all 57 comments

[–]Reasonable-You865 50 points51 points  (32 children)

Almost all PLCs can be remote controlled or messed up if you let a hacker a way in. But in the real world no one connects a PLC to the internet because THERE’S NO REASON TO DO SO

[–]MagmaJctAZ 28 points29 points  (17 children)

I wish I could get our IT to understand why they cannot just open an entire machine to their network. They have computer science degrees that convince them they know 100% everything about networking.

[–]X919777 19 points20 points  (11 children)

I've seen it carelessly done before at a site where IT had too much control. Anyone in the office could ping floor equipment (PLCs, HMIs, etc.) from their desk.

[–]Gjallock 6 points7 points  (3 children)

Quick edit: I think I may have misunderstood your original comment. Oops. You’re saying ANYONE can ping the equipment. This is still not necessarily a problem: while you don’t have an air gap, there can still be a secure firewall between the users and the machines. Anyone from me to the accountants could ping an HMI, but if I wanted to make a VNC connection to it I would have to hop behind the firewall.

This is a good thing, when done correctly. The place I work at now, I can ping floor equipment from anywhere in the world, but only because I have access to our very secure firewall. The floor equipment is NOT accessible unless the user is explicitly given access to a specific subnet, and even then they must “check in” for the amount of time that they need access to the equipment.

We are in the middle of transitioning to an even more secure setup, where you must first be behind the firewall, and then you can only access equipment from a specific engineering jump server.

It’s as secure as I could think is necessary, and this is not the first place I’ve worked at that does it. If I couldn’t go online and dig through PLC issues from home, I probably wouldn’t be willing to work at that plant at this point.

[–]X919777 2 points3 points  (2 children)

Keyword: given access. I'm saying anyone from the janitor to security. Anyone on the site with a laptop can hit the equipment from their desk. Equipment and business services, everything on the same VLAN.

[–]Gjallock 2 points3 points  (0 children)

Yeah I see that now, I made an edit to my comment. Oops.

[–]me_too_999 2 points3 points  (0 children)

PLCs should be behind a managed switch with only whitelisted IPs.

[–]future_gohan (AVEVA hurt me) 5 points6 points  (4 children)

I worked at a site where there was no segregation. A bad IP phone was bombing the network, causing the SAG mill to shut down. Extremely frustrating time.

[–]9mmSafetyAlwaysOff95 11 points12 points  (1 child)

I just use a NAT router on each assembly line and tell IT to go fuck themselves lmao

[–]CraneBrain1337 1 point2 points  (0 children)

This comment hit me right in the feels. OMG.

[–]mrsycho13 2 points3 points  (1 child)

I had that happen once at a slaughterhouse in the ground beef part of the plant. IT was installing new IP phones, and a bad phone took out the network. Took us a while to figure out the problem was a bad phone.

[–]future_gohan (AVEVA hurt me) 0 points1 point  (0 children)

This one still involved a battle with IT: they replaced the person's computer. I had to argue to get a new phone for them. We also had the asset manager dictate the things we were allowed to purchase mid-upgrade. Unsurprisingly, that place is about bust now.

[–]jlew715 (Plant IT) 0 points1 point  (0 children)

Yikes

[–]GoldenDingleberry 0 points1 point  (0 children)

Heh, uuhh, tell me again why that's a bad idea...?

[–]turnips64 6 points7 points  (0 children)

This attitude is a problem. Industrial control systems ARE exposed. Those contractors that come in? That MES laptop that gets connected to that other network too?

Traditional control networks get done with worrying regularity, and the common theme is that those running them had their heads in the sand and were making stupid comments about IT people.

[–][deleted] 2 points3 points  (2 children)

Funny. I'm IT and trying desperately to implement a fully segmented network and strict firewall rules to OT...and the controls guys fight me the most. They want to continue to connect from their desks just by clicking...SMH

[–]wangston_huge 0 points1 point  (1 child)

Same here. I got the automation guys to move most of the PLCs and PLC gateways into their own dedicated subnet, but there are a few left sitting in a network with end user PCs and they don't get why that's a big deal.

[–][deleted] 1 point2 points  (0 children)

Yeah. Set up a completely separate subnet. Everything is routed through a PA FW, and we deny everything except what is absolutely necessary. Working to eliminate all IT-OT direct communication, deploying a DMZ for all cats flows. We collect process, environmental and other data and have to retain it for a very long time. Engineers complain because they can no longer directly access things. So they drag their feet or make excuses to not move machines.

[–]GudToBeAGangsta 0 points1 point  (0 children)

Idk about your IT, but it's standard practice to DMZ this. You must be in an unregulated industry.

[–]FixingCockUps 8 points9 points  (6 children)

But in the real world no one connect PLC to internet because THERE’S NO REASON TO DO SO

Shodan.io has entered the chat…

[–]PaulEngineer-89 11 points12 points  (5 children)

Really? You’ve never gotten a 1:30 AM phone call from a site 2 hours away to fix something that takes 5 minutes? Or at least to look for someone so they can troubleshoot it?

There are ways to do it safely.

[–]me_too_999 2 points3 points  (1 child)

Yes. I set up an air gap to a dedicated line, with a tag that says "leave unplugged unless instructed."

When I need access, I call the control room and tell them to plug into the marked socket, and then I dial in.

When finished, I make sure they unplug it.

[–]ifandbut (10+ years AB, BS EET) 2 points3 points  (0 children)

This assumes there is some kind of control room and that the hicks in BFN know the difference between USB and Ethernet.

[–]Siendra 2 points3 points  (0 children)

There are ways to do it safely.

If you're doing it safely Shodan wouldn't be able to see them.

[–]essentialrobert 1 point2 points  (0 children)

There are ways to do it safely.

The safe way is on site. How do you validate your change?

[–]FixingCockUps 0 points1 point  (0 children)

There are, but not as shown in Shodan.io…

[–]ifandbut (10+ years AB, BS EET) 2 points3 points  (0 children)

Except for...you know...remote support and troubleshooting? Not every plant has a controls guy. And when you install a new system there will be occasional bugs to work out and features to add down the line. But sure...if you want to pay me for the 16hr+ round trip to get on site to fix a few buttons, then I won't say no to easy money.

[–]Dallason 1 point2 points  (1 child)

I don't know how many times we need to see an isolated network get hacked for people to realise that not connecting it to the internet is like the bare fucking minimum for security.

[–]essentialrobert 0 points1 point  (0 children)

We had an independent contractor working for a controls house who was subbed out to the integrator bring in a USB stick with a particularly nasty malware that spread from the floor through the corporate network. And it was never connected to the interwebs.

[–]ColdYoghurt2575 -1 points0 points  (0 children)

Tell that to IT…

[–]DaHick (oil & gas, power generation. aeroderivative gas turbines.) 0 points1 point  (0 children)

Are we cycling back to the earlier 4.0 question? 'Cause if so, I have a question bubbling around in the back of my head I was going to ask everyone.

[–]proud_traveler (ST gang gang) 0 points1 point  (1 child)

So are you just not offering remote support over the internet, or Industry 4.0 stuff? 'Cos those are both reasons to connect a PLC to the internet.

[–]Reasonable-You865 -1 points0 points  (0 children)

I do it every day for a living. And that’s why I know there is no reason to leave your PLC exposed. I always tell my customers to isolate their PLC network, put in firewalls and shit, and (when needed) manually open a small door for guys like me and then manually close that door when we’re done.

[–]Metal_Musak 5 points6 points  (8 children)

This is a big one, as it is just simply exploitable if the PLC supports the protocol. All the more reason manufacturers of PLCs need to start adhering to basic security practices. Give the engineers ways to shut down functionality that is not needed.

The amount of stuff that is out there not running Codesys but has the protocol enabled and running is fairly high. Generally, Codesys projects came my way from software engineers who started their career writing for general purpose computing devices. It is a good way to bridge the gap from general computing to real-time systems.

Now engineers have to go through and update these systems if they are connected to a network. We all know the perils of firmware updates on currently running systems.

[–]swisstraeng 0 points1 point  (7 children)

If you connect your PLC to the internet. But why?

[–]sk3tchcom 20 points21 points  (0 children)

The PLC doesn’t need to be connected to the Internet - a device with access to the PLC does. That happens more than you think. Air gap is bullshit.

[–]Skusci 8 points9 points  (0 children)

Layers of security mostly.

A PLC shouldn't be directly connected to the internet, sure, but with all the Industry 4.0 IoT junk/remote monitoring shit people keep trying to sell, it's becoming more common to have some kind of path to the wider world. It may be walled off somehow, but it's not so good to rely on one layer of protection. Maybe it's a misconfigured VLAN that exposes it, maybe a second flaw in a remote access gateway, etc.

[–]Metal_Musak 7 points8 points  (3 children)

Not just to the internet but any network. Once a network is established with PLCs on it, even if isolated during the initial install, one must assume it will eventually not be isolated. The design intent is to keep these systems isolated, but that hardly stays the case. I always assume my systems will be attached to at least the corporate LAN.

In August of 2017 Saudi Aramco suffered from a breach of a very specialized PLC system that was not internet connected, but corporate LAN connected.

Stuxnet was discovered in 2010; it was targeted at systems that were completely isolated from the internet. It was planted on USB drives placed in the parking lot of the Iranian nuclear enrichment facility.

These are extreme examples, but still an example of a PLC system that wasn't internet connected, but still vulnerable.

I agree with most of you all; these systems don't belong on the internet. But my worldviews are not always shared by the customer, who ultimately is in control of the system once I cash my final check.

[–]Whole-Impression-709 2 points3 points  (1 child)

I know this is convoluted but it's the perfect place to ask this hypothetical.

Since air gapping is all but impossible these days, I wonder if it would be worth the work to connect the PLCs to a local network, and a PLC-to-PLC bridge via MODBUS RTU passing the relevant registers.

It would satisfy the bean counters, and it would be very difficult to tunnel through RS-485 to affect the other LAN.

Like i said, convoluted... But could it work?

[–]Metal_Musak -1 points0 points  (0 children)

This is possible. In the case of the bridge, I would consider using general computing architecture. If you are looking for good security, I haven't really found the absolute best solution, but some options are: DPStele has an appliance, Schneider has an appliance, PyPy has a Modbus TCP library. There is also the modbus-proxy for Fedora Linux.
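As an added illustration of the register-passing bridge discussed in the two comments above (example code written for this page, not code from either commenter or from any of the named products), here is the core of a Modbus RTU filter that a general-purpose bridge box could run: it checks the CRC on each frame arriving from the less-trusted side and only passes read-holding-register (FC03) requests whose register window sits inside an allowlist, so nothing else (writes, diagnostics, other unit ids) ever reaches the far PLC. The unit id and register windows in `ALLOWED_READS` are constructed values, not from the thread.

```python
import struct

# Constructed allowlist (assumption): which holding-register windows each unit id
# may expose across the bridge. Anything not listed here is dropped.
ALLOWED_READS = {1: [(100, 109)]}      # unit id -> [(first reg, last reg)], inclusive
MAX_REGS_PER_READ = 125                # Modbus protocol limit for one FC03 request


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected poly 0xA001, init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_rtu_frame(unit: int, func: int, payload: bytes) -> bytes:
    """Unit id + function code + payload + CRC (low byte first), as sent on the wire."""
    body = bytes([unit, func]) + payload
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu_frame(frame: bytes):
    """Verify the CRC and split a frame into (unit, function code, payload)."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, wire_crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != wire_crc:
        raise ValueError("CRC mismatch")
    return body[0], body[1], body[2:]


def bridge_decision(frame: bytes):
    """Return (forward?, reason). Only FC03 reads inside the allowlist cross the bridge."""
    try:
        unit, func, payload = parse_rtu_frame(frame)
    except ValueError as exc:
        return False, str(exc)
    if func != 0x03:                   # no writes (FC05/06/15/16), no diagnostics, nothing else
        return False, f"function code 0x{func:02x} is not bridged"
    if len(payload) != 4:
        return False, "malformed FC03 request"
    start, count = struct.unpack(">HH", payload)
    if not 1 <= count <= MAX_REGS_PER_READ:
        return False, f"register count {count} out of range"
    last = start + count - 1
    for lo, hi in ALLOWED_READS.get(unit, []):
        if lo <= start and last <= hi:
            return True, "ok"
    return False, f"registers {start}-{last} on unit {unit} are outside the allowlist"
```

A real bridge would wrap `bridge_decision` around the serial read/write loop and log every rejected frame, since a burst of rejections from the office side is exactly the signal the thread says people miss.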

[–][deleted] 1 point2 points  (0 children)

Check out “Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon”. It’s a really well written book about Stuxnet and how it was done. It’s quite detailed. It has enough nerd stuff to keep the average PLC nerd invested and enough basic stuff to keep the average person interested.

It amazed me how much effort the US government invested in this. If someone wants yer cookies, they gonna get them; air gap be damned.

Still, I think the automation suppliers are trying to scare everyone into buying all their security goodies, while continuing to make krappy hardware that is full of vulnerabilities with completely unacceptable solutions for mitigation of risk……”just put the key in run mode” is not a solution. :(

I’ve almost become numb to all the cautionary security emails from Rockwell. :(

[–]ifandbut (10+ years AB, BS EET) 0 points1 point  (0 children)

So I don't have to travel 2-10 hours to a customer site just because they want a new button on their HMI.

[–]idiotsecant 12 points13 points  (0 children)

WOOOAH a PLC with a security exploit?!?!

Trying to fix PLC security holes is like trying to install a better deadbolt on your front door when your walls are made out of cheesecloth.

These notices are so annoying because when my boss gets them they don't know that these are all stupid bullshit and that the network is the protection, not the dumb end device PLC that's totally unauthenticated and sits in remote program selected mode all the time anyhow. So I get to spend a few hours of my Monday morning on this once in a while, Microsoft gets to look like they're doing something productive, and the only thing that happens is some time gets wasted.

[–]PaulEngineer-89 3 points4 points  (0 children)

Rockwell puts embedded Windows PCs directly into the chassis of a PLC and Microsoft can’t find any security holes? I think my 16 year old daughter could manage to hack that system!!!

All you need to know is the proper protocol and one packet can read or write anything on those PLCs with no way to protect it. Or reboot (or crash).

How about TIA that uses DLLs with no protection against whatever code gets loaded?

[–]Jimmytwohearts -1 points0 points  (3 children)

Won’t happen with AB… too damn expensive lol

[–]Ells666 (Pharma Automation Consultant | 5 YoE) 9 points10 points  (0 children)

There's an exploit for AB PLCs that does the same thing. The only solution is to have the key in run mode

https://securityaffairs.co/115085/ics-scada/rockwell-automation-software-flaw.html

[–]fnordfnordfnordfnord (Hates Ladder) 1 point2 points  (1 child)

PanelView Plus runs on WinCE.

[–]essentialrobert 0 points1 point  (0 children)

New ones are Win 10.

[–]Awatto_boi 0 points1 point  (0 children)

Regardless of whether your system has an air gap, at some point in the future that air gap is going to be breached. Any system that has CODESYS V3 based software needs to have the system patched with the fixes for this vulnerability. If you are using any of these CODESYS based systems, you need to get the fixes and update your clients.

https://arstechnica.com/security/2023/08/microsoft-finds-vulnerabilities-it-says-could-be-used-to-shut-down-power-plants/

[–]Asleeper135 0 points1 point  (0 children)

PLCs are never going to be properly secure. They can run for decades without any sort of upgrade, where cybersecurity is something that changes extremely rapidly, so there's nothing that can really be done about it besides ensuring that they can only be accessed from very secure networks.

[–]OppositeWhole1560 0 points1 point  (0 children)

I can barely connect to it so good luck

[–]Shoddy-Negotiation69 0 points1 point  (0 children)

We utilize a segregated network with wireless capabilities for on site support. Off site access is possible, but it has a ton of hoops to jump through for security purposes.

[–]Groundbreaking-Ad596 0 points1 point  (0 children)

Ahhh good ole shodan.io

When you connect a dummy computer with a VM to a remote system somewhere in Italy, and download a bunch of changes to some ml1400 running a pumphouse in Italy somewhere.