PLC Virus

Okay, I have to ask.......anyone heard of any virus, worm, mal-ware of any sort that propagates over a control network (primarily Ethernet) and targets PLC processors/memory? With the exponential progression of Ethernet into control systems, I have to ask. I have not heard of any.

Greg

SHHHH...None that I'm aware of, yet....let's hope it stays that way....
David

Don't scare us.
steve

I dobut it. PLCs are too simple & varied, wich in turn makes them more diffuclut to infect, not disregarding the investment in hardware and know how etc..

You could infect a PC based HMI computer and alter data in the PLC that way.


I think it would be difficult if not impossible to propagate a virus written for the PLC itself.

Viruses are one of the things that scare me away from soft PLCs. The stability of Windows is another one. It comes down to the same thing: Windows is the most spread virus after all .

Kind regards,

Lets not give anyone any ideas.

I never heard about this but getting this question at least once a week.
Rockwell's response for ControlLogix platform something like this:
Virus can attack ENBT module, but to get to the processor it must travel over a backplane.
Because backplane supports only CIP communications, virus will not be able to attack processor or I/O modules directly.
Backplane acts as a firewall.

I think it is almost unlikely that someone will write CIP compatible virus.

just give it time

with the ever growing memory size and functionality of embeded chips, it's only matter of time...

There is an argument against Linux and Apple that says the only reason they are not subject to virus attacks is they are not as popular as windows. Virus writers want to cause as much havoc as possible, and get their names in the news, so they write for the biggest platform for largest destruction.

Now, if any of these Sith punks ever realized how much sheer havoc they could cause with a virus that attacks PLCs - something that affects the real world, not just the virtual one - it would be havoc on a totally new order.

It's probably only a matter of time, and somebody leaking a Rockwell OS source code, before we get hit hard...

TM

If....

Some PLCs have their operating systems in flash so the operating system can be update. If someone were get the binary image and patch it so the checksum is still valid, it could be downloaded and run. To do this one would need to disassemble the binary code into assembly language so an intelligent virus could be patched. It would also take some work to figure out how to make the checksum match. After all of that, one would need to log on to a network with PLCs and use the flash update program to download the modified firmware.

This would be a lot of work to infect a few PLCs of a certain type at a certain location. This could be done as sabotage at a plant. I don't see how it could spread.

Virus-like Programs

The only Virus or malware on PLCs Ive seen is programming that intends to fault a PLC Processor, or display nasty messages on display boards or HMIs. This subroutine can be hidden and can be very hard to find. People can do strange things when they feel they have been wronged.

If you knew enough about the communication protocols used it would be possible to write a virus that spreads to PLCs. But, it would be much easier to attack the network that the PLC is on, especially an Ethernet network.

If you know enough about the PLC to be dangerous, why wouldn't you just trash the program in it instead of wasting your time on a virus?

I don't think there is much of a danger of a virus being unleashed on the PLC world. As has already been mentioned, these script kiddies who write this **** are trying to cause the maximum damage possible. A PLC virus would only attack one machine or one production line or, at worst, one production plant. PLC's aren't all interlinked (in general) like computers on the world wide web.

If it was a disgruntled employee, they would more likely to just ruin the PLC program, or plant a bit of code that would execute after they'd left etc etc. Even then, most companies keep software backups and they would just reload the software and things would be back up and running.

Unlike a computer, there is (generally) no sensitive information on a PLC for someone to get hold of. Still... you never know...

I'm not prepared to rest easy just yet.

At the risk of sounding like I'm picking on them, I'm going to hold AB up as particularly vulnerable, because their Integrated Architecture push is creating an environment where this could take place. Large companies like Ford and such are increasingly signing on to this micro-management approach, creating direct links from the boss' desktop to the production equipment.

So let's get hypothetical here - an imaginative hacker targets a particular company. He knows he can get in the news by screwing up the internet, but also if an entire GM facility destroys itself. So he hacks into the plant LAN with a virus that infiltrates Factorytalk, reads the tags (I caught a virus once that got my entire Outlook Address book) and starts forcing on random outputs across the entire facility, making machinery smash itself, or possibly the operator. Could cost millions.

Now, I hold up AB for one other reason - I think they are aware of this. Every release of FactoryTalk has gone overboard pushing it's integrated security, so they must be conscious they are themselves creating this widespread risk.

The potential exists, and the threat is real. It's only a matter of time.

TM