Security for PLC Updating
Devices used in control systems, in addition to the programming specific to the tasks they control, have firmware, which is a type of computer programme that establishes the lowest level logic responsible for controlling electronic circuits. In general, the firmware of the devices does not change during the service life, although there may be exceptions depending on the manufacturer and the updates or versions being published. However, specific programming of the devices does usually change during the service life, whether due to changes in its purpose or changes in the functions to be controlled or the products to be manufactured.
A control device carries out a number of functions according to a programming, which reads different values or variables and takes actions according to said values. In certain static control systems, such as a power plant or a water treatment plant, modifications to the programming are not usually required. However, other contexts, such as a car assembly line or a box factory, require the reprogramming of the control devices to adapt to new final designs frequently.
Although the old control devices required local programming, most of the new devices allow a remote update, and the safe methods for doing so are not always used.
Programming update
Programming of any control system device is usually carried out by means of a specific application of the manufacturer which is generally installed in an engineering station. This application is associated with the device and it cannot be normally used to update all system computers unless they are similar models (some manufacturers use the same tool for all their computers).
- Download of programming of a control device -
The connection between the application and the device is usually carried out by means of protocols such as Telnet or FTP, although the newest versions already use SSH. The credentials and the configuration for the connection are stored in the application in most cases and, furthermore, they are usually unknown to all operators and clients.
Moreover, many applications use different protocols to carry out the programming depending on the actions being executed at each moment, and therefore it is quite common to find traffic in IT protocols (such as HTTP, Telnet, SSH, etc.) mixed with other industrial protocols (ModBus, DNP3, etc.).
Best practice
The update of a control device should always be carried out within a controlled environment or test, where an error in the update does not mean a production shutdown and does not put other devices or the operators controlling it at risk.
In addition to using a controlled environment, the next measure that ensures the proper transfer of the new configuration is to use an isolated network without connection to the production network, such as a laboratory network or even a direct connection between the computer and the configuration application and the computer to be programmed, in such a way that the device cannot be accessed from other company networks or the internet. This way, the potential attacks for capture of information which may arise from not using encryption are limited.
If the operator is unconvinced by having an isolated network in a controlled environment in relation to the security it may provide, then it is time to use security tools, such as firewalls or IPS. At this stage, delays are not taken into account, since there are no limited critical data on time in transit, and therefore all security measures are applicable in this scenario.
If we want the update to be as secure as possible, secure protocols must be used for the transfer of configurations. In many cases protocols to be used cannot be chosen as they are directly defined by the manufacturer during the development process of the product; but sometimes the protocol can be selected, mainly among Telnet and SSH or HTTP and HTTPS.
Once the computer is updated, and subsequently tested in a controlled environment, it must be reinstalled in production. This requires disabling the configuration ports and replacing the passwords with robust passwords, so that the computer cannot be updated again without the knowledge of the operator.
Protection with security tools
Using rules both from firewalls and from IPS to allow the traffic only from a specific computer to the devices ensures that nobody different from the operator interferes with the programming.
In the firewalls rules identifying the origin and destination of the information, as well as the type of traffic to be exchanged will be used. The following type of rules will be used:
iptables -A INPUT -p tcp -i eth0 -s IP_operador –d IP_dispositivo --dports 22,80,443,XXX -m state --state NEW,ESTABLISHED -j ACCEPT |
The IPS filtering rules must be more specific, identifying which specific packages are allowed and deleting the remaining packages.
drop tcp !IP_operador any -> IP_dispositivo any (msg:"mensaje alerta";content:”contenido”; nocase;offset:12;classtype:web-application-activity;reference:url,http://incibe-cert.es;sid:1000001;rev:1;) |
PLC TBOX programming process analysis
Among our test equipment we have a PLC TBOX of which we have taken a traffic capture while configuring it.
- Traffic capture during the PLC programming -
During this process we have observed that this specific computer uses two protocols to execute the transfer of information from the development application to the computer: SSH and ModBus. With the use of SSH protocol, the PLC carries out a key exchange between the PLC and the engineering station using the algorithm of Diffie-Hellman to use a safe channel when transferring the rest of the data.
The programming process consists of different information exchanges using the aforementioned protocols, starting from a Modbus communication, using requests within the range defined by the protocol as free implementation for the developers, and by means of which all the configuration of the devices is exchanged.
- Information exchanged through ModBus protocol -
- Configuration file in XML format exchanged -
This file, if captured, may provide considerable information for the preparation of a specific attack since it provides the version of many libraries in use in the firmware of the PLC.
The programming continues with a SSH communication that, being encrypted, does not allow for the information exchanged to be viewed.
- Information exchanged by SSH -
Later the configuration file is transferred again through ModBus to execute the data exchange again, by means of SSH. The process ends with the sending of the new resulting configuration file by ModBus after the reprogramming.
Sometimes manufacturers use methods which are not laid out in the specifications of the products. For this reason it is important to carry out tests of the devices in controlled environments in order to create the firewalls and IDS/IPS rules in the appropriate way. Certain tasks must never be directly executed in production to prevent potential security breaches.
