PLC Vulnerability

Trying a new, blunt method of communication because numerous blog entries, presentations and papers just aren’t getting through. Please read and reread the following paragraph:

If you have network access to almost any PLC, RTU or other type of field device, then you can take complete control of that field device and the underlying process. This has always been true. There is no “vulnerability” required in the product because there is no authentication required to upload new firmware, ladder logic, send process change/write commands or whatever you want to do.

All an attacker needs to do is a bit of protocol analysis to understand how the Engineering Workstation communicates with the PLC; after that, the attacker can completely control the PLC and the underlying process.

This is very old news, despite all the excitement caused by the Beresford incident. INL dubbed it the Boreas Vulnerability around 2008.

Digital Bond presented a paper at S4 2009 showing how we loaded rogue firmware into a Rockwell Automation ControlLogix and a Koyo ECOM-400. What we loaded was orders of magnitude less sophisticated in how it affected a process as compared to Stuxnet, but it only took a couple of weeks. Here is the paper.

To date, neither these vendors, nor Siemens, nor any other vendor has addressed this underlying problem: the lack of any authentication or security controls to prevent someone with logical access from modifying whatever they want, however they want. If you want to buy a brand new, full featured PLC/PAC/RTU, you can’t get even simple source and data authentication. We have been waiting to herald the first vendor that offers this.

Oddly enough there is some protocol security in the industrial wireless protocols such as WirelessHART and ISA 100, and WirelessHART devices have been deployed in significant numbers. But the wired systems that form the majority of SCADA and DCS field devices are unchanged.

There is a caveat on this: properly designed Safety Systems will prevent a control system from doing certain things that could cause catastrophic events. But vendors are now promoting, and users are buying, safety systems integrated with control systems, so the safety systems can often be compromised with the same logical/network access.

Some field devices have a physical key that can prevent any changes to the program in the field device, but it is often impractical to keep it locked — especially in a SCADA system covering a large geographic area.
