Can a virus attack your PLC?

That's where I run into the question of "mindset". Obviously the folks who wrote Stuxnet wanted it to work on the control systems for the centrifuges. But it also looks to me like they took efforts to avoid harming other systems, to the point where someone using the same hardware for a completely different purpose could be infected, but not have to worry about anything. Someone launching an attack for the lulz probably wouldn't be too concerned about causing collateral damage, but again, I think these guys (whoever they were) tried very hard to avoid collateral damage.

There's also a second question that I have, and not just for you, Uptown. A lot of folks here have pointed out that in order to do real, substantive damage, a hacker would have to know the system he's attacking intimately. If a hacker can get something into your system, could he get, say, the ladder logic out? Being that I'm new to this, I take great pains to ensure that my rungs are commented in a way that my boss can see what I'm doing, and that there's a record for the future, so that someone who's working on my work after my co-op ends doesn't have to struggle to understand what my code is doing. That kind of annotated logic is probably good for the folks I work for/with, but it's also the last thing I'd want to see in the hands of a malicious actor.

Depending on the platform, the comments are typically not stored in the PLC. So with an upload of logic, especially if it is extremely complex, it is going to be a challenge to understand what process the system is controlling. And again, you introduce the need for human intervention to analyze the logic you stole, and human intervention to engineer specific logic to cause damage to this particular system....

----
Granted Stuxnet was designed for a "target" and most likely designed to prevent collateral damage...

I really question how capable it was at "masking" its payload. I can't imagine that Stuxnet would have the ability to mask any and all of the target logic ...on a complex system such as this I really feel (all opinion) that they knew the process, they knew how to damage it, and they knew they could mask this damaging code to the end user. I just don't believe they had the ability to mask the entire "target" code and completely replace all of it with any logic they wanted. The footprint of that would have to be massive in comparison with the target.

I think a true virus/malware that could dynamically learn a process, dynamically choose a "payload", and dynamically deliver that to the end user and keep it masked for a period of time would be extremely difficult to develop and deploy. Windows XP as an OS is extremely ubiquitous and makes a great target. With all the PLC brands, types and models out there, I think it would be an astonishing accomplishment to build something that could "adapt" to all the variables in the automation world.
 
Paully, I was actually envisioning human involvement. The way I see it, attacking an automated facility would probably have to be a 3 part process:
1. Inject something like a PLC equivalent of a keylogger to steal information. (The stuxnet guys probably didn't have to do much, if any, of this, it sounds like they hired experts and skipped to step 2)
2. Human analysis of the stolen data to figure out what's important to target, how to target it, and write the delivery package.
3. Release the virus, and let it make its way to the target.

The kind of stuff that a virus would have to do to avoid human interaction entirely, that's less virus and more artificial intelligence of a remarkably high order. It's probably beyond the amount of work even the most dedicated hacker would be willing to do (too much effort for too little gain?) and it's almost certainly beyond their capabilities. That said, I'm trying to look at this from the perspective of someone who wants to cause chaos for the heck of it. But to be brutally honest, I'm still so new to all of this, that I don't even know if I'm asking the right questions. I don't want to look like an idiot, but I am extremely curious about this.
 
Cybersecurity.

Sorry for jumping offline - hectic times.

Nonetheless, in answer to one question, when I said raw control system I was referring to the students. It was interesting to have both undergraduate and graduate students of whom only one had even been in a control environment setting. I used the course to see how well these "raw students" could attack the environment. The lab kit included an HMI, an Ethernet/IP communications path and a PLC. In the end the "raw students" were only able to deny communications, even given the actual hardware. The reality is that most cybersecurity professionals are trained on defending, not attacking, so this was very new. They all saw the vulnerabilities, though, of full access and openness if you can get in some way (wireless, wire tap, physical direct [break-in], physical indirect [compromise a field tech laptop, USB devices]).

Here is some more information on the physical indirect [USB Devices] - we just posted it on Control Engineering's website. http://www.controleng.com/home/sing...b-drive-at-the-door-seriously/61a2c3f64c.html
 
IMHO security will eventually meet wits with Cost/Benefit and Risk analysis scenarios and the topic will fade until a major producer actually falls victim. When plant managers look at their downtime/lost production reports a security breach won't even register on the map. Preventive maintenance, Operator Error, Mechanical/Electrical failure, ingredients out of spec...will all trump the "other" category; which is where I would place a security breach. Of course, this will vary depending on that risk analysis I mentioned.

While USB drives can be an easy way into a facility, they certainly are not the only way. The cost of preventing outside data devices would be staggering for a plant to do it right. At any given time while I am on site, I'll have a few USB thumb drives, a portable hard drive for my images, two smart phones (work and personal) and my laptop. You can't confiscate everything I bring, as I won't be able to do my job. You could send all of those items to IT for a security scan, but when it comes to a company laptop...that's gonna have confidential information on it which the IT department should not have access to. Now my bill goes higher due to my loss in productivity.

I have been in one plant where the IT department locked out all USB ports on their computers. Files had to be emailed to their IT department and they would transfer them to the computers. Or you could burn them on a CD. Or, you could set up a shared folder. Inconvenience and loss of productivity for me, and still openings for invasion as I could still use my laptop, and I could burn CDs.

To do it right, a company would need to have "contractor" laptops and drives that are IT cleaned and scanned. All outside files would have to be scanned and tracked. That would be extremely costly, especially if they need to license every possible piece of software a contractor might need. And if it's a crappy laptop with poor settings, loss of productivity for me, and a higher bill for them.

I am sure the bean counters will find the "proper" solution ;)
 
Reading this article I can see lots of ways people can get in, but I have to agree with several in here. Once you are in and figure out a way to extract the code from the PLC and HMI, and you somehow understand how the machine works and what it is supposed to do, you still have to interpret the program.

I have over the years looked at a lot of different code written by different people, and as we all know, with most processes there are ten ways to Sunday to get it done. That being said, you would then have to come up with some scheme to hide what you did, or it is a one shot deal. Plus if someone is suspicious then they can do a code comparison between what was original and what is currently in the system. Heck, I do that now to see if the "locals" have been messing about.
 
Plus if someone is suspicious then they can do a code comparison between what was original and what is currently in the system. Heck, I do that now to see if the "locals" have been messing about.

One of the important bits of Stuxnet was that it replaced the DLL responsible for communication between the PC and the PLC, so that if you tried to do a compare then you saw what ought to have been there instead of what Stuxnet had actually inserted.
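The two points above, that a project-to-PLC code compare catches a tampered block and that a replaced comm library can lie to that compare, can be shown with a small simulation. This is an added example written for this page, not code from the thread or from any real engineering tool; the PLC, the block names and contents, and the "driver" classes are constructed toy models (no real S7 protocol, no real DLL). The takeaway it demonstrates: a compare that reads the controller through the same library the malware hooked reports "clean", while a hash check of the resident blocks taken over an independent path against a commissioning baseline still reports the mismatch.

```python
"""Toy model: does 'compare project with PLC' catch a tampered block?

Added example for this thread, not code from the original posts. All block
names, block contents and the driver classes are constructed (assumed) models.
"""
import hashlib

# Constructed sample project: logic blocks as stored in the engineering project.
PROJECT_BLOCKS = {
    "OB1": b"CALL FC1\nCALL FC2\nBE",
    "FC1": b"L MW10\nL 100\n>I\nJC M001\nBE",
    "FC2": b"L MW20\nT QW0\nBE",
}


class Plc:
    """The blocks actually resident in the controller."""

    def __init__(self, blocks):
        self.blocks = dict(blocks)

    def read_block(self, name):
        return self.blocks[name]

    def write_block(self, name, code):
        self.blocks[name] = code


class HonestDriver:
    """Comm library that forwards reads to the controller unchanged."""

    def __init__(self, plc):
        self.plc = plc

    def read_block(self, name):
        return self.plc.read_block(name)


class HookedDriver(HonestDriver):
    """Comm library after replacement by malware: for every block it tampered
    with, it answers the engineering tool's read with the ORIGINAL bytes, so a
    compare run from that workstation sees what ought to be there."""

    def __init__(self, plc):
        super().__init__(plc)
        self.shadow = {}  # block name -> original bytes shown to the tool

    def tamper(self, name, malicious_code):
        self.shadow[name] = self.plc.read_block(name)  # remember the clean copy
        self.plc.write_block(name, malicious_code)     # push the real payload

    def read_block(self, name):
        return self.shadow.get(name, self.plc.read_block(name))


def digest(code):
    return hashlib.sha256(code).hexdigest()


def compare_via_driver(driver, project):
    """What the tool's 'compare with PLC' does: read each block through the
    comm library and diff it against the project. Returns mismatched names."""
    return [n for n, code in project.items() if driver.read_block(n) != code]


def compare_out_of_band(plc, baseline_digests):
    """Independent check: hash the blocks resident in the controller over a
    path that does not pass through the possibly hooked library (here modelled
    as direct access, e.g. a second, known-clean workstation) and compare with
    digests recorded at commissioning."""
    return [n for n, h in baseline_digests.items()
            if digest(plc.read_block(n)) != h]


def scenario():
    plc = Plc(PROJECT_BLOCKS)
    baseline = {n: digest(c) for n, c in PROJECT_BLOCKS.items()}  # taken when clean
    hooked = HookedDriver(plc)
    # Tampering: a block that drives the output word to all ones (constructed).
    hooked.tamper("FC2", b"L 65535\nT QW0\nBE")
    return {
        "compare_through_hooked_driver": compare_via_driver(hooked, PROJECT_BLOCKS),
        "compare_through_honest_driver": compare_via_driver(HonestDriver(plc), PROJECT_BLOCKS),
        "out_of_band_hash_check": compare_out_of_band(plc, baseline),
    }


if __name__ == "__main__":
    for check, mismatches in scenario().items():
        print(f"{check}: {'clean' if not mismatches else 'MISMATCH ' + ', '.join(mismatches)}")
```

Running it shows the first check reporting clean and the other two flagging FC2. The practical point is that the compare is only as trustworthy as the path it reads through; a baseline of block hashes captured at commissioning and re-checked from a separate, clean machine (or from the controller side) does not depend on the engineering station's library being intact.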
 
you still have to interpret the program.

No you don't. You just throw a random short lived memory chitstorm at it. You don't care what happens if you are just trying to wreak destruction, or cause technical difficulty, confusion and downtime...you don't need to know what the devices are controlling, just that you now are controlling the I/O...

I wrote a program in QBASIC, to:
1) Start:
2) Pick a random number between 0.0 and 1.0.
3) //Poke junk into memory
3a) Calculate the memory range allotted to the OS.
3b) Generate a random number in the range of memory
3c) Poke a random number there
4) sleep a couple of seconds
5) Goto Start

That program was compiled as a standalone exe using QB4.5 and I just used it to try to see how my old junk PC would deal with it in DOS. The PC might run a maximum of two or three minutes and then freeze (yank the power cord freeze).

That little snippet of standalone code actually still works up through WinXP. It has locked up every machine that I have run it on to this day.

I wrote it only knowing a couple of DOS calls to obtain memory locations in the form required by POKE. You only need information about the system if you care about maximizing damage or avoiding certain collateral damage. Hackers don't necessarily care about any of that.

What they care about is telling their buddies; "Hey, did you hear about that fire at the peanut mill?" "Yeah" "I think I caused that, dude!"..."Mmm, an' I'm 'bout to get paid for the next one..."

My little program which I dubbed "Memory Sh*t Storm" didn't care about collateral damage, but the few times I ran it, (on crash test dummy PCs) it never corrupted any disc files. It would be a no brainer to attack there I'm sure.

I think we will see (maybe already) a resurgence in proprietary networks and protocols for critical infrastructure, but us little guys who just make food and stuff, leaving our PLCs in REMote Run, with weaknesses in the connection to the IT systems, are sitting ducks, so we should pay attention. I would settle for a coral snake colored copper Ethernet patch cable that I could yank to isolate our network from theirs...

Hey, GIT, there's an untapped market...snake pattern patch cable sleeves with a white patch and an indelible pen for labelling critical Ethernet cables.

I wish I could post some pics of our network hardware. It seems our IT guys are so buried in upgrades, and jumping so far into virtualization, that, with their heads in the clouds, it's even easier to ignore the wires and switches...
 
My only suggestion is for you to maybe do a bit more research on the stuxnet. There is way too much information to answer you in a one line reply.