Omni Special about hackers attacking PLC's

ceilingwalker

Last Wednesday night I watched Omni on PBS. It was a special about how hackers are now (or have been) hacking into networks and taking control of PLC's. Most notably were the centrifuges at an Iranian Uranium Enrichment Plant. Someone hacked it and destroyed centrifuges by controlling PLC's. Maybe this has been going on for years I just saw the special. Of course the idea of this happening has crossed my mind however, they gave a simple example of controlling street lights, at a busy intersection. Within minutes the hacker had taken control from the PLC and operated it remotely. Has anyone here come up against such an attack? Just curious.
 
my question is what kind of IT dept is letting high risk devices like PLC's be put out on public internet? The stuxnet(iran thing) was a completely different deal, as it was a specially formulated attack against a specific target.
 
my question is what kind of IT dept is letting high risk devices like PLC's be put out on public internet? The stuxnet(iran thing) was a completely different deal, as it was a specially formulated attack against a specific target.

If there is one thing technology has taught us it's that for every security measure, there is someone finding a way around it. I remember being at a remote oil field once and it is unmanned. If an experienced hacker wants in bad enough, I don't think it matters what kind of an I.T. department one has. I remember being given a warning by my bank not too long ago, warning that someone hacked into it and my personal information was now at risk. If a bank can't keep hackers out, who can? Just my thought on it.
 
lookup Stuxnet virus
US Government, Siemens PLC on a very private network never available to the public they hacked in through a USB Flash Drive that one of the engineers took home and then back to the plant. it was sometime about 10 years ago
 
lookup Stuxnet virus
US Government, Siemens PLC on a very private network never available to the public they hacked in through a USB Flash Drive that one of the engineers took home and then back to the plant. it was sometime about 10 years ago

Stuxnet has three modules: a worm that executes all routines related to the main payload of the attack; a link file that automatically executes the propagated copies of the worm; and a rootkit component responsible for hiding all malicious files and processes, preventing detection of the presence of Stuxnet.[8]

The worm was at first identified by the security company VirusBlokAda in mid-June 2010.

Thanks for the info. This is really fascinating.
 
The point is: so far all the known cases of PLC hacking seem to be the work of governments in collaboration with the PLC manufacturer targeted to achieve a specific goal.

I am not saying that the controls networks should be wide open but calling PLCs 'high-risk devices' seems to be a bit too much.

There was an extensive discussion of Stuxnet on this forum when the news came out a few years ago. You may be able to search for it.
 
Sounds like some of those authors took notes from the movie "Black Hat" where a hacker got into some ControlLogix processors and killed some VFDs that were responsible for circulating cooling water to fuel rods at a nuclear plant. The real "target" were some pumps controlled by the same drives at some mining dams. In the movie they showed the inside of the panel and sure enough there was a 1756 rack.
 
from diat150:

my question is what kind of IT dept is letting high risk devices like PLC's be put out on public internet?

don't ask - you DON'T want to know ...

along these lines - has anybody been watching what's been going on with the new "on the internet" cars? ...

http://videos.komando.com/watch/577...-see-what-this-hacker-does-to-an-ordinary-car

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

quote from the second article:

Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.

so the question becomes: what kind of automobile manufacturer is letting high risk devices like cars be put out on the public internet?

 
Right on Ron.

Honestly, most first world countries would be completely f***ed if a hostile neighbour spent enough money on a cyber attack. Power systems, traffic systems, communication networks, cars, everything is vulnerable. This is why we should all play nice with our global neighbours.
 
https://ics-cert.us-cert.gov/

If industrial security is something you're interested in, the government actually offers hacking classes. The purpose is to show people what is possible, so that hopefully we can try to mitigate it.

Has anyone here come up against such an attack? Just curious.

I doubt anyone in here has come up against an actual malicious external hacker trying to harm their specific facility. What we are much more likely to face is the opportunistic hacker. This could be a line worker who wants an unplanned break, or it could be someone on the internet who is scanning everything and happened to notice an opening at your facility. People are always scanning for devices to connect to. If your system is publicly accessible on the internet, people will find it. Oftentimes they don't even know who they are attacking, they do it for the fun of it.

For example: https://www.shodan.io/search?query=s7300
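
One way to check your own perimeter for the exposure described above, as an added example that is not part of the thread: it audits an export of inbound forwarding rules for industrial-protocol ports reachable from outside RFC 1918 space. The rule format (`name,source_cidr,dest_ip,dest_port`), the rule names and the addresses are constructed for illustration; the port numbers are the protocols' well-known defaults.

```python
import ipaddress

# Well-known default TCP ports of common industrial protocols.
ICS_PORTS = {
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP (e.g. ControlLogix)",
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export: name,source_cidr,dest_ip,dest_port
SAMPLE_RULES = """\
# hypothetical perimeter firewall, inbound forwards
vendor-support,0.0.0.0/0,10.20.1.15,102
scada-hmi,10.20.0.0/16,10.20.1.15,102
pump-station,198.51.100.0/24,10.30.4.2,502
web-portal,0.0.0.0/0,10.1.1.80,443
line3-plc,192.168.50.0/24,10.20.1.40,44818
"""

def source_is_internal(cidr):
    """True only if the whole source range sits inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)

def audit(rules_text):
    """Return (name, exposure, dest_ip, port, protocol) for risky rules."""
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, src, dst, port = [f.strip() for f in line.split(",")]
        port = int(port)
        if port not in ICS_PORTS or source_is_internal(src):
            continue  # not a controller protocol, or only reachable internally
        any_src = ipaddress.ip_network(src, strict=False).prefixlen == 0
        exposure = "ANY-SOURCE" if any_src else "EXTERNAL-SOURCE"
        findings.append((name, exposure, dst, port, ICS_PORTS[port]))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print("%-15s %-16s %s:%d  %s" % f)
```
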
 
In that same PBS special, hackers were able to infiltrate home security systems. They were able to pick a protected home, find its GPS coordinates, drive to the home, hack the security system, and walk in through the unlocked door.
 
calling PLCs 'high-risk devices' seems to be a bit too much.
if you have a plc on the public internet that controls a process, that is very much high risk. I've seen it many times in oil and gas. If you have a device that is capable of hurting people or causing an environmental catastrophe out on the public internet where others can gain access and modify or sabotage the code, that is very much high risk. The person responsible should be held accountable when/if something like this happens.
 
... killed some VFDs that were responsible for circulating cooling water to fuel rods at a nuclear plant.

Based on a true story !

Operators had to manually scram the Browns Ferry Unit 3 reactor in 2006 when the coolant loop VFDs faulted because of an Ethernet traffic overload. It was a network malfunction of some sort, rather than malicious hackers, but the point about network controls is there. I've never seen a report on the Browns Ferry incident that specified the manufacturer of the VFDs or the controllers.

I'm going to watch this episode sometime soon to see how much of it is sensationalism and how much is based on facts.
 
While I agree that there is a threat, PLC networks are available through the internet via VPN access because the benefits outweigh the risks. As previously mentioned, the OP reference wasn't a 'hack', it was a planned, funded, executed attack.

I don't see the benefits of hacking a PLC directly. Seems to me that if something is hacked, they want something of value, or want the world to know about it. You can argue taking down critical infrastructure by hacking a PLC is a good motivator, and you are correct that will get national attention and is pretty high risk. But on everyday production systems, I fail to see it.
Hacking a Milk plant and running the pumps sporadically will cause production issues, but low Chocolate Milk supplies probably won't make headlines. Internally or to a disgruntled employee, maybe.

Now, of course, if they can get to the PLC network, my logic would say use the PLC network and its vulnerabilities to get to the 'business' systems. Just like the Target example. They didn't bother messing with the HVAC system at the location. They used it as a bridge to the good stuff. That's where the value is, email, business transactions, IP.... get the critical business information, who cares about production.
 
