Old February 27th, 2021, 03:44 PM   #1
the_msp
Lifetime Supporting Member
United Kingdom

Join Date: May 2008
Location: Northern Ireland
Posts: 979
Rockwell security vulnerability

I saw a post over on IA; https://forum.inductiveautomation.co...ut-of-10/43904


Didn't see one here, if a duplicate topic please link to other thread and we can delete this one.
__________________
Regards,

Patrick G. B.Eng MIET

Making the flashy lights flash since the 90's

SCADA - Inductive Automation Gold Integrator | PLC | Control Panels | Robotics | Training

Connect with Matrix Engineering
Old February 27th, 2021, 09:36 PM   #2
_Dock_
Member
United States

Join Date: Sep 2015
Location: KY
Posts: 478
Should it happen? No. But, stupid is as stupid does.

It’s been discussed on here before but the “S” in IOT stands for security.
Old February 28th, 2021, 04:54 PM   #3
I_Automation
Member
United States

Join Date: Jun 2020
Location: Detroit, Michigan USA
Posts: 531
I just got an email from RA about it


KB article says to put the key switches in RUN as there's nothing that can be done. [don't have the email at home or the KB#, but it was Level:Everyone]



Going to have to be firmware updates for every version of the entire family.
Old February 28th, 2021, 05:04 PM   #4
Phrog30
Member
United States

Join Date: Dec 2006
Location: Montgomery, Alabama
Posts: 781
Quote:
Originally Posted by I_Automation View Post
Going to have to be firmware updates for every version of the entire family.
Which RA will force users to pay for.
Old February 28th, 2021, 05:32 PM   #5
PreLC
Member
United States

Join Date: Apr 2019
Location: Mars
Posts: 337
Are you folks using FactoryTalk Security anyways? I integrated that into my plant a year ago and whenever I talk to external controls engineers I find that this feature isn't used in the first place...
__________________
Ask not what your PLC can do for you, ask what you can do for your PLC.
Old February 28th, 2021, 05:51 PM   #6
VAN
Member
United States

Join Date: Apr 2012
Location: Wa
Posts: 423
Quote:
Originally Posted by I_Automation View Post
I just got an email from RA about it


KB article says to put the key switches in RUN as there's nothing that can be done. [don't have the email at home or the KB#, but it was Level:Everyone]



Going to have to be firmware updates for every version of the entire family.
Doesn't following NIST standards negate the security risk? Also, if your production network has internet access you're already WAY behind.
Old February 28th, 2021, 06:43 PM   #7
I_Automation
Member
United States

Join Date: Jun 2020
Location: Detroit, Michigan USA
Posts: 531
Quote:
Originally Posted by VAN View Post
also if your production network has internet access you're already WAY behind.

I have customers that demand immediate online diagnosis, and programming sometimes.


The number of CLX PLCs out there that are not going to be disconnected, put in Run mode and probably not get a firmware update has to be staggering - and mouth-watering to a hacker.


Friday I told one customer about this (that has a CLX run line online & keeping it that way) and he said hackers only go after the big guys and military or government sites. I told him those sites are pretty well protected and hackers do like to test their skill on small, unimportant targets.
Old March 1st, 2021, 01:21 AM   #8
PreLC
Member
United States

Join Date: Apr 2019
Location: Mars
Posts: 337
Quote:
Originally Posted by I_Automation View Post
I have customers that demand immediate online diagnosis, and programming sometimes.

Were you authenticating yourself with FactoryTalk Security when you remotely logged on in the first place? I know this has a 10/10 on the vulnerability scale, but barely anyone I know uses this feature set in the first place; especially small businesses are far from being able to do it at all, because of a lack of server infrastructure and AssetCentre cost being restrictive.
__________________
Ask not what your PLC can do for you, ask what you can do for your PLC.

Last edited by PreLC; March 1st, 2021 at 01:50 AM.
Old March 1st, 2021, 01:28 AM   #9
Saffa
Member
New Zealand

Join Date: Feb 2012
Location: Bay of Plenty
Posts: 1,199
VPN, firewalls, whitelists. Yes, it's not perfect, but it sure does reduce the risk.
Old March 1st, 2021, 11:26 AM   #10
VAN
Member
United States

Join Date: Apr 2012
Location: Wa
Posts: 423
Quote:
Originally Posted by I_Automation View Post
I have customers that demand immediate online diagnosis, and programming sometimes.


The number of CLX PLCs out there that are not going to be disconnected, put in Run mode and probably not get a firmware update has to be staggering - and mouth-watering to a hacker.


Friday I told one customer about this (that has a CLX run line online & keeping it that way) and he said hackers only go after the big guys and military or government sites. I told him those sites are pretty well protected and hackers do like to test their skill on small, unimportant targets.
I would just make sure you have it documented that you told them what they need to do. Because if they get taken out, they will see you as the problem, not the person that told them it was an issue. When doing R&D I always had them disconnect the physical Ethernet connection, but it was an internal project through a VPN to a remote workstation.
Old March 1st, 2021, 11:44 AM   #11
Geospark
Lifetime Supporting Member
Ireland

Join Date: Feb 2012
Location: Kildare
Posts: 3,011
CVSS v3.1 Base Score: 10.0/CRITICAL

Yeah, got an email on this last week. Wasn't sure whether to share it publicly but here we are. Rockwell, what a clustersmuck you can be?...

ID: PN1550 | Access Levels: Everyone
Authentication Bypass Vulnerability Found in Logix Controllers

Definitely agree with Saffa. At a minimum, no industrial based controllers should be outwardly facing the Wicked World Web. Defense in Depth approach is a must really. The more layers the less likely they are to persist in trying to reach these controllers.

G.
__________________
"A little nonsense now and then is relished by the wisest men".
Old March 1st, 2021, 11:59 AM   #12
harryting
Lifetime Supporting Member
United States

Join Date: May 2002
Location: Puget Sound
Posts: 2,319
I saw this on ars technica:

https://arstechnica.com/information-...-10-out-of-10/

and I was like, so? If you put the PLC on the internet without protection you are already in trouble and, like others mentioned, very few people use FT security.

btw. My personal philosophy is that if a remote connection has the ability to change programming then there needs to be an "analog" verification step, like physically throwing a switch or connecting a cable on-site.
Old March 1st, 2021, 12:45 PM   #13
I_Automation
Member
United States

Join Date: Jun 2020
Location: Detroit, Michigan USA
Posts: 531
Quote:
Originally Posted by VAN View Post
I would just make sure you have it documented that you told them what they need to do. Because if they get taken out, they will see you as the problem, not the person that told them it was an issue. When doing R&D I always had them disconnect the physical Ethernet connection, but it was an internal project through a VPN to a remote workstation.
Did that C.Y.A.

Thanks for the suggestion
Old March 1st, 2021, 03:12 PM   #14
mk42
Lifetime Supporting Member
United States

Join Date: Jun 2013
Location: MI
Posts: 2,694
Quote:
Originally Posted by harryting View Post
btw. My personal philosophy is that if a remote connection has the ability to change programming then there needs to be an "analog" verification step, like physically throwing a switch or connecting a cable on-site.
The VPN/Remote Connection best practice that I've always seen is to have a key switch that enables/disables the remote connectivity. Best method is to use an input on the VPN device configured to only enable the VPN when the input is on. 2nd best method is the brute force: cut power to the VPN device unless it is needed. Bad option is to send the pairs of the Ethernet cable through a relay; that can add noise/etc.

I've also seen a pushbutton going to a PLC which then starts a timer and sends a signal via an output to do one of the above.

Seems to strike a good balance between "OEM can support" and "End User is in control".