An industrial control system (ICS) is used to control equipment in a local area such as a production plant, while a supervisory control and data acquisition (SCADA) system is used to control equipment in a wide geographical area such as an electric power grid. A SCADA system may be thought of as a subset of ICS.
The basic element of an ICS is an industrial controller known as a programmable logic controller (PLC). The operations of the equipment in the ICS are programmed into the memory of the PLC. Industrial control systems began as stand-alone racks of relays that were isolated from external threats.
When PLCs were developed in the early 1970s, they were used to replace relays in control systems for automobile assembly lines; at that time, memory reprogramming was done with each car model-year change. Today, software applications have been integrated into control systems. This added connectivity has increased the vulnerability of these systems to malicious attacks.
Malware has been developed by hackers to attack the ICS of critical facilities, such as the Dragonfly hacker group and its Havex malware, to destroy equipment and threaten human life. The attacks can be carried out by nation-state and non-state hacker teams with little or no risk of detection or attribution. Critical facilities include, for example, nuclear power plants, hydroelectric dams and oil/gas pipelines. An example of a destructive malware incident is the 2010 Stuxnet malware attack on the ICS of the Natanz nuclear enrichment plant in Iran. There, Stuxnet was designed to alter the programming stored on the memories of the PLCs of the Natanz ICS, to cause dangerous changes in the rotational speeds of the refining centrifuges, resulting in the destruction of 1,000 centrifuges.
Stuxnet was able to alter the programming stored on the memories of the Natanz PLCs because the memories were rewriteable. PLCs with rewriteable memories were originally developed in an era that was free of malware attacks. This rewriteable characteristic is the same for the memories of all extant PLCs in industrial control systems around the world and is the same for PLCs now being produced and sold. Alternatively, a PLC memory having a non-rewriteable characteristic, once programmed, cannot be written to again and will block malware from altering the programming stored on that memory.
Facilities seek to protect their control systems against malware attack with defensive software, including firewalls and application whitelisting. Hacker teams have computerized methodologies, such as fuzz testing and searching Shodan, to find connectivity paths and zero-day faults through which to reach their targets: the rewriteable PLC memories.
The rewriteable memories of PLCs are fixed in place on a circuit board of the PLC, are programmed in place and are reprogrammed in place. When, instead, non-rewriteable memories are utilized in PLCs, the PLC must be configured such that a programmed non-rewriteable memory can be inserted into or removed from an exterior socket on the PLC.
Non-rewriteable data storage media are available as solid-state, non-volatile memories, which presently include SD Flash cards. These are not inherently non-rewriteable; they require dedicated programming steps to become non-rewriteable. Plug-in connecting sockets are available for SD card memories, just as in consumer digital cameras.
The non-rewriteable memories of a new-design PLC must be removable and insertable, using connecting sockets in the PLC. The memory connecting socket is necessary because, once programmed, the program stored on the non-rewriteable memory cannot be rewritten. If change of programming for the memory in a PLC is needed, a new non-rewriteable memory will need to be programmed and taken by the technician to the PLC, for insertion in the socket of the PLC.
Concept PLC and operations
The concept PLC will have an exteriorly located socket for insertion of a non-rewriteable memory. The socket will have a hinged cover which, when open, will make the socket available to the technician for removal of an inserted memory and for insertion of a memory. The hinged cover will have features such as being gasketed and lockable, with the cover and lock alarmed against tampering.
The programming of the non-rewriteable memory could take place in the control room of the ICS. The memory programming methodology, and the circuitry needed for programming, will be in accordance with the manufacturer’s procedures for the type of solid-state memory being utilized. The lock-down, or write-protect, of the blocks or sectors of the memory will be applied during the programming procedure. There will be a programming box with a socket for the memory and a cable to connect to the operator’s PC.
Solid-state memories, because of their small physical size, the fragility of their connecting pins or their susceptibility to static electricity damage, may need to be handled in accordance with the memory manufacturer’s recommendations, using a grounded tool, whenever the memory is inserted into or removed from a socket or placed into or removed from a container.
After the memory is programmed and lock-down (write-protect) is performed, the data stored on a block or sector, or the entire data storage on the memory, will be checksummed in accordance with the memory manufacturer’s checksum procedure for the type of memory being utilized. The checksum value will be stored in the control room for record and comparison purposes.
The programmed non-rewriteable memory will be placed into a box for transport by the technician from the control room to the designated PLC. If there is a memory presently inserted in the PLC, the technician will also take a second, empty box, pre-annotated for the memory to be removed.
Before the programmed non-rewriteable memory can be removed from the PLC and a subsequent programmed non-rewriteable memory inserted into the PLC, there must be a safe, programmed shutdown of the zone of ICS equipment controlled by the PLC. The shutdown is analogous to the safe, programmed shutdowns commanded by shaft vibration monitors and set-point excursion monitors. There are factors that bear on these planned shutdowns of equipment operations.
- Critical facilities can be essentially steady-state, and thus at critical facilities PLC memory programming changes are less frequently needed, when compared with PLC memory programming changes needed at, for example, process plants.
- Critical facilities may have as many as 30 PLCs in a facility. To accomplish PLC memory changing in a critical facility, it may be that only one, or several, equipment zones need be safely shut down at one time.
- The damages that took place at Natanz show that hacker teams will develop malware to maliciously reprogram rewriteable memories of extant PLCs in process plants, as well as in critical facilities.
For the unlocking and opening of the PLC’s cover, and for the changing of the memory within the PLC, the technician can be in telephony contact with the operator in the control room, until such time as the memory-changing task is completed. The technician will remove the present memory from the PLC and place it into the empty box for return to the control room. The technician will insert the newly programmed memory into the socket within the PLC. The PLC cover will be closed and locked, and the cover lock security alarm will be set.
After the memory is inserted into the socket within the closed, locked, alarmed cover of the PLC, the PLC will be powered on, but the operator will not yet authorize the command for the PLC to run. First there will be a checksum procedure of the storage on the memory now locked within the PLC, the same memory that had been checksummed in the control room after its programming was completed. This confirmation checksumming will be done over the cable connection to the control room. If the checksum value agrees with the checksum that had been calculated and stored in the control room, this confirms that the memory locked within the PLC is the specific memory that was programmed, and the operator can issue the command for the PLC to run and for the designated equipment in the zone controlled by the PLC to restart.
The cable connection between the PLC and the control room will provide for checksumming, and will also provide for the locking and alarming of the hinged cover over the memory and the socket, for the operation of the PLC, and for display of the programming of the memory inserted into the socket on the computer in the control room.
Modified production PLC
Certain modern production PLCs have been evaluated by independent testing staffs and found to be free of known exploitable flaws. Such a PLC enclosure would have on its exterior a memory socket into which a non-rewriteable memory would be inserted. The wiring of the socket would be connected to the circuit board within by short connecting wires. Further modification features of a production PLC can include a hinged cover over the memory socket that is gasketed and lockable, with the lock alarmed against tampering.
Control room IT tasks
The operator, in the control room, will take a new SD memory out of its box and write a pre-arranged identifying code number on the memory and the same code number on the box. The operator will program the equipment zone’s functional program onto the new SD memory.
The operator will then apply the sector lock-down to the SD memory just programmed with the functional program. The operator will compute the checksum of the programmed memory and record it, along with the code number of the memory, for comparison purposes. The memory will be returned to its annotated box.
The technician will take the newly programmed memory in its box, and the coded empty box for the memory that will be removed, to the designated PLC. The present memory in the PLC will be removed from the socket of the PLC and placed in its coded box. The newly programmed memory will be taken out of its coded box and inserted into the socket of the PLC. The cover over the newly inserted memory will be locked and alarmed. The technician will take the removed memory in its coded box, and the empty box of the just-inserted memory, back to the control room for storage. While engaged in these activities at the PLC, the technician will be in communication with the operator.
The operator, in the control room, will conduct a checksum of the memory newly inserted into the PLC, after the memory is inserted by the technician and the cover over the memory is locked and alarmed, for comparison with the previously recorded checksum of the same memory. The operator will also observe on the control-room computer screen the programming of the memory for events such as planned shutdown.
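The following is an added example, not code from the original article, that models the control-room workflow just described and the operations-section checksum procedure: program a memory, apply lock-down so further writes are refused, record the checksum against the memory's code number, and later confirm the memory locked inside the PLC against that record before run is authorized. SHA-256 as the checksum, the byte-string memory image, the class and function names, and the sample zone program are all assumptions of this example, not the article's or any manufacturer's procedure.

```python
"""Model of programmed-then-locked PLC memory with a control-room checksum record.

Added example, not part of the original article. Assumptions: SHA-256 as the
checksum; the memory image is an opaque byte string; code numbers follow the
operator's pre-arranged scheme (constructed here as "SD-0042").
"""
import hashlib
from dataclasses import dataclass, field


class WriteProtectedError(Exception):
    """Raised when a write is attempted on a locked-down (non-rewriteable) memory."""


@dataclass
class SDMemory:
    """Toy model of an SD memory: programmable until lock-down, read-only afterwards."""
    code_number: str
    image: bytes = b""
    locked: bool = False

    def program(self, image: bytes) -> None:
        # Writes are refused once lock-down has been applied.
        if self.locked:
            raise WriteProtectedError(f"memory {self.code_number} is locked down")
        self.image = image

    def lock_down(self) -> None:
        """Model of the manufacturer's write-protect step; it is one-way."""
        self.locked = True

    def read(self) -> bytes:
        return self.image


def checksum(image: bytes) -> str:
    """Checksum over the whole image (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class ControlRoomRecord:
    """Control-room register: code number -> checksum taken after lock-down."""
    records: dict = field(default_factory=dict)

    def record(self, memory: SDMemory) -> str:
        # The checksum is only meaningful once the image can no longer change.
        if not memory.locked:
            raise ValueError("checksum is recorded only after lock-down")
        digest = checksum(memory.read())
        self.records[memory.code_number] = digest
        return digest

    def verify(self, memory_in_plc: SDMemory) -> bool:
        """Confirmation checksum of the memory now locked inside the PLC.

        True means the operator may authorize the PLC to run; False means the
        memory is not the one that was programmed, or its image differs.
        """
        expected = self.records.get(memory_in_plc.code_number)
        return expected is not None and expected == checksum(memory_in_plc.read())


def control_room_workflow(code_number: str, program: bytes) -> tuple[SDMemory, ControlRoomRecord]:
    """Program, lock down and checksum a new memory, as in the control-room tasks."""
    memory = SDMemory(code_number)
    memory.program(program)
    memory.lock_down()
    register = ControlRoomRecord()
    register.record(memory)
    return memory, register


def attempt_rewrite(memory: SDMemory, new_image: bytes) -> bool:
    """Return True if the rewrite was blocked by the lock-down, False if it succeeded."""
    try:
        memory.program(new_image)
    except WriteProtectedError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample zone program; not a real PLC image.
    zone_program = b"ZONE-7: pump P-101 start/stop ladder logic v3"
    mem, reg = control_room_workflow("SD-0042", zone_program)
    print("recorded checksum:", reg.records["SD-0042"])
    print("rewrite blocked:", attempt_rewrite(mem, b"replacement image"))
    print("PLC run authorized:", reg.verify(mem))
    # A memory carrying a different image under the same code number fails confirmation.
    substituted = SDMemory("SD-0042", image=b"different image", locked=True)
    print("substituted memory authorized:", reg.verify(substituted))
```

The confirmation step compares only against the record taken after lock-down, so a memory whose image was altered before lock-down, or a different memory presented under the same code number, both fail verification and the run command stays withheld.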
Installer on-site tasks
The installer will install the new PLC onto the backboard to replace the old PLC. The installer will place a programming box next to the operator’s PC in the control room. The installer will place cables from the programming box down to the PLC for the tasks of remotely checksumming the memory in the PLC, for communication with the PLC for startup, for memory cover locking and alarming and for observing the memory programming on the control-room operator’s computer screen. All cables will be alarmed to detect tampering. The installer will place a cable from the PLC to the safe shutdown program device of the equipment zone of the PLC, for the purpose of shutdown when authorized for memory change.
The installer will hold training classes for the control-room operator on sector lock-down programming of SD memories, on checksumming a memory while it is in the control room and on checksumming a memory after it is inserted into the PLC. The installer will also hold training classes for technicians on removing the prior memory and inserting the newly programmed memory in the designated PLC, closing the cover over the memory and communicating with the control room about these actions.