plc - corrupt ?

[Bit_Bucket_07]

Is the PLC a Siemens? If so, you might have got the Stuxnet trojan from your flash drive. It was targeted at specific plants, but there may be exceptions. I think Siemens offers fixes for that virus now.

Hmmm... I assumed that he meant that the program was stored on an EEPROM, not a USB RAM drive. Unless the PLC is connected to the Internet, it is unlikely that it would have contracted a virus.

That said, the EEPROM could certainly be corrupted, although I would be surprised if it passed a CRC test in such a condition. I would think that it's more likely that the program requires some sort of preset value in one or more registers and that those values may not have been stored on the EEPROM when the program was recorded.

 

[Lancie1]

Unless the PLC is connected to the Internet, it is unlikely that it would have contracted a virus.

"Unlikely" is not going to prevent some catastrophes. None of the uranium processing plants that Stuxnet attacked were known to be connected to the Internet. Stuxnet bypassed all the normal Siemens security checks. In the US, there are rumors about some power plants that have suffered shutdowns and other problems from PLC virus attacks. I think Homeland Security is keeping it very quiet and trying to keep a lid on the amount of the damages. See these stories:

http://www.foxnews.com/tech/2011/10/19/stuxnet-clone-duqu-hydrogen-bomb-cyberwarfare/

http://www.theregister.co.uk/2011/03/22/scada_exploits_released/

 

[Bit_Bucket_07]

"Unlikely" is not going to prevent some catastrophes.

Can't argue with that Lancie. The first virus that I ever encountered was making the rounds on a 3.5" floppy disk before the Internet even existed. A co-worker brought it back with him from Ontario.

 

[Jeff23spl]

The originators tried to eliminate all other facilities, but that was not guaranteed. Nothing in war is guaranteed. The enemy has cloned Stuxnet and fed it back as a changed version that attacks who-knows-what-all. Watch out about using off-the-street flash drives to move programs around in your PLCs.

This sounds like an ovni invasion to me and since we still doesn't know the plc brand and model, we can't give much advice...

 

[Lancie1]

Jeff, the PLCs targeted by Stuxnet were Siemens brand, and I have nothing against Siemens and think they make some great PLCs. That just happened to be the brand in the line of fire. Any other brand would (and have already) suffered the same fate. The Stuxnet worm was designed to attack Siemens PCS-7, WinCC and STEP7 industrial software applications that run on Windows. It had a time-disable feature on June 24, 2012, becoming dormant on that date, as far as is known.

You can find details by searching for "Stuxnet attack". The Stuxnet attack happened long ago and is a well-known organized successful attack on the Iranian uranimum centrifuges by changing the Siemens PLC programs to drive the centifuges at high speed until they self-destructed (although the programming details are still somewhat secret). The virus was introduced through migration from flash drives used by the programmers. In retaliation, the Iranians organized programmer groups to attack US power plants and other facilities with Stuxnet-like clones ("Duque" was one).

http://www.google.com/#sclient=psy-ab&hl=en&site=&source=hp&q=stuxnet+attack+on+iran%27s+nuclear+facilities&oq=Stuxnet+attack&gs_l=hp.1.2.0l6j0i30l4.2625.6016.1.8313.14.9.0.5.5.0.266.1720.0j6j3.9.0.les%3B..0.0...1c.1.4.hp.-W5BcwpG0GI&psj=1&bav=on.2,or.r_gc.r_pw.&bvm=bv.42768644,d.eWU&fp=b8500ad9da068ee6&biw=1024&bih=615

 

[Jeff23spl]

I changed my post after reading about it but as you said, any virus can only attack a softplc device or plc using a computer based system like a scada/DCS or hmi programs. It's enought to bring down a whole plant relying on a computer based DCS but this can't be a concern for any conventional plc that still use the solid and reserved hardware for logic control.
This is a reason why to keep all protections local and give limited access to DCS/scada system in case of wrong logic or just a bad operator move...In the other hand, unless someone works in a nuclear plant we shouldn't remain afraid of this because the virus as to know what to change and will probably just bring down another plc logic. So keeping a copy in case of issues works for this and most of all other case...
Do you remember in 99 how peoples was frighten about the 2000 bug and lack of information bring them to almost think that the earth could stop rotating? We should keep an eye on that but not much more unless we are specifiquely concerned...

your link doesn't work for me ?

