO over Ethernet/IP (Flexlogix)... because it takes A FULL MINUTE to acquire/connect an IP address at startup before all the moving objects get set to their default positions, and that's more of a safety than a security issue.
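    The AC's three steps (key-switch in RUN, a firewall that lets only two workstations reach the PLCs, a separate control subnet) leave a trail in network evidence that a defender can audit. The block below is an added example, not code from the poster or from Slashdot: it runs constructed flow records through that policy and flags EtherNet/IP sessions (TCP/UDP 44818 explicit messaging, UDP 2222 implicit I/O, the ODVA default ports) that reach the PLC subnet from anything other than the two allowed engineering stations or another node on the control subnet itself. The subnets, addresses and record format are assumptions made for the example.

```python
import ipaddress

# EtherNet/IP (CIP) transport ports: ODVA defaults for explicit and implicit messaging.
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Hypothetical plant layout, constructed for this example: the control subnet,
# the plant's overall private address space, and the two engineering
# workstations that the comment's firewall policy allows through.
PLC_SUBNET = ipaddress.ip_network("10.20.0.0/24")
PLANT_SPACE = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_ENGINEERING = {ipaddress.ip_address("10.10.5.11"),
                       ipaddress.ip_address("10.10.5.12")}

def parse_flow(line):
    """Parse a constructed flow record of the form '<proto> <src>:<sport> -> <dst>:<dport>'."""
    proto, src, _, dst = line.split()
    sip, _ = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto.lower(), ipaddress.ip_address(sip), ipaddress.ip_address(dip), int(dport)

def classify_flow(line):
    """Return a finding string if the flow violates the policy, or None if it is permitted."""
    proto, sip, dip, dport = parse_flow(line)
    if dip not in PLC_SUBNET or (proto, dport) not in ENIP_PORTS:
        return None  # not EtherNet/IP traffic aimed at the control subnet; out of scope
    if sip in PLC_SUBNET:
        return None  # controller-to-remote-I/O traffic inside the control subnet is expected
    if sip not in PLANT_SPACE:
        return f"CRITICAL: source {sip} outside plant address space reached PLC {dip} ({proto}/{dport})"
    if sip not in ALLOWED_ENGINEERING:
        return f"ALERT: {sip} is not an allowed engineering station but reached PLC {dip} ({proto}/{dport})"
    return None

def audit(lines):
    """Run every flow record through the policy and collect the findings."""
    return [f for f in (classify_flow(line) for line in lines) if f]

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "tcp 10.10.5.11:50211 -> 10.20.0.7:44818",  # allowed engineering station
    "udp 10.20.0.7:2222 -> 10.20.0.9:2222",     # PLC to remote I/O, same subnet
    "tcp 10.30.8.44:51002 -> 10.20.0.7:44818",  # office PC not on the allow list
    "tcp 203.0.113.5:4411 -> 10.20.0.7:44818",  # source outside the plant's address space
    "tcp 10.30.8.44:51003 -> 10.30.8.1:443",    # unrelated web traffic
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```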

  2. Re:no need for internet connectivity by gman003 · Score: 3, Insightful

    My father works in an industry that uses a lot of PLCs and such. This is what he's told me:

    Quite often, even though the PLCs run on their own locked-down OS, the console to manage it is just a standard Windows desktop. Kind of logical - it's just to display what's going on, maybe issue manual commands, but it doesn't "run" the system. And they're *designed* to be connected only to the LAN, not have any physical connection to the Internet. But quite often, he comes into an installation site and sees that they've plugged that desktop into the Internet, just because it had a port for it (or so the techs monitoring it 24/7 can relieve the boredom, against all procedure). So they end up connected to the internet just because the off-the-shelf desktop the blinking-lights-display runs on has an Ethernet port.

    He's also told me pretty much everyone keeps the default password. Three fucking characters.

    Would it terrify you to know that many of the sites he works at are power plants, both coal and nuclear? He doesn't touch the "functional" parts, but it still says bad things about their approach to security.

  3. Re:Just an Iranian terrorist attack by Opportunist · Score: 3, Insightful

    Necessity is the mother of invention. That, or an article in the business newspaper your boss reads.

    My solution to that problem was simply to subscribe to the same magazines my boss reads, peruse them for articles supporting my case and get him to read them. Not only will he listen to them more than to you, he'll also think that you read "relevant" magazines and start listening to you, at least from time to time.

    I know it's silly. Hey, it's management!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:Yup by inasity_rules · Score: 3, Insightful

    On the other hand, when the SI password-protects the PLC so another SI can't get in and fix the system (because the first SI is now out of business), now we can get in and do it without re-engineering the whole system. Sometimes low security has benefits.

    90% of the security we implement is air gap. Once someone has physical access to the control panel, you've lost anyway; they could start swapping wires and pulling relays if they wanted. If the system must be on a network, we put it on a physically separate network, with at most one SCADA PC on both (because the client demanded it). Still, you can set up a nice secure(ish) system, and two weeks later the client's IT department has screwed it up completely.

    The major catastrophe you're waiting for is actually surprisingly unlikely. Sure a malicious person could cause a lot of damage, but from what I have seen people are more interested in stealing stuff than blowing it up. Why go to all the effort of destroying the mill on the goldmine when you could go to all the effort of smuggling gold out? They'd rather get on the internet to check their facebook, and once they realise the control PC is not on the internet they don't care anymore.

    --
    I have determined that my sig is indeterminate.
  5. Re:Enter Kaspersky by gweihir · Score: 3, Insightful

    Even if they could do it, very few ICS admins would switch to it. Most people there are responsible for stability as their most important attribute, and that means running a solution that has proven itself over and over and over again. Related to this concern is downtime: oftentimes these plants are running 24x365 schedules, controlling furnaces that keep ovens full of molten iron from freezing solid, which could destroy the oven. Shutting down a production line takes time and planning to prevent damage, and every minute that line is down, they are not making money.

    Indeed. What they actually need to do is to really isolate these control systems in the hard sense. I.e. no network ports, data import only manually, data export via CD-R or the like, clear message to employees that connecting any USB media, laptops, etc. will result in immediate termination, ...

    It can be done, even if it may require some people to suffer first, as Iran found out. They did execute the people that imported Stuxnet via USB drive. My guess is they will not have that problem again anytime soon.

    When there is a credible threat, they look at addressing the threat on an individual basis. Firewalls between the controller and the LAN. Epoxy in the USB ports. A locking cabinet around the CD-ROM drive. But replacing the core of the factory, on an unproven software package, just "in case" a hacker might target them? Not terribly likely.

    This is not enough. Firewalls are insufficient. They need to implement real isolation, i.e. only an isolated net may be used and that has to be very heavily protected. It will take quite some time for them to find out how to do that, although competent IT security people could tell them today. The problem is that they are asking the wrong questions and are looking for IT experts that understand their business, instead of looking for competent IT security folks.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.