Can a virus attack your PLC?

Now, if they could take down multiple controllers at a facility and create extended downtime that certainly raises the eyebrows higher, but again how does the end hacker see their reward?

Industrial sabotage can be a reason someone would develop as in the case of the article, I agree it also made me feel better the fact that it wasn't caused by random events rather than them planning it specifically, it does however open up a whole new can of worms to what extent random hacks can affect system operations...

Hackers are known to do attacks albeit only for recognition from their peers. I'm sure there is a massive amount of "Black Cap" hackers that could easily make this a profitable trade

Rheinhardt
 
Ok ... so it appears I have been pulled in to this discussion :). I think I am going to respond briefly and then let anyone fire questions at me rather than incorrectly address anything so far.

1. The course that was mentioned to instruct a variety of entities (asset owners, regulators, auditors, cyber security professionals, field techs, engineers, executives) of the challenges within control system environments. I can elaborate more on this if there is interest.
2. My specific background was cyber, then 13 years full time cybersecurity then 6 years ago pulled in to the Bulk Electric System to deal with SCADA/CS cybersecurity issues and the NERC CIP requirements. After dealing with this and still working through it I found it necessary to create some training to help everyone understand the risk.
3. What do we go after in the 2 day training - the PLC, the HMI, OPC or the communications between them. Essentially none of them really run any traditional security controls by default (eg. anti-virus, trusted sessions, firewalls, etc) so it sadly is not very hard.
4. What do I mean by not very hard - well, I have attempted to mimic the 2006 DOE/INL Aurora study. In April I ran the class CNS 366/466 at DePaul University using undergrad and graduate students to see if I can take raw control system and cybersecurity people and have them break in. See http://www.controleng.com/single-ar...l-networks-and-cyber-security/ed80ef8d31.html

5. I am now running the commercial version of the course - see http://cybati.org

I will address questions as you have them - we have lots of work to do and I want to help and you can take the class too. But - foremost I want to help.

Matt Luallen
 
I work in the oil and gas industry and this is a big risk. Someone with knowledge wouldn't even have to launch a cyber attack to cause some major damage.

Most facilities are on segregated SCADA-only networks, but with multiple facilities on each network via radio link. It would only take someone with bad intentions to cause environmental harm. But really, this isn't just in regards to PLCs and automation systems. There are many unmanned facilities in the Gulf of Mexico which someone could sabotage just by driving up by boat.
 
but with Stuxnet, the cat's out of the bag, and I can think of a set of targets that Anonymous might want to hit with a tool like Stuxnet. I wouldn't say it's a case of "everybody panic" but it might be a good idea to ask yourself where you're vulnerable, and take smart precautions. The other thing to remember is that script kiddies and other people aren't just white knighting causes important to them, some of these folks do things "for teh lulz", which is to say, they get off on being mean spirited agents of chaos.

Stuxnet was all or nothing, and now that the "cat's out of the bag," is completely neutered and useless.

It used 4 zero day exploits (rare and valuable) and targeted a specific type of system that was well understood by the attackers. It used multiple layers of encryption to obscure its purpose and some bits of it still haven't even been decoded. The level of sophistication is incredible. They had an expert in Windows vulnerabilities, an expert in Step7 to PLC communications, and knew enough about the target system that they were sending Profibus commands to specific types of drives when they detected the right conditions.

This ain't script kiddie **** that can be used over and over "for teh lulz." While I agree with your assessment that it would be smart to consider cybersecurity measures to protect your control systems, the notion that the /b/tards are going to be taking down automated facilities all over the globe based on Stuxnet is absurd at best.
 
Monkeyhead, I may have phrased what I meant poorly, and for that I apologize. Stuxnet itself was a one shot weapon, designed with a specific target in mind. So, no, no one is going to be using Stuxnet for anything else. When I said the cat's out of the bag, I meant the idea of attacking the automation portions of plants. Your use of /b/tards highly suggests you know about the kind of people I am speaking of, so would it be fair to say that some of them might try something that isn't as sophisticated as Stuxnet? I highly doubt that the results would be global, but I wouldn't want to be at that one facility where they got lucky.
 
I will see if I can get him to join in the conversation

Changing the program I think would be an easy fix IF there was not damage done by the program/process change, but watch the video... Siemens uses a software called S7, this virus changes the S7 software so you are screwed even if you know what is wrong with the program



I would think in the end... money, look how many virus protection programs are for PCs, it's a huge business, what is the motivation for the boneheads making viruses for the PCs?

But in order to screw up a process, you have to have some idea of what you need to do to break it. In this instance it used vulnerabilities in Step7 and it was so sophisticated it could mask its operations. But, it could only mask itself because they knew what to mask. It clearly needed to know multiple variables in order to do damage. The creators clearly understood what equipment Iran was using for its process. I think the equipment is even documented in the article. Because the creators knew the equipment being used, they knew what to break, and how to break it.

For OEMs that's a big eye opener. For SIs and "one-off" systems, it's more complicated to determine what to "break".

I can't imagine what it would take to build code that could "learn" a process, differentiate "critical" and "non critical" processes, and determine how to "break" a process, and at the same time masking what was really going on.

Even if the hacker just cleared the PLC memory, put the PLC in program mode, or re-downloaded...how is that sudden stop much different than an emergency stop situation?

I agree, money is a motivator. Gain valuable knowledge and sell it. Like PC viruses and malware that track your data entry hoping to capture personal info...then sell it. Now, if someone wanted to hack into Coca-Cola's automation system to acquire the recipe for Coca-Cola, that's value. But only if you keep it quiet until you can sell the recipe. No money if you just break their system...
 
Ok ... so it appears I have been pulled in to this discussion :). I think I am going to respond briefly and then let anyone fire questions at me rather than incorrectly address anything so far.

1. The course that was mentioned to instruct a variety of entities (asset owners, regulators, auditors, cyber security professionals, field techs, engineers, executives) of the challenges within control system environments. I can elaborate more on this if there is interest.
2. My specific background was cyber, then 13 years full time cybersecurity then 6 years ago pulled in to the Bulk Electric System to deal with SCADA/CS cybersecurity issues and the NERC CIP requirements. After dealing with this and still working through it I found it necessary to create some training to help everyone understand the risk.
3. What do we go after in the 2 day training - the PLC, the HMI, OPC or the communications between them. Essentially none of them really run any traditional security controls by default (eg. anti-virus, trusted sessions, firewalls, etc) so it sadly is not very hard.
4. What do I mean by not very hard - well, I have attempted to mimic the 2006 DOE/INL Aurora study. In April I ran the class CNS 366/466 at DePaul University using undergrad and graduate students to see if I can take raw control system and cybersecurity people and have them break in. See http://www.controleng.com/single-ar...l-networks-and-cyber-security/ed80ef8d31.html

5. I am now running the commercial version of the course - see http://cybati.org

I will address questions as you have them - we have lots of work to do and I want to help and you can take the class too. But - foremost I want to help.

Matt Luallen

Welcome to the forums and thanks for chiming in!

Can you elaborate on #4? How do you define the "breaking" of a raw control system? How does an end user recover from this "breaking"?
 
But in order to screw up a process...

How about if they do it to a newer system, like a ControlLogix....

They hack into the system, search for active nodes...they find a node and upload the program, on the program upload they notice a tag "fire_suppression" so... let's turn that off, also see the tag "tank_pump", let's delete all of the logix before that.... and one more.... well you get the point

I would not need to know the system to screw up their plant, if they are in remote program they are going to have a bad day
 
Siemens uses a software called S7, this virus changes the S7 software so you are screwed even if you know what is wrong with the program


This could just as easily be RSLogix or Unity Pro or any other PLC programming tool, in this instance the target was controlled by Siemens, had the Iran plant been using Control Logix then that would have been hit.

The virus starts in the Windows controlled environment, takes control of the information passing between the Windows environment and the PLC and then modifies the PLC code and as it controls the Windows environment, thus controls what you can see on-line.

As said.. scary.
 
I understand where you are coming from, and yes you could cause a bad day, but what you are talking about involves a lot of human intervention. Not a virus or malware. In your example YOU break their system, maintenance determines that the PLC got hosed "somehow", they download the correct program and fix anything else and it's just another day at the office. You cause financial damage to the company, but you gain nothing but the joy that you know how to change PLC code...so where is the motivation? That goes back to my ex-employee comment.

Malware/Viruses do things automatically. They spread automatically, they do the dirty work automatically. Stuxnet could do what it did automatically because it knew what to look for.
 
..... Not a virus or malware. In your example YOU break their system, ....

Malware/Viruses do things automatically. They spread automatically, they do the dirty work automatically. Stuxnet could do what it did automatically because it knew what to look for.

Agree.... point taken
 
Stuxnet was targeted to protect everything else. What's to stop some cyber punk with a grudge against any particular company to launch an unrestricted attack? He|| they don't even need motivation ... think of LulzSec and Anonymous ... Wikileaks ... When these hackers get a taste of real destruction? Don't fool yourself, they will be flocking.

Think of the first time you wrote a program and started a machine and it performed beautifully, and that awesome feeling of pride of your design and power over the machine got you into this field? Hackers will eat that schtuff right UP...
 
Think of the first time you wrote a program and started a machine and it performed beautifully, and that awesome feeling of pride of your design and power over the machine got you into this field? Hackers will eat that schtuff right UP...

I agree, I tend to think for a lot of them it is about the pride involved, showing their "peers" what they are capable of doing!!!

In the end it will come down to that individual's knowledge of that specific system, I don't know of any one individual with the capabilities of realizing a complete software attack like this. Some in either aspects of the software yes.

But get a hacking expert and a system specialist together that share a mutual cause, oh dear!!!!
 
I agree with Paully's in that I think it would be very difficult for a PLC 'hacker' to do any real damage unless they were very familiar with the process.

They could delete the PLC program. They could mess with Datablocks etc but they couldn't target a specific part of the program that would cause damage without understanding the process intimately.

In the case of Stuxnet, it deployed some datablock on the system (something like DB706 if memory serves) and it targeted a specific type of drive and ONLY if that drive was running at a certain frequency etc etc. Stuxnet was designed to pinpoint a certain process.

Any other worm that was designed to be a more generic attack would struggle to 'mask' itself as it wouldn't know what effect its payload would have. Setting every marker bit from 0.0 to 100.0 would affect one machine differently to another. Without this specificity then the worm's effect would be sporadic to say the least.

Again, as Paully said, the chances of a worm doing any more damage than a plant power outage for instance, would be remote (in my humble). Although, it is obviously still very important that we understand that this capability does exist and then if problems start appearing such as code getting mysteriously changed etc then we know to consider the possibility of a worm attack...
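One way to act on the "code getting mysteriously changed" cue in the post above, as an added example that is not from any poster in this thread: compare a controller's current block inventory and mode against a known-good baseline. Block names, block contents and mode strings are constructed, and the snapshot is assumed to be exported over a path that does not rely on the engineering workstation, since an earlier post notes the malware controlled what could be seen on-line from there.

```python
import hashlib

def digest(block_bytes: bytes) -> str:
    """SHA-256 of one exported block (logic or data block)."""
    return hashlib.sha256(block_bytes).hexdigest()

def snapshot(mode: str, exported: dict) -> dict:
    """Reduce an export to the reported mode plus one digest per block."""
    return {"mode": mode,
            "blocks": {name: digest(data) for name, data in exported.items()}}

def audit(baseline: dict, current: dict) -> list:
    """Return (kind, detail) findings; an empty list means no drift."""
    old, new = baseline["blocks"], current["blocks"]
    # Blocks nobody on site downloaded, e.g. an unexpected data block.
    findings = [("ADDED", n) for n in sorted(new.keys() - old.keys())]
    # Blocks that were deleted from the controller.
    findings += [("MISSING", n) for n in sorted(old.keys() - new.keys())]
    # Blocks whose content no longer matches the approved version.
    findings += [("CHANGED", n) for n in sorted(old.keys() & new.keys())
                 if old[n] != new[n]]
    # A controller left in a program mode accepts edits over the network.
    if "PROG" in current["mode"].upper():
        findings.append(("MODE", current["mode"]))
    return findings

# Constructed sample data: the approved program and a later export.
BASELINE = snapshot("RUN", {
    "OB1": b"main cycle v12",
    "FC10": b"pump interlock v3",
    "DB20": b"setpoints v7",
})
CURRENT = snapshot("REMOTE PROGRAM", {
    "OB1": b"main cycle v12 + extra call",   # edited logic
    "DB20": b"setpoints v7",                 # unchanged
    "DB900": b"unknown data block",          # not in the baseline
})

if __name__ == "__main__":
    for kind, detail in audit(BASELINE, CURRENT):
        print(f"{kind:8} {detail}")
```
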
 
In the case of Stuxnet, it deployed some datablock on the system (something like DB706 if memory serves) and it targeted a specific type of drive and ONLY if that drive was running at a certain frequency etc etc. Stuxnet was designed to pinpoint a certain process.

Any other worm that was designed to be a more generic attack would struggle to 'mask' itself as it wouldn't know what effect its payload would have. Setting every marker bit from 0.0 to 100.0 would affect one machine differently to another. Without this specificity then the worm's effect would be sporadic to say the least.

That's where I run into the question of "mindset". Obviously the folks who wrote Stuxnet wanted it to work on the control systems for the centrifuges. But it also looks to me like they took efforts to avoid harming other systems, to the point where someone using the same hardware for a completely different purpose could be infected, but not have to worry about anything. Someone launching an attack for the lulz probably wouldn't be too concerned about causing collateral damage, but again, I think these guys (whoever they were) tried very hard to avoid collateral damage.

There's also a second question that I have, and not just for you, Uptown. A lot of folks here have pointed out that in order to do real, substantive damage, a hacker would have to know the system he's attacking intimately. If a hacker can get something into your system, could he get, say, the ladder logic out? Being that I'm new to this, I take great pains to ensure that my rungs are commented in a way that my boss can see what I'm doing, and that there's a record for the future, so that someone who's working on my work after my co-op ends doesn't have to struggle to understand what my code is doing. That kind of annotated logic is probably good for the folks I work for/with, but it's also the last thing I'd want to see in the hands of a malicious actor.
 
