Master PLC Spoofing

You had better make sure you do a sound job next time. Whoever you have upset (and you HAVE upset them big time) has good radio and PLC knowledge, and what do they have to gain? Yes, sure, I needle people when they mess with me, but only a bit; unless there is money in it, why bother?
As the man said, if you want revenge, dig two graves. I think there is a bit more to this than meets the eye. What does this guy get out of bringing the network down? Not money, can't be; disruption is OK, but you need to see things bumping into one another to make it worthwhile. I think your man has someone who is telling him just what is going on and the result it has; he couldn't possibly know otherwise.
You might spend loads on a solution, for the knowledge to go straight out the factory door. Look closer to home.
 
I am sure, thinking about this, that it would be easy to build in a little key token system: the master generates a random number sequence and each slave cyclically replies one by one to each poll, the reply being based on a simple algorithm. You can use divide by 4 or nine; there are many ways to do this. OK, so it slows up bandwidth, but it would take a long time to crack it without the code. OK, you can't stop the hack, but you can detect it and catch the bugger; he can't be too far away.
PS, you are a radio guy, surely you can triangulate him. Might not get him the first time, but you will the second; he is bound to use the same place. He must drive a 7.5 tonne van: radio, antenna, PLC, power supplies etc.?
Something isn't right about this???!!!...
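The key token idea in the post above, as an added example that is not from this thread: a small Python simulation of a master polling a slave with a random challenge, with a keyed HMAC tag swapped in for the poster's "divide by 4" reply. The master flags replies it never asked for (a sign that some other station is polling the slave on the shared channel) and replies whose tag does not verify. Slave id 7 and the shared key are constructed values.

```python
import hmac
import hashlib
import secrets

def tag(key: bytes, slave_id: int, nonce: bytes) -> bytes:
    """Keyed reply to a challenge (HMAC swapped in for the post's 'divide by 4')."""
    return hmac.new(key, bytes([slave_id]) + nonce, hashlib.sha256).digest()[:8]

class Master:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}   # slave_id -> challenge we sent and have not yet matched
        self.alerts = []    # what the operator would want logged

    def poll(self, slave_id: int) -> dict:
        nonce = secrets.token_bytes(8)   # fresh random challenge on every poll
        self.pending[slave_id] = nonce
        return {"slave": slave_id, "nonce": nonce}

    def check(self, reply: dict) -> str:
        sid, nonce = reply["slave"], reply["nonce"]
        expected = self.pending.get(sid)
        if expected is None or not hmac.compare_digest(expected, nonce):
            # Reply to a challenge we never issued: another station is polling this slave
            self.alerts.append(f"unsolicited reply from slave {sid}")
            return "unsolicited"
        if not hmac.compare_digest(tag(self.key, sid, nonce), reply["tag"]):
            # Right challenge, wrong tag: sender does not hold the key (forged/replayed)
            self.alerts.append(f"bad tag from slave {sid}")
            return "bad_tag"            # leave the challenge open for the real slave
        del self.pending[sid]
        return "ok"

class Slave:
    def __init__(self, slave_id: int, key: bytes):
        self.slave_id, self.key = slave_id, key

    def respond(self, poll: dict) -> dict:
        return {"slave": self.slave_id, "nonce": poll["nonce"],
                "tag": tag(self.key, self.slave_id, poll["nonce"])}

def demo():
    key = b"constructed-shared-key"          # constructed value, not a real key
    master, slave = Master(key), Slave(7, key)
    legit = master.check(slave.respond(master.poll(7)))
    # Another station (no key) polls the slave; the real master hears the answer but cannot match it
    heard = master.check(slave.respond({"slave": 7, "nonce": secrets.token_bytes(8)}))
    # A reply to a genuine challenge but without the key: the tag fails to verify
    forged = {"slave": 7, "nonce": master.poll(7)["nonce"], "tag": bytes(8)}
    return legit, heard, master.check(forged), master.alerts
```

The alerts list is the detection hook: on a real link it would go to the SCADA alarm log with a timestamp so the operator can correlate it with the radio direction-finding the post suggests.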
 
Of course I'm prejudiced, but sometimes the customer must go wireless when the SCADA system is spread out for miles. As mentioned earlier, the way to go is Spread Spectrum and preferably Ethernet. The Ethernet radios we deal with have 8 layers of security and even if it were an insider trying to hack the system, as long as only a chosen few truly had access to the radio configuration, it would be virtually impossible to hack into the system, because they utilize many of the TCP/IP stack layers that others don't. I'm talking 900MHz radios here, not your typical 2.4 802.11 etc. types of radios. But yes, I agree that if you can go with wire/fiber and can afford to add the runs within an industrial plant type of situation, you should go for it! Thanks for your comment, I really appreciate everyone taking time to respond.
Chuck
 
They have remote sites all over the place, anywhere from a couple of miles to as far out as 18 to 20 miles, with rolling hills in between and many sites without true line of sight.

This is the kind of information I'm looking for. Of course I would expect and hope that their PLC people would know to do this, but I'll pass this on to them just in case. How much time/effort would you estimate this would take to go back in and add this programming to an existing system? You guys are great! Too bad our industry doesn't have a similar site to this.
 
Very Cool!! Before I came on to put this problem before the group, I did attempt to research the web for just this sort of product, but I didn't see this one. I can't thank you guys enough!
Chuck
 
The system has been running flawlessly for about 5 years and we are contracted to perform the PM every year, so yes, if it were a new system I might suspect something like that. I am going to contact the customer again and get more details for those of you who have taken the time to think about and comment. I'm hoping that the device that Monkeyhead found will take care of the problem and give our company an answer to our licensed frequency customers (which typically are water customers) when they have security concerns. Thanks
Chuck
 
Wow, the resources here are amazing! It is very common for the high power licensed radios and the PLCs to live in harmony, it is a standard installation, and the system has been running great for all these years. They have some reason to believe that it is an individual that is causing this problem. I'm sorry guys, I just don't have all the info but I'll try to get some more details.
 
I don't know if this will help.

I was involved with a project about 5 years ago or so; the company I was dealing with were using Omron PLCs. They approached me to try to use wireless comms. What I found out was that the PLC's Industrial Ethernet card was really expensive. So I found a Lantronix (CoBox) transceiver for about $300-$400 Cdn. (Approx $2 American, Ha ha, Just kidding.) Converted RS485 to Ethernet. I then used a Lucent Access Point with 128 bit encryption. (They may have better now.) So I went from PLC to PLC converting 485 to Ethernet and transmitting Ethernet wirelessly, then converting back to RS485 for the PLC. Worked like a charm. I don't think these CoBoxes will work with AB PLCs where they use a different comm. protocol, but it's worth looking at.

Best of luck.🍻
 
Chuck Hoyt said:
They have remote sites all over the place, anywhere from a couple of miles to as far out as 18 to 20 miles, with rolling hills in between and many sites without true line of sight.

This is the kind of information I'm looking for. Of course I would expect and hope that their PLC people would know to do this, but I'll pass this on to them just in case. How much time/effort would you estimate this would take to go back in and add this programming to an existing system? You guys are great! Too bad our industry doesn't have a similar site to this.

I think it would be far less expensive and complicated, and way more secure to install the encryption hardware that Monkeyhead posted.
 
OK guys, I just got off the phone with this gentleman & I'm a bit embarrassed, only because what I understood to be an actual attack on his system was a simulation where they were investigating the possible ways that a "terrorist" could disrupt or take over the system! (Hey, at least I'm admitting it! Ha!) Actually, I think it's still a good thing that this topic came up, because I'm sure it will surface sooner or later again for all of us. All of your comments and suggestions were very valuable to me and I have passed it all on to the customer. If you still have some thoughts on the subject, I'm eager to hear them. SO, THANK YOU EVERYBODY FOR YOUR THOUGHTFUL RESPONSES!! Let me know if I can be of any help to you.
Chuck
 
TIC said:
EDITED QUOTE:

he can't be too far away.

he must drive a 7.5 tonne van, radio, antenna, PLC, power supplies etc.?

He wouldn't need much for an antenna, maybe a small yagi a foot or two long.

A small 25 watt transceiver could easily plug into the cigarette lighter of his Toyota or Honda.

Shame the system can't send him a Taser blast in return!

regards.....casey
 