SLC5/04 Password

vettedrivr

I recently started work for a new company. They have a machine controlled by a SLC 5/04 PLC. The processor is password protected. The company that built the machine is now out of business. My fear is that one day the processor will fail and that will be the end of the machine. We do not have a copy of the offline program. Is there a way of getting around the password to be able to get a copy of the program so we can keep it in storage in case of a processor failure?
 
If you do a search of "SLC password" on this site, you'll see that many have asked this same question and this type of info is taboo here. Contacting your A-B rep for assistance could be a step in the right direction.
 
There was a similar question asked on this site. You should take a look:
http://www.eng-tips.com/viewthread.cfm?qid=51805

As for the backdoor password... If everyone knows, and it's google'able, what's the point of not posting it? Fundamentally, that password allows anyone with access over network or physically to alter the PLC program without your knowledge or consent. We should be ticked, not enabling backdoor passwords to continue as standard practice.

Mike
 
Modern controllers don't have backdoor passwords, at least not ones from RA.

Do you want them to go back 20 years and redesign the SLC-500 operating system?

Set the OEM Lock Bit, write-protect the S2 Status file, turn the keyswitch to RUN mode and remove it from the controller. Done.
 
Is there a link to a Rockwell or AB document describing how to protect the controller from unauthorized use as you describe? I'd like to recommend it to clients, if the protections prove to be accurate under test.

Mike

Full Disclosure: I work for a company that does cyber security for industrial controls, so my views may be influenced by my experiences.
 
Ken - Unfortunately you can't do that if you want to use features in FactoryTalk. And a lot of SCADA systems can't live with the keyswitch solution. They need to be able to program remotely.

Your solution essentially neuters a lot of features rather than secures them.

And by the way, you can still send a Stop CPU command or other nasty things even in the config you suggest. There are Metasploit modules to do this.

Project Basecamp hopefully put to rest any doubt that "modern controllers" are insecure by design.

Some of the vendors are working on real security solutions; it will be accelerated if customers ask for them.

Dale
 
Ken - Unfortunately you can't do that if you want to use features in FactoryTalk. And a lot of SCADA systems can't live with the keyswitch solution. They need to be able to program remotely.

Your solution essentially neuters a lot of features rather than secures them.

Dale

I was not aware that Factory Talk (HMI) or a SCADA system could program a PLC. Can you please explain?
 
As for the backdoor password... If everyone knows, and it's google'able, what's the point of not posting it?

Because the owner / provider of the forum has asked us not to. This includes the link you posted which was not cool.

If people are not smart enough to use Google on their own then they need to pay Rockwell to come and unlock the PLC for them.

Don't post links like that on this forum please.
 
I receive certain bulletins and newsflashes from AB on a regular basis. This one I remember getting earlier this year.
It's somewhat irrelevant to the OP's question, but relevant to the discussion.

66684 - Client Software Authentication Security Vulnerability in PLC5® and SLC™ 5/0x Controllers

Access Level: Everyone
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/66684

Note the reference, as Ken mentioned, to turning the processor key to the RUN position where possible to avoid communication vulnerabilities.
Also the use of Static Protection of Data Files to prevent changes to their address values over communications.

I also wanted to point out the password encryption option that was added to RSLogix 500/Micro at version 8.40 and above.

SLC/MicroLogix Unencrypted passwords are up to 10 digits numerical (0-9). Encrypted passwords are up to 10 alphanumerical characters (0-9, a-z, A-Z) and must include at least one letter.

Encrypted passwords do add a little bit more security apart from being harder to crack. As some of you may be aware, Unencrypted numerical SLC/MicroLogix passwords may be 'found' using certain 'methods', which I won't publicly divulge. However, if you use the Encrypted password option, they cannot be found using the aforementioned 'methods'.

G.
 
Thanks very much for that Knowledgebase link! It's nice to see that glaring security hole patched for the SLC/MicroLogix family controllers and RSLogix 500.

I want to clarify something I said earlier; I never claimed that ControlLogix is "secure by design" or inherently secure in every way. I said that there is no backdoor password in the controller, because there is no backdoor password in the controller.

I got a brief explanation from my local RA office of a new model of ControlLogix Ethernet module that includes an onboard encryption engine. Interesting stuff.
 
