
PLC Hacking - More Commonplace Than You Might Think


Pendalar

Hello Pendalar, I have exactly the same incident on a V570. Probably there is a security flaw in the PCOM protocol, vulnerable if the PLC is contacted via the internet. I am planning to change all PLC names, change the service port numbers and hide the PLCs behind a VPN. I will have a meeting with a security expert this evening, so I hope I will get more information.

Please keep us informed about how the situation develops, if possible. Also, in case of need, feel free to contact me directly.


I'm afraid I can't supply much on the how-this-happened end due to the lack of logs per our IT's router settings and such. I can verify, however, that we had the same PLC names for ~6 years on that particular PLC, fairly standard service ports reachable via the internet, and our PLCs were not behind a VPN. Probably was asking to be hacked I guess with that setup 😅

On the repair end, I updated the PLC name in the programming suite to GAZA after reviewing Info Mode, flashed a current BIOS / full wipe, and then downloaded/burned. Was a quick repair once I understood what was going on.

Preventing a recurrence, however, will be new ground for me / semi hand-tied on the upstream security due to IT policies.



@Cara Bereck Levy, I don't see anything in the Help file that indicates exactly what special characters are allowed or disallowed for the PLC Name. Since this is essentially the password for remote communications, could we get this spelled out so that we can take the appropriate action to secure PLCs in the field?

Thanks.


@Flex727 I haven't thoroughly read all the various news articles to see if there are any details about how exactly the attack works, but I'm wondering if the exploit necessarily needs brute-forcing the PLC name. If it doesn't, I wouldn't imagine setting it to an extremely long name with only special characters would necessarily help secure it in this case.

Obviously couldn't hurt regardless 😥


8 minutes ago, Pendalar said:

I'm wondering if the exploit necessarily needs brute-forcing the PLC name. If it doesn't, I wouldn't imagine setting it to an extremely long name with only special characters would necessarily help secure it in this case.

True, but I'm having difficulty imagining another point of attack. If there is, then Unitronics can circumvent with a firmware upgrade.


After giving it some thought and strictly speaking about internet reachability, we would only need the following to likely be secure enough:

iOS/Android Remote Operator app connections to the non-internet-reachable PLCs, passing through a secure connection to an internet-reachable work PC that has a static IP (internet and intranet).

Would you still recommend a full VPN solution? I'm thinking this could be done with various proxy or tunneling methods but would appreciate some pointers / how-to links that should serve the purpose with some light modification. It's possible there is some functionality in the router we use, but I don't have access currently to dig around.



You could have a local PC talking to the PLCs via the intranet, running the PC version of Remote Operator.

The key point is then how you access that PC from the internet. If you use port forwarding and a public IP then the old problem still remains. However, with a PC involved you have access to more secure methods such as TeamViewer or AnyDesk. This would mean connecting to that PC from the iOS/Android tablet, then operating the Remote Access app remotely using the iOS/Android device. This can be cumbersome if done on a phone, but not so bad on a tablet.

I'll give another plug for UniCloud, as it now allows creation of a dashboard sized specifically for mobile devices.

The UCR router supports 3rd party VPNs, you would just need to have a server set up with your chosen VPN installed.

In terms of what I recommend, I'm just saying a VPN (or similar) is the most secure. Public IP and port forwarding is just about the least secure. I'd suggest considering multiple factors such as:

* who will use the system and what is their expertise and comfort level with tech?
* who will maintain the system, in-house experts or outsourced?
* how frequently will it be used?
* will it be monitor-only or monitor and control?

Look at your available options and assess how well they fit the intended use. From experience I'd suggest that unless you are already an expert in VPN setups, pay for a professional service rather than try to teach yourself how to set up and manage a "free" system. That's just my opinion though 🙂



Saw a report on ABC News this morning about a drinking water pumping station in Pennsylvania being hacked. The photo was clearly a Unitronics V570 PLC. Unitronics, among others, is being targeted and we need to be acting immediately to prevent more occurrences. We need some guidance from Unitronics right away.


38 minutes ago, swb311 said:

Anyone affected by this hack had port 20256 forwarded to their public IP. 

It's literally because the programming port is forwarded to the internet

It's actually the exact opposite. The router is set to forward port 20256 from their public IP address (WAN) to their private IP address (LAN). This is actually fairly common, and while it's not secure, it's generally okay because there is little incentive (profit motive) to hack in these situations. Tensions in the ME provided the incentive absent a profit motive.

It's a good lesson learned here - avoid using default settings.

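Added example, not from this thread or from Unitronics: a small Python check that scans netfilter-style forwarding log lines for TCP 20256 (the PCOM/programming port discussed above) reached from outside the RFC 1918 ranges, which is the WAN-to-LAN exposure Flex727 describes. The log format, interface names and addresses are assumed and constructed; documentation addresses stand in for public sources.

```python
import ipaddress
import re

# The port this thread is about: PCOM/programming traffic forwarded to the PLC.
PCOM_PORTS = {20256}

# Internal ranges we do not treat as internet sources (RFC 1918 plus loopback/link-local).
# Checked explicitly rather than via ip.is_private so that the documentation
# ranges used below as stand-in public addresses are still counted as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Assumed syslog layout from a Linux router's iptables/nftables LOG target.
LOG_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")

# Constructed sample lines (not real traffic). Line 1 and 4 are external hits on 20256,
# line 2 is an intranet engineering PC, line 3 is external but a different port.
SAMPLE_LOG = """\
Nov 25 03:14:07 gw kernel: FWD IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.168.10.50 PROTO=TCP SPT=51234 DPT=20256
Nov 25 03:14:09 gw kernel: FWD IN=eth1 OUT=eth1 SRC=192.168.10.20 DST=192.168.10.50 PROTO=TCP SPT=40001 DPT=20256
Nov 25 03:15:00 gw kernel: FWD IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.10.50 PROTO=TCP SPT=50000 DPT=443
Nov 25 03:16:11 gw kernel: FWD IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.10.50 PROTO=TCP SPT=50001 DPT=20256
"""


def is_internal(addr):
    """True if addr falls in one of the internal ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_external_pcom_hits(log_text):
    """Return (src, dst, port) for every forwarded TCP flow to a PCOM port from an external source."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"].upper() != "TCP" or int(m["dpt"]) not in PCOM_PORTS:
            continue
        if is_internal(m["src"]):
            continue
        hits.append((m["src"], m["dst"], int(m["dpt"])))
    return hits


def exposed_plcs(hits):
    """Map each PLC address to the set of external sources that reached its PCOM port."""
    per_plc = {}
    for src, dst, _port in hits:
        per_plc.setdefault(dst, set()).add(src)
    return per_plc


if __name__ == "__main__":
    for plc, sources in exposed_plcs(find_external_pcom_hits(SAMPLE_LOG)).items():
        print(f"PLC {plc}: PCOM port reached from internet sources {sorted(sources)}")
```

Any PLC that shows up in the output is one whose programming port is reachable from the WAN, which is exactly the port-forward this thread says to remove or put behind a VPN.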

24 minutes ago, Flex727 said:

It's actually the exact opposite. The router is set to forward port 20256 from their public IP address (WAN) to their private IP address (LAN). This is actually fairly common, and while it's not secure, it's generally okay because there is little incentive (profit motive) to hack in these situations. Tensions in the ME provided the incentive absent a profit motive.

It's a good lesson learned here - avoid using default settings.

Please forgive my oversimplification of the issue. I've been awake since early Thanksgiving morning trying to get wells back online that were affected by this hack lol.


On 11/27/2023 at 5:16 AM, stembera said:

Hello Pendalar, I have exactly the same incident on a V570. Probably there is a security flaw in the PCOM protocol, vulnerable if the PLC is contacted via the internet. I am planning to change all PLC names, change the service port numbers and hide the PLCs behind a VPN. I will have a meeting with a security expert this evening, so I hope I will get more information.

Please keep us informed about how the situation develops, if possible. Also, in case of need, feel free to contact me directly.

Using the PCOM protocol you only need the IP, and it is easy to get once you are in the network.


On 11/27/2023 at 10:27 AM, Flex727 said:

@Cara Bereck Levy, I don't see anything in the Help file that indicates exactly what special characters are allowed or disallowed for the PLC Name. Since this is essentially the password for remote communications, could we get this spelled out so that we can take the appropriate action to secure PLCs in the field?

Thanks.

I see that I am joining late, but I think you could bypass the name with the PCOM protocol.

Since I no longer work with Unitronics I don't have access to the old software that I developed with the PCOM DLL, but I am 99% sure it can be bypassed.

Edit: yes, you don't even need to know the name, and in fact you can retrieve the PLC name using this method.


Once you get the PLC name then you can do a new blank download.
