On PLC Controllers and Obvious Statements

Monday, August 01, 2011

Infosec Island Admin


The following summary from :


by Teague Newman; Tiffany Rad, ELCnetworks, LLC; John Strauchs, Strauchs, LLC

A logical conclusion to this research is that our findings do not only pertain to PLC and SCADA vulnerabilities in correctional facilities, but in any high-security location that uses these technologies as well as in manufacturing plants, transportation and just about anywhere that multiplexing is used. When securing the country’s most dangerous liabilities, we encourage that more attention be paid to access control, network security/segmentation and personnel policies. And as was the case with Stuxnet, proper adherence to secure operating procedures will greatly reduce the chances of infection of PLCs and control computers from the inside and outside of a secure facility.

Wait, you’re telling me that PLC systems (SCADA) are vulnerable and there are systems out there that are rather important that are likely vulnerable because of this?


Sorry, just had to get that out of my system there. Seriously though, there is nothing new at all here with this white paper other than the fact that the prisons actually use these systems to keep the doors shut.

Sure, if someone were savvy enough to get some code together (and it seems that there were some off the shelf exploits by the wording in the document), they could possibly cause all of the doors in a penitentiary to open or close.

Uh, yeah... Just like the same kinds of exploit code written for any other PLC system that is vulnerable (and let's face it, they all are) to make, say, a generator eat itself and burn up (see video here by DHS).

Or maybe say, oh, I dunno, affect the rotational speeds of centrifuges in a nuclear fuel processing center?

Oh yeah, I remember now! That’s been done!

Stuxnet, still making waves in the news cycle was an important wake up call for the general public and not so much for the security world.

Sure, the complexity and chaining of exploits (0day) to keep the Stux in the Natanz systems was APT all the way, but the concept of affecting SCADA systems adversely had been around for quite a long time.

Just ask anyone who has maybe ping swept a factory with computer controlled PLCs.

Things will happen...

So, post Stuxnet, this paper and the presentation to follow at DEFCON this year seem more like a call for attention and perhaps a marketing scheme than anything revelatory befitting a talk at DEFCON. Having read the paper, it leaves me nonplussed as to why this is being presented at all.

What is surprising is that companies and entities, government or otherwise, have not taken steps to ensure that their PLC systems are not vulnerable.

Furthermore, all those who use these systems for important functions like power regulation should in fact be screaming for security testing and upgrades to each and every maker of PLC systems. What we get, though, are usually excuses, if not just silence.


So, this paper and talk point out that prisons use PLCs and that they are vulnerable to attack. It also makes mention that these systems seem to be connected to networks with internet connectivity!


Not much else to see here is there? These things we all know. In fact, the whole point of the Stuxnet attack was to blend it so that it would work in an air gapped as well as network environment!

So, what exactly are you saying here, Strauchs, that is telling us anything we didn't already know? Had the writers actually come up with some plans or legislation or even a call to arms for all PLC makers to secure their products, then I would say they have something to hang their hat on... What you get here is "ho hum":

“Many places use PLCs to control their operations”

“Many of those places connect their systems to networks with internet connections”

“The majority of PLC code is vulnerable to attack!”

Wait… Is that the CAPTAIN OBVIOUS sign in the sky over Las Vegas!?!?

See you there.


Cross-posted from Krypt3ia

Chris Blask: There is a lot of repetition at this point in an adoption curve, and it isn't all bad. Your critiques resonate, however for many at most such talks a reiteration of what folks paying attention already know is often exactly what is needed (DefCon perhaps less so, but still...).

It serves a purpose, though, and not just educational. All the smart-mouths who think they know a large part of the solution (myself included) have to go to wider and wider audiences with that Grand Wisdom. Sometimes during this part of the cycle those 'outside' the inner circle of experts add some context that is critical in itself (from the Mouths of Babes, so to speak).

There is still a lot (lots and lots) of really interesting fun work to be done at the edge of common knowledge in this space, but there is a lot of Rinse and Repeat that needs to be done. This talk, I agree, is more the latter than the former, and bless their hearts for giving it (so you and I don't have to ;~).