 

[Lancie1]

It's enough to bring down a whole plant relying on a computer-based DCS, but this can't be a concern for any conventional plc that still uses the solid and reserved hardware for logic control.

The popular press reported Stuxnet as a "SCADA" virus" but if you look into the details, it really did not depend on any SCADA system at all. It simply looked for a particular type of plant running a specific PLC program. Even though it targeted the speed-control functions of centrifuges, it was estimated to have also attached itself to approximately 2% of other non-relatd Siemens PLCs in the US and UK. Stuxnet was designed to cross many types of platforms, and Stuxnet could find a path into almost any type of PLC-controlled system, not limited to SCADA systems.

The lesson is to assume that no PLC is safe from being infected, or that a PLC can be remotely controlled to do destructive damage to equipment.

Your link doesn't work for me.

Here is part of it.

In May 2011, the PBS program Need To Know cited a statement by Gary Samore, White House Coordinator for Arms Control and Weapons of Mass Destruction, in which he said, "we're glad they [the Iranians] are having trouble with their centrifuge machine and that we – the US and its allies – are doing everything we can to make sure that we complicate matters for them", offering "winking acknowledgement" of US involvement in Stuxnet.[21] According to The Daily Telegraph, a showreel that was played at a retirement party for the head of the Israel Defense Forces (IDF), Gabi Ashkenazi, included references to Stuxnet as one of his operational successes as the IDF chief of staff.[18] On 1 June 2012, an article in The New York Times said that Stuxnet is part of a U.S. and Israeli intelligence operation called "Operation Olympic Games", started under President George W. Bush and expanded under President Barack Obama.[22]

 

[Jeff23spl]

Their is a big difference for virus sensitive between Scada or softplc like PCS7 using a computer base windows running a display or logic software VS a completely dedicated plc directly and only running logic like a S7-200-300-400.

Now on dedicated HMI, like a Siemens Comfort or probably Panelview, you cam play a video using window media player or opening a PDF document but all these feature are windows CE based and more sensitive to a virus than an old SLC plc for exemple or a micro/compact/Clogix

 

[Lancie1]

No PLCs are safe from viruses, and providing any kind of permanent Internet link for a PLC is asking for some foreign group to worm in and take over control of your factory.

...all these feature are windows CE based and more sensitive to a virus than an old SLC plc for exemple or a micro/compact/Clogix

You better check into that. There is a free sofware program widely available that will drill into a Allen Bradley SLC and allow anyone to change any input or output without any other software, no virus needed. I am not the only one that thinks PLC internet connections are a danger. See this thread:

http://www.plctalk.net/qanda/showthread.php?t=77727
_

 

[Tharon]

No PLCs are safe from viruses, and providing any kind of permanent Internet link for a PLC is asking for some foreign group to worm in and take over control of your factory.
You better check into that. There is a free sofware program widely available that will drill into a Allen Bradley SLC and allow anyone to change any input or output without any other software.

I guess it depends on your definition of Virus. Are PLCs intrinsically safe from being tampered with while connected to an open network? No. Will a virus program infect and run on a PLC? That's a different question. I wouldn't call a free RSLinx alternative a virus that is affecting the PLCs. It could be used maliciously, but I don't think that means a virus.

It's like people referring to having accounts "hacked" that were really stolen usernames/passwords. No actual hacking need to have taken place, no virus or other malicious software. But they still refer to it as a "hack".

 

[Lancie1]

It's like people referring to having accounts "hacked" that were really stolen usernames/passwords.

For a PLC system invasion, it would be more accurate to say "we had a large company loss this morning, for some reason our process conveyors started running at 200% full speed, material was dumped, belts jammed and broke, and as a result we suffered severe damage to plant equipment. We will have to shut down the plant, and lay off some people for several months." Maybe that would convey the real message better than talking about hacks.

 

[Bluerobotz]

It could be a faulty plc yes. I had an AB CompactLogix L32E with this type of fault about 6 months ago. I was chasing faults round in circles for about 3 weeks, fixed one and another new one would appear. Swapped out the PLC and no more problems. No sign of any fault & no reported errors. Powered it up back at base and found it wouldn't talk to a DeviceNet card either. Piece of expensive Junk.

Dave