Malware in a PLC?

This is a huge topic actually. How to put contracts together to the satisfaction of buyer and seller. It is also a real problem if each contract is different from each other. You can spend weeks negotiating just what must be in the contracts, not the real stuff like what has to delivered, when and what it shall cost.
Because of that there are standards that can be referred to and which are usually known to both parties. One such is Orgalime which we use:
https://licensing.orgalime.org/index.php/publications/en/?PHPSESSID=g9d9lvr28npilfer84hl9ne3r1
So referring to this in the contract simplifies it a lot.
 
JesperMP said:
I can see your argument, but it would be unacceptable for us.
One thing is payment, the other thing is responsibility of safety. Until takeover, we are responsible for the safety. After takeover the buyer is responsible for the safety (not including safety issues due to design or construction).
It would be unacceptable for us that we would be responsible for a machine in operation at a customer, and we would be liable if an accident happen due to the customers own negligance.

I imagine that if a customer would demand something like you descibe that, we would offer that 1% of the contract sum would be dependant on the final documentation.
But we would never accept to allow the customer using the machine without taking over the ownership and responsibility of safety.
Click to expand...




The amounts can change from customers to customers but we generally have something like that in France:


30% paid at the order
20-30% paid at the end and validation of the development
30-40% paid at the end of the installation and the start of the production. It is called provisionnal acceptance or reception.
10% when every points remaining are solved and sometimes it can last a long time since the customer will nitpick everything to delay paying the final amount and ask for things that were not in the initial scope.



It can take up to 6 months, one year, or sometimes more to recover these last 10%. The customer has full responsability of the safety of their site and machine once the production has started.
 
I did a job a few years back with a know bad payer.
Nobody would touch them.
I had sacked them long before for an unpaid invoice.

They had a huge panel that was breaking down nearly every day
They had the cheek to ask me to supply and build a replacement.


I gave them a price double of what it would normally be and insisted on 50% up front.
That 50% actually covered everything.

They paid that and I installed it during the Christmas break.
A little bird told me they were filing for bankruptcy - so I had double reason to set a time bomb.

Sure enough, they went bankrupt on Dec 31st and started as a different company Jan 1st. Same people, same machines.
My debt was now with the administrators.

I had told them 'any funny business and the machine will stop.

The machine did stop and some wrangling ensued.
But in law, they had bought back their machinery in a 'as is' state.

The administrators told me there was no chance of me recovering my debt from the old company as they owed more to the inland revenue that the assets were worth.

So it came down to my price to make the machine work again for the new company
That price was the second 50%
They paid by bank transfer and I then told the to press and hold a certain button on the hmi for 20 seconds and it would permanently reset.
 
If they are demanding ransom. Then call there bluff and advise them to collect the equipment and you will go somewhere else (ripping out at there expense). Any company that uses blackmail is untrust worthy and won't be allowed back on site anyway because they could subsequently damage the machine.
 
Ronnie Sullivan said:
told the to press and hold a certain button on the hmi for 20 seconds and it would permanently reset.
Click to expand...

Bet they feel ripped off for a simple fix.

I would have required a specific value be entered in something that was out of range (say, temperature 1 setpoint set to 32678, then it will clear and leave the setpoint where it was)

Or give them a list of quite a few specific steps that really do nothing, then hold that button.
 
James Mcquade said:
goghie,


I got into this business in September 1986, and in all that time there are contracts with payment clauses and terms. Sometimes the payments and clauses, contract terms and scopes of work gets changed, again it's on paper.
in the original post, the terms were spelled out and there is a warranty issue, that's when the vendor demanded an immediate payment. To me, that's a red flag. this is when you dot every I and cross every t and triple check all paperwork. just my opinion.
james
Click to expand...


I am with you here. And on top of all that, we add bonds to our contracts. These only get paid out to the supplier once the guarantee period have run out, or to us, if we are legally entitled to it. But a supplier can't request a bond payout before the term.

I don't have the full story of what happened here, or why the supplier decided to walk off site and demanded payment. But if he did install some malware or time bomb, it was premeditated. So he knew things were going south.



And just to answer some other comments, the "machine" is a small processing plant. It is the code that ties everything together, so telling him to "take" it will not work. The plant is either running with the supplier's code, or they had to get someone else in to get the code working. I will see if I can get some more info.
 
Steve Bailey said:
I've always figured that when you find yourself seriously considering things like logic bombs in your code for some of your customers, it's time to start looking for a better class of customer.
Click to expand...


This. I wouldn't deal with anyone who considers this as good practice and I certainly wouldn't do it myself. Commercials and Politics are not Engineering.
 

Similar Topics

geniusintraining
Sality malware ?
More hack issues on PLCs The Hacker News: Hackers Distributing Password Cracking Tool for PLCs and HMIs to Target Industrial Systems...
Replies
1
Views
1,249
Robb B
R
celichi
Schneider, Omron targeted by electricity grid malware
https://www.digitaljournal.com/pr/schneider-omron-targeted-by-electricity-grid-malware If you are using these PLCs, you may want to dig into this...
Replies
2
Views
1,688
harryting
H
A
OT: PIPEDREAM malware
Anyone else heard of PIPEDREAM? Is it a real threat or hype? What can we do to protect control systems from malware (other than refusing to...
Replies
5
Views
2,496
A_G
A
M
Risanare il pc dopo un attacco virus o malware
Salve ragazzi... questa volta non so proprio da dove iniziare... ho bisogno di un immensa mano.ù volevo sapere cosa si deve fare per risanare il...
Replies
4
Views
2,623
Monaci
M
F
Anti Virus-Anti Malware on Control Systems
We have been using a commercial Enterprise version of Anti-Virus, Anti-Malware, etc. on our Citect control system for four years now, and have no...
Replies
7
Views
4,412
FLAengineer
F
Back
Top Bottom