In the Hacker Age, How Secure Is Your PLC?

By Bill Dehner, Technical Marketing at AutomationDirect.com

Let’s face it, hackers have racked up some pretty impressive scores lately. From the most recent WannaCry attack, to exposing Ashley Madison, to reportedly “stealing an election”, hackers have been busy exploiting vulnerabilities and gaining massive notoriety. A recent study by the Identity Theft Resource Center concluded that in 2016 U.S. companies and government agencies were breached 1,093 times. That’s a new record and a 40% increase from the 780 breaches in 2015.

But it’s not just the number of attacks, it’s the resulting damage that’s so striking. In the 2014 Home Depot data breach, hackers compromised store self-check-out terminals and stole email and credit card information from more than 50 million customers. Fifty million! It is estimated that this one attack will cost Home Depot at least $179 million in restitution, with some estimates much higher when legal fees and undisclosed payouts are accounted for.

The Home Depot breach was one of many wake-up calls for the corporate world, but unfortunately some of the biggest government agencies were also asleep. The 2015 IRS data breach, where hackers infiltrated the Internal Revenue Service’s “Get Transcript” system and gained access to over 700,000 accounts which contained sensitive financial information and Social Security numbers, is believed to have cost taxpayers $50 million in bogus claims (Figure 1).

Figure 1: A recent study shows U.S. companies and government agencies were breached more than 1000 times in 2016, with claims and restitution easily exceeding $200 million.

There’s no way around it, hacking has become a very profitable business. That’s why hackers are so persistent and why they are constantly improving their methods. Methods range from simple phishing emails, which trick victims into providing personal information through a fraudulent email (phishing scams accounted for about 56 percent of all breaches last year according to the Identity Theft Resource Center), to Denial of Service (DoS) attacks, which attempt to overload a website with traffic causing a crash, to cookie theft.


Makes Me WannaCry

And while you are probably familiar with phishing since we all seem to have distant relatives in Nigeria who left us an inheritance, or like me, your PayPal account supposedly has a problem and is about to be frozen, hackers are constantly looking for new avenues and techniques. Some of these techniques can even originate from unexpected places, as was seen with the recent WannaCry ransomware attack.

This attack was made possible by a data breach at the National Security Agency (NSA). The NSA had recently discovered a vulnerability in the Windows operating system that would provide an undetected window into computer systems worldwide. Instead of reporting the vulnerability, they filed it away as a means for future intelligence gathering.

Unfortunately, a group of hackers, known as Shadow Brokers, stole a host of NSA documents and released them on the internet. These documents contained details about the Windows vulnerability which led to the creation of WannaCry, believed to have originated from North Korea. So far, WannaCry has compromised more than 200,000 computers in 150 countries around the globe, locking people and corporations out of their data and demanding a ransom to regain access.


What about PLCs?

Hackers, especially state-sponsored ones, are extremely active and are becoming more brazen, well-funded, and capable of pulling off ever more sophisticated attacks. State-sponsored hackers aren’t solely focused on the profits that organized crime hackers seek, with possible targets including a rival country’s infrastructure or economy. A country’s power grid, water treatment facilities, military systems or nuclear sites are some of the possible targets for these rogue states. Regrettably, one technique that can be used to facilitate these attacks has already been highly publicized and yes, it involved PLCs.

The Stuxnet virus, believed to be a joint venture between Washington D.C. and Tel Aviv, was used to attack Siemens PLCs at the Iranian nuclear plant in Natanz. The virus was believed to have entered the nuclear facility on a thumb drive. Once inside, Stuxnet compromised the facility’s PLCs, collecting information and causing fast-spinning centrifuges to rotate out of control and destroy themselves. Reportedly, Stuxnet ruined almost 20% of Iran's nuclear centrifuges. Although the Stuxnet attack was used ostensibly to deal a critical blow to the nuclear capabilities of a worrisome government, the attack consequently provided new avenues for those who wish to replicate such destruction.

A study conducted on the Stuxnet virus by the SAP research group in Germany concluded that Stuxnet successfully proved that a very targeted and highly sophisticated cyberwarfare attack was possible. The study also found Stuxnet’s design and architecture were not domain-specific, and with some modifications could be tailored as a platform for attacking other automated systems, for example in automobile or power plants.


PLCs with Added Security

For many years, the industrial sector was isolated from the outside world, forgoing open communication for in-house proprietary networks. This type of communication provided a level of inherent security from prying eyes and those wishing to do harm. But with the recent acceptance and explosion of Ethernet in the industrial world, and with the current drive to connect as many “things” as possible through Ethernet and the Industrial Internet of Things (IIoT), industry is more vulnerable than ever.

It’s imperative in today’s connected world that industrial plants and facilities guard their automation systems from possible cyber attacks. Using firewalls, backing up and encrypting data, keeping firmware/software updated, and using antivirus software where possible are all ways to protect from attacks. But what about the PLC itself? Some newer PLCs, like the AutomationDirect Do-more BRX, have multiple security measures built in to help guard against unwanted intrusion (Figure 2).  

Figure 2: To protect data and controlled machines and processes, this AutomationDirect Do-more BRX PLC has several cybersecurity measures built in.

Guest Memory: The PLC reserves a group of internal memory blocks specifically for external communication. These blocks are isolated to prevent external devices (operator panels, HMIs, etc.) from being able to directly control the PLC's I/O and memory. This method of communication secures the native memory from unwanted access through communication channels.

In practice, when operating as a Modbus server using either Modbus/TCP or Modbus/RTU, the PLC routes all Modbus read and write requests from external devices to the four isolated memory blocks reserved for external communication (Figure 3). The information stored in this guest memory is available to any ladder logic instruction and can be accessed in place by these instructions. When operating as a Modbus client, the Modbus Network Read (MRX) and Modbus Network Write (MWX) instructions can access all the native memory, as well as the guest memory for any outgoing message data (Figure 4).  

Figure 3: This diagram depicts external read/write using guest memory for Server applications in a PLC.
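The guest-memory idea described above, as an added illustration that is not AutomationDirect's code and does not reproduce the Do-more BRX implementation: a Modbus server handler that can only ever read or write the reserved guest block, so a Modbus/TCP client has no address that reaches native I/O or memory; the guest size and register layout are assumed.

```python
import struct

GUEST_SIZE = 256            # assumed: registers reserved for external communication
ILLEGAL_FUNCTION = 0x01     # Modbus exception codes
ILLEGAL_DATA_ADDRESS = 0x02
ILLEGAL_DATA_VALUE = 0x03


class PlcMemory:
    """Constructed model of a PLC with isolated guest memory."""

    def __init__(self):
        self.native = [0] * 1024      # I/O and internal memory: ladder logic only
        self.guest = [0] * GUEST_SIZE  # the only registers a Modbus client can touch

    def handle_modbus_pdu(self, pdu: bytes) -> bytes:
        """Handle one Modbus PDU (function code + data). Every address is interpreted
        relative to the guest block; anything outside it gets an exception response."""
        fc = pdu[0]
        if fc == 0x03:  # Read Holding Registers
            if len(pdu) != 5:
                return bytes([fc | 0x80, ILLEGAL_DATA_VALUE])
            addr, count = struct.unpack(">HH", pdu[1:5])
            if count < 1 or count > 125:
                return bytes([fc | 0x80, ILLEGAL_DATA_VALUE])
            if addr + count > GUEST_SIZE:
                return bytes([fc | 0x80, ILLEGAL_DATA_ADDRESS])
            regs = self.guest[addr:addr + count]
            return bytes([fc, 2 * count]) + struct.pack(">%dH" % count, *regs)
        if fc == 0x10:  # Write Multiple Registers
            if len(pdu) < 6:
                return bytes([fc | 0x80, ILLEGAL_DATA_VALUE])
            addr, count, nbytes = struct.unpack(">HHB", pdu[1:6])
            if count < 1 or count > 123 or nbytes != 2 * count or len(pdu) != 6 + nbytes:
                return bytes([fc | 0x80, ILLEGAL_DATA_VALUE])
            if addr + count > GUEST_SIZE:
                return bytes([fc | 0x80, ILLEGAL_DATA_ADDRESS])
            self.guest[addr:addr + count] = struct.unpack(">%dH" % count, pdu[6:])
            return pdu[:5]  # echo function code, start address and quantity
        return bytes([fc | 0x80, ILLEGAL_FUNCTION])

    def ladder_scan(self, max_setpoint: int = 5000) -> int:
        """Constructed ladder-side step: the program decides what to do with guest
        data (here a clamped setpoint into native memory); external writes never do."""
        self.native[0] = min(self.guest[0], max_setpoint)
        return self.native[0]
```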

Session-based Communication: Many PLCs, like the Do-more BRX, will be installed on networks with varying degrees of isolation. This can cause security concerns for programmers and OEMs who need communication with the PLC restricted to authorized personnel only. To this end, some PLCs’ programming software uses communication sessions whenever the software is online with the PLC.

When communication sessions are established, they are done so with a unique ID, and all communication packets must contain that ID. Any packets received without that ID are discarded by the PLC. This prevents unauthorized access to the PLC, and also prevents other computers on the network from accidentally accessing the wrong PLC. A timeout system is also used and will terminate a session after a period of time with no communication between the programming software and the PLC. The session must be re-established before communication can continue.
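The session rules just described (packets without the live session ID are discarded, idle sessions time out and must be re-established), as an added example that is not the Do-more protocol or AutomationDirect's code; the 8-byte unpredictable ID, the 30-second timeout and the packet layout are assumptions.

```python
import secrets
import time
from typing import Callable, Optional

SESSION_TIMEOUT_S = 30.0   # assumed idle timeout
ID_LEN = 8                 # assumed: session ID prefixes every packet


class SessionGate:
    """Constructed model of a PLC's session check for programming-software packets."""

    def __init__(self, now: Callable[[], float] = time.monotonic):
        self.now = now                 # injectable clock so the timeout is testable
        self.session_id: Optional[bytes] = None
        self.last_seen = 0.0

    def open_session(self) -> bytes:
        """Establish a session: issue a fresh, unpredictable ID (assumption) and start the idle timer."""
        self.session_id = secrets.token_bytes(ID_LEN)
        self.last_seen = self.now()
        return self.session_id

    def accept(self, packet: bytes) -> Optional[bytes]:
        """Return the packet payload if it belongs to the live session, else None (packet discarded)."""
        if self.session_id is None:
            return None                # no session open: nothing is accepted
        if self.now() - self.last_seen > SESSION_TIMEOUT_S:
            self.session_id = None     # idle timeout: session must be re-established
            return None
        if len(packet) < ID_LEN or not secrets.compare_digest(packet[:ID_LEN], self.session_id):
            return None                # missing or wrong ID: silently discard
        self.last_seen = self.now()    # valid traffic keeps the session alive
        return packet[ID_LEN:]
```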

Figure 4: This diagram depicts external read/write using ladder instructions for Client applications in a PLC.

Passwords/User Accounts: System security includes more than simply allowing or denying the ability to connect to a PLC based on a user ID and password. System security also permits the creation of accounts to allow or deny access to the different resources in the PLC. By creating multiple accounts, each with different levels of access, users can efficiently limit who has access to the PLC, and what each of those users can and cannot do. With user accounts, users can also track the operations performed by each account. The Event Log messages will record the active user account for each logged event, showing exactly who had access and when.

Advances in industrial communication have provided numerous improvements including faster responses and wider access. However, these advances have also opened up the industrial sector to increasingly active hackers and their growing arsenal of cyber threats.

Because of this, it is very important to guard who has physical and online access to your automation systems. There are many ways to keep your facilities and networks safe and some PLCs, including the Do-more BRX, offer built-in security measures to help fend off those with bad intentions.

About the Author

Bill Dehner has spent the majority of his eleven-year engineering career designing and installing industrial control systems for the oil & gas, power, and package handling industries. He holds a bachelor’s degree in Electrical Engineering with an associate’s in Avionics from the USAF, and is currently working for AutomationDirect as a technical marketing engineer.
