PLC

January is the Cruelest Month

Early in 2012 Eric Byres wrote a blog article predicting what he thought would happen in 2012 with regards to SCADA and ICS security. I went back to his blog and highlighted the four main predictions he made. Then I asked him to rate himself on each one.

Editor's Note

Today is the day that Tofino Security is announcing that I have joined their team.  I am very excited about this, particularly because I believe that industrial cyber security is the next major impactful technology to hit the automation industries.

I am also excited to be joining Eric and Joann Byres and their group; people I have high regard for, as I believe Tofino Security technology is poised to lead the way in protecting the critical infrastructure industries.

After suggesting a sous-vide oven as a gift idea for control engineers, I was looking forward to designing my own homemade system from PLC parts over the holidays.  However, my project never got off the ground as my wife Joann gave me the real thing.  (Perhaps she couldn’t stand the thought of having my home-built electronics in the kitchen…)

Last week I received a humorous note from Dr. Paul Dorey directing me to two side-by-side lead articles in the latest Automation.com eNewsletter, Programmable Automation Controllers (PAC) Update.

Recently I was asked “How could a hacker possibly attack an industrial controller like a PLC or SIS, since there is no operating system in these devices?”

Now some manufacturers would like people to believe there is no operating system in a controller, but unfortunately this is not true. Every RTU, PLC, SIS or DCS controller on the market today has a commercial operating system in it. For example, here are just a few I have worked directly with in the past:

There has been a lot of media coverage and discussion of the Stuxnet malware, and its impact on industrial control system (ICS) and SCADA security. We are one of the groups guilty of creating a Stuxnet publishing industry.

In the post-Stuxnet cyber security world, many vendors are actively thinking about protective measures that could prevent a similar attack on industrial systems.

Such measures could be implemented at the PC-level, the PLC-level, or even the Profibus or device-level. They could include methods such as antivirus-scanners, firewalls, patch management, password policies, USB usage policies, code integrity checkers, etc. However, all of these measures are ones that are implemented at the highest levels of an industrial system.

Over the past two weeks, there has been considerable progress in determining exactly what industrial process Stuxnet’s creators were trying to destroy. This news is not good for the industrial control system and SCADA communities.

First the Symantec team announced that one of Stuxnet’s payloads was designed to change the output frequencies of specific Variable Frequency Drives (VFDs) and thus the speed of the motors connected to them, essentially sabotaging the industrial process.

Week after week, the Stuxnet worm continues to amuse and astound all of us that have studied it. Last week it was Ralph Langner’s detailed analysis that showed Stuxnet wasn’t just infecting Windows boxes and stealing data, it was specifically designed to modify PLC logic so it could destroy a physical process. Next it is the amazing number of Windows zero-day vulnerabilities* it exploits to do its dirty work.

Back in July when Stuxnet first became public, I wrote in our Siemens PCS7 WinCC Malware White Paper and told anyone that would listen that Stuxnet was targeted at stealing intellectual property from process systems. The code we analyzed showed Stuxnet performing SQL database accesses and process information uploading to servers in Denmark and Malaysia, so this seemed like a sure answer.

Last week I wrote about a malicious attack on an industrial control system (ICS) initiated by outsiders. This week I'll discuss a PLC accident caused by an insider, and suggest some possible solutions for both of these incidents.

We had a request recently from a reader to provide an example of a malicious attack by outsiders on a control system, how it was done, and what impact it had on the plant and the owner. This is surprisingly tough to do, because according to RISI the vast majority of security incidents are internal and/or accidental in nature. Additionally, people whose control systems have been hacked do not like to talk about it - why give attackers more info and ideas than they already have?