Master PLC Spoofing

Chuck Hoyt (Member; joined Jul 2005; Bakersfield, CA; 28 posts)
Hello all, I am NOT a PLC programmer (I am a wireless communications company) however, we work with plenty of them and I have a question regarding security. We have a water agency that is experiencing an attack on their system. They use Allen Bradley PLCs and use a licensed frequency MAS radio system. Someone is spoofing the master PLC and messing with the system. Does anyone know if there is any way to encrypt the serial data at each PLC? The serial radios are not able to perform any encryption. This is not a serial to Ethernet system, strictly serial RS232. Thanks for any suggestions!
Chuck
 
Do you have data traces that indicate spoofing? Or are you just guessing? I'm actually incredulous unless it's an inside job. These transmissions are not ASCII-based and it would take a real good programmer to figure out the protocol and then emulate it.
 
What is the nature of the attack?

Are they reprogramming the master PLC, or the slave PLCs?
Are they just manipulating data?
Are they pretending to be one of the slaves?
Are you SURE it's an attacker? There might be a bad node address in the system.

Can you give us some details? If we know what the attacker is doing, we might be able to find a way to cut him off.

AK
 
Yes, they believe it is an inside job. (And you would think they could figure out who the disgruntled employee or ex-employee is; I mean, how many people would have access to that much system info, right?) Someone with all the PLC addresses, proper programming, software, radios etc. With licensed radios, it is possible to basically insert yourself in front of the master, overpower it with approx. 20 dB more signal strength and take over operations. They haven't gotten into a lot of details and they are not looking to us to solve the problem, other than to help advise them on the radio side, but since wireless SCADA is what we do, I wanted to see if anything existed within the PLC community that you could do from a programming standpoint or a hardware solution to help prevent this type of event. From what I understand, with the proper equipment, anyone can intercept and sniff the serial data over the air; true, it would be trash to anyone but those who know what they are looking at, and only one who can decipher such data would do such a thing. Thanks for the response!
Chuck
 
I would first call the FCC and find out if they can help you catch this person. You did say the network is on a licensed frequency.

I would reconfigure the serial communications. I would change the baud rate, parity, stop bits. I would then change the address in all the remote PLCs and update the master PLC.

Then I would start looking into some Frequency Hopping Spread Spectrum modems.
 
I agree, Ethernet would help with the problem, in fact, we provide several flavors of Ethernet radios from 246Kbps to 150Mb radios, however, the problem is, the licensed serial radios are 5 watt radios versus 1 watt or lower for the Ethernet radios. They really need the power because of the terrain. Thanks!
 
Chuck,

I thank you for pointing out this prime reason for not using wireless systems.
 
Those are excellent suggestions! They will probably work for a while, until he sees junk when he fires up his protocol analyzer. Once he gets the "framing error" message he'll know to play with those settings. As far as the PLC addresses, are those not included in the transmission and therefore able to be sniffed out? As per FCC, your 900 MHz spread spectrum radios are limited to 1 watt and therefore cannot reach as far as a 5 watt licensed radio. I'll pass along those suggestions about the baud rate etc.! Thanks!
Chuck
 
Chuck,

Exactly what distance are you talking about, and what type of terrain?

It's complicated, but maybe you could add a rolling code to the PLC programs that the serial data would be filtered through. Each packet would contain a word in the data stream that would contain a value that would verify the data is from a legit source, and would also provide the decoding key for that packet. The "verification value" would rotate by extracting it from a number of predetermined memory data table locations in various orders. The intruder would be spending more time than it's worth trying to figure out the scheme, so he/she would likely give it up.
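As an added illustration of the per-packet verification idea in the post above (not code from any poster or from any PLC vendor), the following Python sketch authenticates each serial frame with a keyed hash and a monotonically increasing counter instead of the memory-table rotation scheme described; the key, frame layout, node address and payload bytes are constructed for the demo. A slave that checks frames this way ignores anything a spoofed master sends, since the spoofer can overpower the real master's signal but cannot produce a valid tag without the shared key, and cannot replay a captured frame because its counter is stale.

```python
import hmac
import hashlib
import struct

# Constructed demo key; in practice each master/slave pair holds a pre-shared secret.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 8  # truncated HMAC tag keeps frames short on a slow serial link


def build_frame(key: bytes, node_addr: int, counter: int, payload: bytes) -> bytes:
    """Frame = addr(1) | counter(4, big-endian) | len(1) | payload | tag(8).
    The tag covers addr, counter and payload, so an over-the-air sniffer
    cannot alter the payload or replay an old frame without detection."""
    header = struct.pack(">BIB", node_addr, counter, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Per-peer state kept on the slave: the highest counter accepted so far."""

    def __init__(self, key: bytes, expected_addr: int):
        self.key = key
        self.expected_addr = expected_addr
        self.last_counter = -1

    def verify_frame(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < 6 + TAG_LEN:
            return None  # too short to carry header plus tag
        addr, counter, length = struct.unpack(">BIB", frame[:6])
        payload = frame[6:6 + length]
        tag = frame[6 + length:6 + length + TAG_LEN]
        if len(payload) != length or len(tag) != TAG_LEN:
            return None  # truncated frame
        expected = hmac.new(self.key, frame[:6 + length], hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged, or modified in transit
        if addr != self.expected_addr or counter <= self.last_counter:
            return None  # wrong source address, or replay of an old frame
        self.last_counter = counter
        return payload
```

A real deployment would also need a way to resynchronize the counter after a slave power cycle, which the sketch omits.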
 
Hey, hey!

Check this out:

http://www.dcbnet.com/datasheet/se6600ds.html

It might be just what you're looking for. It's a hardware encryption solution for serial connections. Here's a quote from their site.

"The SE-6600 may be used point-to-point, linking two separate remote sites with radios, leased lines or dial connections, one port used for the connection, the other port for the user equipment. The SE-6600 can also be used on point-to-multipoint links. The SE-6600 is especially attractive for use over multipoint radios where high security is desired."
 
Technically not enough information was provided.

Personally I would be amazed if someone, (ex)employee or not, could/would do this. Think about what would be needed; this definitely "limits" the field. I reckon someone is sitting in their car, down the road, with all that just so they can disrupt production for a few minutes!

Another thought: Has anyone checked for "crosstalk"?
As Jay mentioned are data traces being done?

I bet it's more of a problem with some aspect of the system, and the newest technology (the radios) is getting the blame.
 
Tark said:
I would first call the FCC and find out if they can help you catch this person. You did say the network is on a licensed frequency.

We had to catch our own "jammers" when I was heavily involved in public safety communications.

The famous "white vans" of olden days, are mostly a fond memory now.

I hear of the FCC actually nailing someone occasionally in the big cities, usually with a lot of help from hams and licensed techs.

If you have TV interference from someone, maybe your states attorney can help.

If you try explaining PLC interference to a local field office, good luck.

As far as the 20 dB signal increase: if the PLCs are tied into a low-powered modem unit, then a nearby 5 watt portable, or a cheap 25 watt mobile nearby, could easily do some damage. Now that radios are easily programmed, anybody could get one.

Does this happen during a particular shift? Is there any pattern?

Could it possibly be a strange intermod mix, or a spur from some local transmitter, repeater, or broadcast station?

regards.....casey

PG-18-34290
Central Illinois Radio Interference Committee Liaison
 