Hard-Coded Password and Other Security Holes Found in Siemens Control Systems
LAS VEGAS — A security researcher has uncovered a slew of vulnerabilities in Siemens industrial control systems, including a hard-coded password, that would let attackers reprogram the systems with malicious commands to sabotage critical infrastructures and even lock out legitimate administrators.
The vulnerabilities exist in several models of Siemens programmable logic controllers, or PLCs — the same devices that were targeted by the Stuxnet superworm and that are used in nuclear facilities and other critical infrastructures, as well as in commercial manufacturing plants that make everything from pharmaceuticals to automobiles.
Stuxnet was discovered on systems in Iran last year and is believed to have been aimed at destroying uranium-enrichment centrifuges at the Natanz nuclear facility in that country. It targeted Siemens Simatic Step7 software, which is used to monitor and program Siemens PLCs. It then intercepted legitimate commands going from the Step7 system to PLCs and replaced them with malicious commands aimed at sabotaging processes controlled by the PLC; in this case the spinning of centrifuges.
The newly discovered vulnerabilities go a step further than Stuxnet, however, in that they allow an attacker to communicate directly with a Siemens PLC without needing to compromise, or even use, the Step7 software.
One of the most serious security holes is a six-letter hardcoded username and password — both “Basisk” — that Siemens engineers had left embedded in some versions of firmware on its S7-300 PLC model. The credentials are effectively a backdoor into the PLC that yields a command shell, allowing an attacker to dump the device’s memory — in order to map the entire control system and devices connected to it — and reprogram the unit at will.
“I was able to log in via telnet and http, which allowed me to dump memory, delete files and execute commands,” says Dillon Beresford, the security researcher with NSS Labs who discovered the password, and at least a dozen more subtle security holes.
Beresford had planned to discuss a few of the vulnerabilities at TakeDownCon in Texas in May, but pulled the talk at the last minute after Siemens and the Department of Homeland Security expressed concern about disclosing the security holes before Siemens could patch them.
Since then, he discovered additional vulnerabilities in several models of Siemens PLCs that would variously allow attackers to bypass authentication protection in the PLCs and reprogram them, or issue a “stop” command to halt them. They all require the attacker to have access to the network on which the PLCs run. That might be accomplished by infecting a legitimate computer on the network, such as with a phishing attack targeted at an employee, or through an infected USB stick — the method Stuxnet used.
“I can even change their password, so if I wanted to lock them out of their own PLC I could do that as well,” he said. To find a PLC on a network, an intruder could introduce malware designed to scan the network for any devices operating on port 102
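The article points out that every one of these attacks first needs a foothold on the PLC network, and that the S7 controllers are found by scanning for TCP port 102. A defender can turn both facts into a detection: any host other than a known Step7 engineering workstation talking to port 102, or a single host sweeping many port-102 endpoints, is worth an alert. The following is an added example, not code from the article or from Siemens; the flow-log format, the addresses and the engineering-workstation allowlist are all constructed for illustration.

```python
"""Flag unexpected S7 PLC traffic (TCP/102) in a constructed connection log."""
from collections import defaultdict

# Constructed sample log, one "timestamp src dst dport" record per line.
FLOW_LOG = """\
2011-08-03T10:00:01 10.0.5.20 10.0.5.101 102
2011-08-03T10:00:02 10.0.5.20 10.0.5.102 102
2011-08-03T10:00:09 10.0.5.77 10.0.5.101 102
2011-08-03T10:00:10 10.0.5.77 10.0.5.102 102
2011-08-03T10:00:10 10.0.5.77 10.0.5.103 102
2011-08-03T10:00:11 10.0.5.77 10.0.5.104 102
2011-08-03T10:00:12 10.0.5.77 10.0.5.105 102
2011-08-03T10:00:30 10.0.5.20 10.0.5.101 102
2011-08-03T10:00:31 10.0.5.44 10.0.5.9 80
"""

S7_PORT = 102                       # ISO-TSAP port the article says the PLCs listen on
ENGINEERING_HOSTS = {"10.0.5.20"}   # hypothetical allowlist: the plant's Step7 workstations
SCAN_THRESHOLD = 4                  # distinct PLC endpoints from one host before we call it a sweep


def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[0], parts[1], parts[2], int(parts[3])


def find_unauthorized_s7(flows):
    """Sorted list of hosts that spoke to TCP/102 but are not engineering stations."""
    return sorted({src for _, src, _, dport in flows
                   if dport == S7_PORT and src not in ENGINEERING_HOSTS})


def find_s7_sweeps(flows, threshold=SCAN_THRESHOLD):
    """Map src -> number of distinct TCP/102 endpoints, for hosts at or above threshold."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == S7_PORT:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    flows = list(parse_flows(FLOW_LOG))
    print("non-engineering hosts on TCP/102:", find_unauthorized_s7(flows))
    print("port-102 sweeps:", find_s7_sweeps(flows))
```

On the sample log the legitimate workstation 10.0.5.20 is silent in both checks, while 10.0.5.77 trips both: it is not on the allowlist and it touched five PLC endpoints in a few seconds.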
Logix Architecture PLC-5 and SLC 500
PLC-5 and SLC 500 processors map I/O memory into the I and O data table files. I/O data is updated synchronously with the program scan, so you know you have current values every time the processor starts a scan. A Logix controller updates I/O asynchronously to the logic scan. On a Logix controller, use the CPS (synchronous copy) instruction to buffer the I/O data so that the values stay fixed while the logic executes, and refresh the buffer as needed. After the conversion is finished you must add instructions that copy the I/O data into the I and O arrays; do this at the start or end of a program so the buffered data is available synchronously with the program scan.

PLC-5 and SLC 500 processors store all data in global data tables, and you access a value by specifying its data address. A Logix controller supports data that is local to a program as well as data that is global to all tasks within the controller, and it can also share data with other controllers; instead of addresses, you use tags to access the data you want. Each PLC-5 and SLC 500 data table file can store several words of related data; a Logix controller uses arrays for this purpose, and the translation tool converts SLC 500 and PLC-5 data table files into Logix arrays.

PLC-5 and SLC 500 timers depend on the 16-bit architecture of those processors and can have different time bases. A Logix controller is based on a 32-bit architecture and supports only a 1 ms time base. The translation tools convert legacy timers as best they fit the Logix architecture, so converted timers may need rework to ensure they run correctly.

The PLC-5 processor supports block-transfer write and read (BTW and BTR), MSG (message), and CIO (ControlNet I/O) instructions. The SLC 500 processor supports MSG instructions, and Logix controllers support MSG instructions. The translation tool converts legacy BTW, BTR, and MSG instructions into Logix MSG instructions; CIO instructions are not converted. Once you import the converted logic, you must configure the MSG instructions so that they operate properly and rework any CIO instructions.