The connectivity brought by the industrial internet of things can lead to bad outcomes if security measures aren’t up to snuff. Here are a few key considerations for keeping machines safe from those with evil intentions.
Joseph Zulick, MRO Electric and Supply
Programmable logic controllers, also known as PLCs, initially were conceived in the late 1960s. PLCs were designed to replace relay-based machine control systems in the major U.S. vehicle manufacturing space. The relay-based control systems were considered hard to use and were disliked amongst those in the automation and manufacturing industries.
In 1968, Dick Morley of Bedford Associates in Mass. designed the Modular Digital Controller, later dubbed the Modicon. After the Modicon 084’s initiation into the world, there was no looking back to those relay-based control systems.
PLCs are user-friendly microprocessor-based specialty computers that carry out control functions, many of which involve high levels of complexity. They are engineered to endure harsh and strenuous situations such as in heated, cooled and even moist environments. Used for automation usually in the industrial electromechanical space, PLCs are computers that deal with the controlling of machinery. They often handle tasks on factory assembly lines, in power stations, in distribution systems, in power generation systems, on gas turbines, and so forth.
PLCs are programmed using a computer language. Written on a computer, the program is then downloaded to the PLC via a cable (or sometimes over a wireless link). These programs are stored in the PLC's memory. In the transition from relay controls to PLCs, the hard-wired logic was exchanged for a program fed in by the user. The manufacturing and process control industries have been able to take advantage of applications-oriented PLC software since the Modicon PLC's inception.
PLC functions and security
PLCs use programmable memory to store functions and directions. Some functions and directions would include on and off control, timing and sequencing, counting and arithmetic, and data manipulation.
There are numerous types of PLCs. They can be organized into three principal categories:
Advanced PLC: Advanced PLCs offer the greatest processing power out of all the PLC types. They feature a larger memory capacity, higher input/output (I/O) expandability, and greater networking options.
Compact Controller: Compact Logic Controllers are intermediate-level offerings with an expanded instruction set and more input/output (I/O) than a run-of-the-mill logic controller.
Logic Controller: A logic controller is often referred to as a smart relay. They are generally straightforward to use and considered a good place to begin when becoming acquainted with PLCs. They are economical for low input/output (I/O), slower applications.
Just as there are different types of PLCs, there are also different types of PLC security. PLC cybersecurity relates to how the control network links to the internet, as well as to other networks. The key cybersecurity concern for all PLCs arises because of their network connections. Perhaps for obvious reasons, PLCs on closed networks, those with no connection to the internet, tend to be more secure than those on networks with internet connections. Specifically, difficulties can arise when the PLC network is plugged into a company web server that reaches the internet. If the web server security isn't first-rate, hackers can get access to the industrial network containing the PLCs. That's a problem because the security measures built into well-known industrial network protocols range from slim to nonexistent. The reason is that most such protocols were devised when defense against attacks from outsiders was not an issue.
To cite a specific example, consider BACnet, for Building Automation and Control network. It is an ASHRAE, ANSI, ISO 16484-5 standard. Approximately 842 HVAC vendors now use it. BACnet doesn't usually provide facilities for authenticating the devices that use it to communicate. If the command that's issued over the network is valid, a BACnet device will obey it, even if it comes from an outsider with nefarious intentions. Most proprietary industrial networks behave in basically the same way.
In 2016 the BACnet committee in charge of the protocol’s definition released an addendum adding IT security concepts. Governing bodies for other network protocols have taken similar measures. But there is a delay between the issuance and adoption of security updates. So it is likely that network security will remain an issue for decades to come.
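The BACnet point above, that a device obeys any well-formed command whoever sends it, applies equally to Modbus, the protocol the Shodan scan later in this article looks for. As an added example, not from the article or any vendor, here is a small audit over constructed connection-log lines that flags Modbus write commands from any host not on an assumed allowlist of engineering workstations, a check the protocol itself does not perform:

```python
import re

# Modbus function codes that change controller state (standard protocol values):
# 5 write single coil, 6 write single register, 15/16 write multiple coils/registers,
# 23 read/write multiple registers. Reads (e.g. 3, 4) are left alone.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 23}

# Assumed allowlist: the engineering workstations permitted to write to PLCs.
AUTHORIZED_WRITERS = {"10.0.5.20"}

# Constructed log format, one connection event per line (hypothetical, not a real product's).
LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=(\w+) fc=(\d+)$")


def parse_event(line: str):
    """Return a dict for a well-formed line, or None so bad lines are skipped, not trusted."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, fc = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "fc": int(fc)}


def is_unauthorized_write(event: dict) -> bool:
    """A write-class Modbus request from outside the allowlist; internal hosts count too."""
    return (event["proto"] == "modbus"
            and event["fc"] in WRITE_FUNCTION_CODES
            and event["src"] not in AUTHORIZED_WRITERS)


def audit(lines) -> list:
    """Return the events that should raise an alert, in log order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event and is_unauthorized_write(event):
            alerts.append(event)
    return alerts


# Constructed sample log: a line PLC at 10.0.9.7 and an HVAC controller at 10.0.9.8.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z src=10.0.5.20 dst=10.0.9.7 proto=modbus fc=16
2024-05-01T10:02:15Z src=10.0.5.44 dst=10.0.9.7 proto=modbus fc=3
2024-05-01T10:03:40Z src=203.0.113.9 dst=10.0.9.7 proto=modbus fc=6
2024-05-01T10:04:02Z src=10.0.5.44 dst=10.0.9.8 proto=modbus fc=5
garbage line the parser must not choke on
"""

for a in audit(SAMPLE_LOG.splitlines()):
    print(f"ALERT {a['ts']} Modbus write fc={a['fc']} from {a['src']} to {a['dst']}")
```

The second alert comes from an internal address, which is the point: the allowlist catches the offended-employee case as well as the outsider.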

It's possible to examine improperly configured industrial networks using just an ordinary laptop with an internet connection through use of Shodan (www.shodan.io). Shodan is a search engine that lets anyone find routers, servers, and other equipment connected to the internet. Though designed for use by web security personnel, Shodan became notorious a few years ago when news sites noticed it could be used to access unprotected traffic lights and video baby monitors. Shodan crawls the internet looking for IP addresses with open ports. So Shodan can find PLCs plugged into a company web server that reaches the internet. (Conversely, Shodan won't see PLCs operating on their own closed networks.) When Shodan notices a port left open without password protection, or with only the default password settings, it takes a snapshot of the connection and moves on.

(As a quick review, ports are pieces of software generally used by transport-layer protocols for identifying specific processes or types of network services. Specific port numbers are often used to identify specific services. Ports became necessary after computers became capable of executing multiple programs simultaneously and connected via packet-switched networks. Back when connections were strictly point-to-point, and computers ran just one program at a time, there was no need for the concept of a port.) A port is always associated with an IP address of a host and the protocol used by the communication.

This screenshot is of a Shodan scan for Modbus networks we ran recently. As the image depicts, Shodan found 18,046 Modbus connections, 3,201 of which are in the U.S. On the screen are details for four of them, two in the U.S., one in Germany, and the fourth in Morocco.
In addition to cybersecurity, PLC physical security should be a priority during breach simulations, training, and exercises. PLC physical security deals with correcting default passwords, ensuring only certified individuals are in the control system’s environment, limiting access to thumb drives, and securing access to the PLCs themselves.
And not all cybersecurity attacks arise from external hackers or scammers. In fact, experts believe that only about 20% of all cybersecurity attacks are intentional and intended to be malicious. Whether or not it seems likely, an offended employee could be your hacker.
Contrary to popular belief, a modem connection could also experience intrusion and a hack.
Wireless networks, laptop computers, and trusted vendor connections could be problem areas sometimes overlooked. Keep in mind that enterprise IT departments may be unaware of factory automation equipment such as CNCs, robot controllers and, finally, PLCs.
A point to note is that some vulnerabilities are difficult to spot without examinations by security experts. A case in point is the Browns Ferry nuclear plant in Alabama. In 2006, the plant had to be manually shut down after the failure of two water recirculation pumps. An investigation found the failure arose because of a spike in network data traffic, resembling that from a malicious denial-of-service attack, that came from a malfunctioning PLC. Further investigation revealed that devices on the network were vulnerable to this sort of problem partly because their manufacturers had never tested their behavior when handling bad data.
The key to uncovering difficulties like those of the Browns Ferry plant lies in running what are called vulnerability and penetration scans. Vulnerability assessments generally employ an off-the-shelf software package, such as Nessus or OpenVAS, to scan a range of IP addresses for known vulnerabilities. The software then produces a report that lists the vulnerabilities found and, depending on the software, will indicate the severity of each vulnerability and basic remediation steps. Notably, these scanners use a list of known vulnerabilities, i.e. those already known to the security community, hackers and the software vendors. They won't find vulnerabilities not yet discovered by the security community.
A penetration test resembles a vulnerability scan but goes deeper. When it finds a vulnerability, it tries to discover the depth of the problem and find out exactly what type of information could be revealed if exploited. The results are usually ranked by severity with remediation steps provided. There are commercial tools for penetration testing, but many security firms write their own.
With vulnerability and penetration scans complete, the usual next step is a risk analysis. The idea is to sit down and examine each specific vulnerability, such as a finding from a penetration test, and ascertain the risk if the vulnerability were to be exploited. For example, in the case of a PLC, a risk analysis might look at where the PLC is on the network infrastructure, the data it stores, and the tasks it handles. A PLC managing an assembly line might have a much different risk posture than one running an air handler. Vulnerability scans don’t consider such distinctions.
Next, the analysis examines threats likely to exploit each vulnerability — such as hackers, angry employees, or malfunctioning hardware — and creates a profile of capabilities, motivations and objectives. Then the analysis sizes up the impact on the company of each vulnerability. The output of the risk analysis is a risk rating with proposed methods for further reducing each risk. Managers can then decide whether to implement the suggested changes.
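The risk analysis described above is easy to put in concrete terms. The following is an added example, not the article's or any vendor's method: it takes one scanner finding, which a Nessus/OpenVAS-style tool would report identically for every PLC, and rates it per PLC from where the PLC sits on the network, what it controls, and whether its default password was ever changed. The numeric scales and the three sample PLCs are assumed; the article gives no scoring scheme.

```python
from dataclasses import dataclass
# Assumed qualitative scales; the article describes no numeric scheme.
EXPOSURE = {"closed_network": 1, "corporate_lan": 2, "internet_reachable": 3}
BANDS = ((32, "Critical"), (16, "High"), (8, "Medium"), (0, "Low"))  # over 1..56

@dataclass
class Finding:
    vulnerability: str
    severity: int            # 1 (low) .. 4 (critical), as a scanner reports it

@dataclass
class PlcContext:
    name: str
    exposure: str            # key of EXPOSURE: how far the PLC network reaches
    process: str             # what the PLC controls
    criticality: int         # 1 (comfort, e.g. HVAC) .. 4 (production or power)
    default_password: bool   # factory credentials never changed

def risk_score(finding: Finding, ctx: PlcContext) -> int:
    """Likelihood (severity x exposure, +2 for a default password) times impact."""
    likelihood = finding.severity * EXPOSURE[ctx.exposure]
    if ctx.default_password:
        likelihood += 2
    return likelihood * ctx.criticality      # impact is what the scanner never sees

def risk_rating(score: int) -> str:
    return next(label for floor, label in BANDS if score >= floor)

def remediation(finding: Finding, ctx: PlcContext) -> list:
    """Proposed risk reductions, drawn from the measures the article names."""
    steps = [f"apply the vendor fix for: {finding.vulnerability}"]
    if ctx.default_password:
        steps.append("replace the default password")
    if ctx.exposure == "internet_reachable":
        steps.append("move the PLC network off the internet-facing web server")
    return steps

def assess(finding: Finding, contexts: list) -> list:
    # Rank one scanner finding across every PLC it applies to, highest risk first.
    rows = []
    for c in contexts:
        score = risk_score(finding, c)
        rows.append({"plc": c.name, "process": c.process, "score": score,
                     "rating": risk_rating(score), "actions": remediation(finding, c)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample: the same finding on three PLCs that a scanner treats alike.
FINDING = Finding("unauthenticated Modbus write access", 3)
PLC_LINE = PlcContext("plc-line-1", "internet_reachable", "assembly line", 4, True)
PLC_GEN = PlcContext("plc-gen-2", "corporate_lan", "gas turbine", 4, False)
PLC_AHU = PlcContext("plc-ahu-3", "closed_network", "air handler", 1, False)
```

Running assess(FINDING, [PLC_AHU, PLC_LINE, PLC_GEN]) rates the assembly-line PLC Critical and the air handler Low for the very same scanner result, which is the distinction the article says a vulnerability scan alone cannot make.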
Finally, when a security breach occurs, time is of the essence. People who have access to the control system environment must be trustworthy. Anyone who works with the control system must be well-qualified and up-to-speed with their team and/or company.