PLC Hacking

Last week I introduced our Project Basecamp – Hacking PLC’s. This will be the Digital Bond paper at S4. There have been a number of questions about what we are doing, why we are doing it, what disclosure process we will follow … I’ll start with the why in this entry, and there is a technical answer and an ICS security community answer to that question.

The technical answer is easy; it’s a very cool project. We have the equipment in our lab, so why not share it with some talented researchers, focus them on at least eight different PLC vulnerability classes, and let them collaborate on attack methodologies? We expect to get some good comparison data on vulnerabilities and build up a knowledge base on attacking PLCs. And since the work has started I can tell you, not surprisingly, that some of the PLCs are better from a security perspective than others.

However, in all honesty, the genesis of Project Basecamp is anger and frustration that we have made little progress in PLC and other field device security in the last, lost decade. Frustration that our clients can’t even purchase a reasonably secure PLC or RTU today. Frustration that even after Stuxnet and Beresford the issue fades away.

Many have said that Digital Bond and a couple of others have been too tough on Siemens, and that this is a problem that all PLCs have. Just the opposite is true. The ICS security community, automation press, Siemens customers, … have all been much too easy on Siemens. The Stuxnet and Beresford vulnerabilities in the S7 PLC are still there!

Let me repeat that … the Stuxnet and Beresford vulnerabilities in the S7 PLC are still there!

Nothing has changed. I cannot understand why everyone who covers this industry and every customer who uses Siemens S7 PLCs is not asking Siemens the hard questions we posted earlier every chance they get. Are we really, as a community, going to shrug our shoulders and go another ten years like this?

This really hit me hard at the post-Black Hat press conference, where our industry experts said this was not a Siemens problem, this is a problem with all PLCs/RTUs, it has existed for a long time, we all know about it. How true and how sad that is. Congratulations. We all knew about it, but this is a huge failure by the ICS security community.

In July I went on a day hike with Ralph where he told me if things don’t change he won’t be doing ICS security at the end of this decade. I feel the same. If we can’t make progress on this basic and critical security issue it is not worth wasting time on ICS security.

By no means am I, or Digital Bond as a company, blameless for the lost decade. The prime example is when we demonstrated that any attacker’s firmware could be easily loaded on the Rockwell Automation ControlLogix Ethernet card in January 2009 at S4. We played by the implied rules, kept it in the community, tried to avoid any sensational press, and nothing changed.

To the best of my knowledge, this simple-to-exploit, insecure-by-design feature is still there. Any attacker with logical access can have complete control of an ICS with ControlLogix. Fail. Not only for Rockwell Automation but also for all their customers and Digital Bond.

Long-time readers of this site have probably noticed a more strident tone since Stuxnet. This project is an extension of that tone and an effort to highlight the issue in a more effective way, so that customers demand a solution. We don’t know if it will work, but we do know the way we have approached the problem in the past didn’t work.

Finally, we hope that there is some good news to report about some of the devices tested. Many of the vendors making the SCADA and DCS applications that run on servers and workstations have made great progress on security. There are SCADA and DCS products we recommend from a security perspective. And we hope that in the near future there are one or more PLC/RTU/IED vendors that step up on security: vendors that we can hold out as examples for the rest of the industry and recommend to our clients who care about security.