Major Manufacturer Admits PLC Security Breach

News update from Eric Byres and S. Claus


November 27, 2012


With the advent of Advanced Persistent Threats such as Stuxnet, Night Dragon, Duqu and Shamoon, many manufacturing and process control facilities have been faced with eradicating malware from their SCADA and ICS systems. However, few are talking about what happened and how they addressed it publically.


Today we are fortunate that Mr. Santa Claus has decided to tell the story of how the kAndyKAn3 worm attacked the toy packaging system at North Pole Toys. Instead of putting one toy per box, multiple toys where going into one box, while other boxes were being wrapped while still empty. Initially, the problem was thought to be a PLC problem, but all the ladder logic appeared to be correct.


With the help of Joel Langill, also known as SCADAhacker, the kAndyKAn3 worm was identified in the toy packaging systems. Unfortunately it had also already infiltrated the main office database, packaging and shipping systems.


Like Stuxnet, the worm contained a PLC programming station rootkit that prevented the elves from detecting the changes it had made to the PLC logic. Further investigation showed that kAndyKAn3 was introduced into the apparently air gapped toy packaging line via a Christmas CD by Celine Dion.


SCADAhacker led the effort to implement a Defense in Depth plan. This included the installation of in-line security appliances with industrial firewalls for multiple security zones of equipment in each of the Toy Workshop, Toy Assembly, Toy Packaging and Toy Shipping systems.


Other measures taken, included replacing a USB data transfer strategy with electronic transfer through DMZs and industrial firewalls, and beginning the process of educating key elves on industry standards and best practices for security.


Overtime, a full Defense in Depth solution will be applied following the ISA/IEC 62443 standards for control system security. As a final preventative measure, all Celine Dion CDs are now banned at North Pole Toys.


The lesson to be learnt is that if malware can reach the North Pole, it can reach any facility.


For the full story, see today’s blog article: Major Manufacturer Admits PLC Security Breach.

Related Links

•    Blog: 3rd Annual Controls Engineer Holiday Gift Suggestion
•    Blog: Defense in Depth Part 1
•    Blog: Defense in Depth Part 2
•    Webpage: Tofino Security Appliance