Network Virus & PLCs

Gadelric

I had an old boss reach out to me last night.
He mentioned that their system had a huge virus that did all kinds of damage to their servers.
They have seen some things freak out on the assembly lines after the attack.
I used to work at this facility, and they wanted me to come in and check on things.
I am unable to go to their facility as I am under a non-compete.
I haven't seen PLCs get infected before, but that doesn't mean it isn't possible.
They are all AB PLCs and PanelView HMIs.
I told them I was unable to provide a direct answer, but I would poke around to see what I could find out.
I do know that a couple of their lines have managed switches, and told them to make sure IT looks them over to ensure their settings are still correct.

Is there any real fear that the virus would be in the PLC or are they just seeing odd things happen that are just coincidental?

I do know they use AssetCentre to store their PLC files and activations, and that server was infected.

Gad
 
It's far more likely that there are HMIs, recipes, and databases that were damaged by the attack than the PLCs themselves. Or, they're seeing the sort of restart problems present after any unscheduled shutdown and are ascribing it to the cyberattack incident.

It's certainly not impossible, but I'm unaware of any in-the-wild attacks against Rockwell controllers. There's a good amount of potential demonstrated by white-hats, and some critical vulnerabilities in some products, but nothing that's been seen in the real world as part of espionage, sabotage, or extortion.

Unfortunately, vague descriptions like "things freak out" cannot be diagnosed without detailed in-person investigations.
 
Oddly enough, I was reading about this a while back, but I didn't think it was widespread.
The article I was reading made it sound like this "virus" was specifically created for the purpose it eventually performed, crashing that lab in Iran.

I will hit them up tonight and have them look around for something that may or may not be collecting data.
I think I might even have an old thumb drive that had some of the original start up files that they could compare to and see if there is anything "new" that seems out of place.

Thanks for the reminder =)

Gad
 
I imagine there is a thread about Stuxnet somewhere on this and other PLC sites.

That was directed more towards Siemens I think https://en.wikipedia.org/wiki/Stuxnet


Ken said:
but I'm unaware of any in-the-wild attacks against Rockwell controllers

I sell a lot (a lot) of my trainers to 'cyber' companies. Not sure if they are trying to hack in or protect against an attack, but they are playing with them, so I am sure Rockwell is on someone's list.
 
There are surely cyberweapons that target Rockwell controllers. It would be foolish to believe that there aren't already some of them latent, or being quietly tested, in American infrastructure and around the world.

I'm just not aware of any documented incident of them being triggered or deployed.

When Stuxnet was first being reported on, there was a CEO-level message to every Rockwell office around the world, which included the basic instruction: "DO NOT criticize this as a Siemens weakness, because we are surely next."
 
There are definitely viruses that can trash PCs, wrecking things like recipes that could have a perceived impact on PLCs. I haven't heard of them messing with managed switches, but it definitely seems like a good thing to check.



I've seen presentations on theoretical attacks on PLCs, but I've never heard of them being turned into real world problems, except Stuxnet and its variants.



Stuxnet was actually a little bit widespread in that PCs got infected outside of Iran; however, it didn't do anything nefarious (besides spread) unless it detected certain key data that indicated it was the specific Iranian system they were targeting. Even then, it wasn't really "exploiting" the PLC; it hacked the engineer's PG to download extra code that it then hid online, among other things.
 
Was the name of the virus given? Chances are that the reason things are "freaking out" is because there were corrupted servers that contained production recipes and data or the communication links were broken as a result of the virus.
 
I had an old boss reach out to me last night.

I used to work at this facility, and they wanted me to come in and check on things.
I am unable to go to their facility as I am under a non-compete.

Reach out as a friend or an old boss?

(Check on things) Do you get to charge a rate?

I've helped ex-co-workers in the past if they got in a jam on how to get through whatever. I'm unsure I'd go to an old boss's site without some kind of contract and a rate (and a scope which includes that I get paid even if I can't fix your problems).

If you went on-site, these weird issues turn into everything was fine before Gadelric looked at it. Then it makes you the owner of the problems forever, say you do fix it but it keeps messing up or you give it a "fix" but it doesn't solve the real problem. Does that put you in the fire when production goes down?
 
The problem with attacking PLCs through other cyber attack vectors is that PLCs run very, very specific programs with massive variability. Now, you could, theoretically, just randomly alter data, but the effects could be anything from nothing to a total meltdown.


That is why it is my belief that attack vectors would have to be specific to the system involved (such as in Stuxnet). I can't speak as to their situation without actually assessing the situation, but it is worth keeping an open mind over.
 
I realize it is not exactly relevant to this thread, but the ISA has been working on a "Top 20 List of Secure Coding Practices for PLCs" initiative. (https://top20.isa.org/)

I am sure that some of these might reduce the consequences of a virus attack. But it would depend on how the virus worked.
 
There are surely cyberweapons that target Rockwell controllers. It would be foolish to believe that there aren't already some of them latent, or being quietly tested, in American infrastructure and around the world.

The main problem of Stuxnet was Windows. There was a basic communication DLL for communication to the Siemens PLC which was replaced with a fake one, which modified the code you see at the controller and also placed different code in the PLC. It does not take a deep understanding to do this on Rockwell or other controllers as well, but you need the 0-day exploits in Windows to distribute this over the network.
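Both the "compare against the original start-up files from a thumb drive" idea earlier in the thread and the replaced communication DLL described here come down to the same defensive check: hash a known-good copy of the engineering-workstation and project files and diff it against what is on the machine now, so that a swapped DLL or an unexpected new executable stands out. The script below is an added example, not code from the original post or from any vendor; the directory layout and file names it builds (`Project/Line1.ACD`, `Comms/driver.dll`, `Comms/collector.exe`) are constructed sample data, not real paths from the site in question.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large project archives need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root):
    """Map every file under root (path relative to root, '/' separators) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return out

def compare(baseline, current):
    """Return (added, removed, modified) relative paths, each list sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed sample: a known-good tree vs. one with a replaced DLL and a new binary."""
    good = {"Project/Line1.ACD": b"original project", "Comms/driver.dll": b"vendor driver v1"}
    now = {"Project/Line1.ACD": b"original project", "Comms/driver.dll": b"replacement driver",
           "Comms/collector.exe": b"unexpected"}
    with tempfile.TemporaryDirectory() as b, tempfile.TemporaryDirectory() as c:
        for root, tree in ((b, good), (c, now)):
            for rel, data in tree.items():
                path = os.path.join(root, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        return compare(manifest(b), manifest(c))

if __name__ == "__main__":
    added, removed, modified = demo()
    print("new files:", added)
    print("missing files:", removed)
    print("changed files:", modified)
```

In practice the baseline manifest is generated once from the offline known-good copy and stored with it, so the comparison never has to trust the possibly compromised host for the reference hashes.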
 
I realize it is not exactly relevant to this thread, but the ISA has been working on a "Top 20 List of Secure Coding Practices for PLCs" initiative. (https://top20.isa.org/)

I am sure that some of these might reduce the consequences of a virus attack. But it would depend on how the virus worked.

Oh, that'll work... not.

I cannot even convince plant managers and others to simply leave the keyswitch in the RUN position.

Grrrr.
 