Can a virus attack your PLC?

A lot more details in this than I had read before about this attack. Interesting/Scary. Is an actual virus which can enter the PLC itself instead of the PC software very far behind?
 
Man, the implications of that kind of virus are mind-boggling. Spooky stuff, indeed.

Can you imagine the nightmare for the technicians at an infected plant, trying to track down the crazy VFD behavior? I can picture the guy swearing to his boss that the machine has a "mind of its own" and getting laughed at.

Guys always joke about "ghosts in the machine". Yikes
 

Can you imagine the nightmare for the technicians at an infected plant, trying to track down the crazy VFD behavior?


NO, this would be a nightmare, you download a program and it's not the program you downloaded....

I now have two customers that are working in 'PLC Security', it's good for me as they are buying my trainers and part of the package is they leave them at the site for their customers.

The cool part is one of them shows you how it's done in the class and teaches you how to do it.... the best line of defense is knowing how it's done

I do think this is a good field to get into, they are both charging a premium and are booked solid

One simple thing is don't leave your CPUs in remote, it's easy for someone to change the program if they are left in remote, this will not stop anyone from changing your PLC software on your laptop but it will stop them from a pure hack job.
 
I think securing the controllers must be multi-layered, and then you can get away with REM PROG MODE in A/B PLCs, but only when necessary as in the PLCs are inside an Arc flash hazard cabinet and the downtime incurred is greater than the time it takes to load from EEPROM.

Having never dealt with Siemens PLCs and barely being able to follow a few threads here over the last gosh, six years; I feel falsely insulated from the Stuxnet type of attack.

I think revealing this much detail about the construction of the code...

The copycats are already underway. This is too much publicity. Maybe I have too much of a right wing attitude on the subject, but there is such a thing as too much public information.

I then imagine, what if something replaced a chunk of RSLogix, plus a stealth runtime version of ControlFlash, and secretly replaced the OS in my SLCs without ever dropping out of run...

And then remotely made my machines act up once every 27 days for a period of under an hour, right?

Yes, REM Prog is unwise even behind firewalls and V-Lans. I think I will propose that policy tomorrow to Mike and the Directors.

At least, we must monitor and alarm with the HMIs the actual status bits...I can add that to most of them in a few hours' work.

But, honestly, that is not enough...Memory sticks are a big tool in the chest, must we abandon those too?

What if the code merely established global remote mapping of all I/O and sat dormant for a few years, waiting for the terrorist, to press "Test Edits".

Skeery friggin chit indeed.

Paul
 
...Having never dealt with Siemens PLCs and barely being able to follow a few threads here over the last gosh, six years; I feel falsely insulated from the Stuxnet type of attack....

Hi Paul,

One of my customers does it with a MicroLogix 1100, so I am sure he can do it with a CLX or any other AB that is on the Ethernet network

That is part of his demo.... he sets up one of my trainers at his customer's site, then hacks into their network and changes the PLC program, this is with their firewall and security in place

I also made him a S7 300 and S7 1200 that he does the same with
 
Brilliant

Best read I have had for ages, quite frightening... They must have had loads of info on the actual system!!!
 
I guess I'd have to agree that there's too much publicity on this.

It's a fascinating story, but I could do w/o the details if it meant not letting some terrorist cell get ahold of some stuxnet source code. The next one might not be state-sponsored. And it almost certainly wouldn't be as well contained.

It's almost too bad that the virus was ever uncovered. Otherwise, how much more effective would it have been at its intended target? I guess it's a double-edged sword: the story exposes vulnerabilities that AB, Siemens and the other big guys will have to address, but it also plants the seed of other similar attacks in the cyberterrorist's hands.

I know one thing, there's always a big push at work to bring in things like ProcessBook, and other online apps with our PLCs so the boys at corporate can keep an eye on things w/o having to get on a plane. This is definitely going to reinforce my position against it.

Our programming CPUs have always been non-network, but what good is that if the PLC itself is hooked up to the internet?
 
Good read. Very similar to Season 7 of 24 regarding the "CIP" device. A system that allows an 'attacker' to breach a nationwide firewall in the US and control things like air traffic control, water treatment, power stations etc.

I think the need for PLC security is limited though to those 'high risk' installations such as nuclear facilities. The average production line will not be a target and, even if it was, the damage would be limited to a few packs of biscuits over the floor or a few smashed bottles of spirits etc...

I think there would be a good Matt Damon film in there somewhere... ;-)
 
Uptown I'd agree that high risk installations should be a priority just because of the risks if something goes wrong there, but I'm not so sure an "average production line" would be safe by virtue of being a small target. If I understand correctly, Stuxnet didn't just interfere with program operation, it was set up to break equipment (in this case, centrifuges?). When a bunch of companies decided to stop doing business with Wikileaks, Anonymous attacked those companies, primarily DDOSing their websites and whatnot, but with Stuxnet, the cat's out of the bag, and I can think of a set of targets that Anonymous might want to hit with a tool like Stuxnet. I wouldn't say it's a case of "everybody panic" but it might be a good idea to ask yourself where you're vulnerable, and take smart precautions. The other thing to remember is that script kiddies and other people aren't just white knighting causes important to them, some of these folks do things "for teh lulz", which is to say, they get off on being mean spirited agents of chaos.
 
Hi Paul,

One of my customers does it with a MicroLogix 1100, so I am sure he can do it with a CLX or any other AB that is on the Ethernet network

That is part of his demo.... he sets up one of my trainers at his customer's site, then hacks into their network and changes the PLC program, this is with their firewall and security in place

I also made him a S7 300 and S7 1200 that he does the same with

To what extent does he change the program? And to what extent is he able to cover up his mischief? Can simply going online identify that running program is not the same?

I read the article, I thought it was an extremely good read. It did actually comfort me, as odd as that seems. It did so because of how specific the system had to be for it to be effective. On top of that, because of the minor glitches it caused, it made it a headache for their maintenance to actually find the root cause of, and therefore get rid of. They were able to cover their tracks because they knew the specifics of the system they were running. They knew what they had to look for to consider the system a "target".

Because of the specifics, I know this is not a threat to any production system other than its target.

Certainly this does pose a threat to control systems, however what is the motivation? How much effort do you put in to cover your tracks? It's one thing to write a program and download it to some unknown controller and cause a plant shutdown (yes I realize process critical operations such as oil, gas, power this is a true security threat). But for other manufacturing/production operations this type of breach would be easy to find by maintenance and easy to fix. Sure a production time is lost, and it hurts a company but who would really know about it? Any ex-employee could plant code "bombs" and cause the same problems. I would think former employees would be the people with the motivation, not someone unknown to the process, who wouldn't know the full extent of their hacking... Now, if they could take down multiple controllers at a facility and create extended downtime that certainly raises the eyebrows higher, but again how does the end hacker see their reward?

It is certainly a topic that will grow, and people should keep educated as to what is out there, but at the end of the day there are hundreds of other threats a facility faces each day (power outages, ID10T, hardware malfunctions, management...) which are more likely to cause a dangerous or shutdown situation than a hacker.
 
To what extent does he change the program? And to what extent is he able to cover up his mischief? Can simply going online identify that running program is not the same?

I will see if I can get him to join in the conversation

Changing the program I think would be an easy fix IF there was no damage done by the program/process change, but watch the video... Siemens uses a software called S7, this virus changes the S7 software so you are screwed even if you know what is wrong with the program

however what is the motivation?

I would think in the end... money, look how many virus protection programs are for PCs, it's a huge business, what is the motivation for the bone heads making viruses for the PCs
 
