How to Ensure a critical PLC system is free from viruses

ixo65

 

JKV JAMES

4)why did this thread lead to block my public ip of laptop to this forum access? What is the purpose of forum if blocking someone who express thier queries with courageous ?

 Do you actually believe the nonsense that you write here?

Yes. 

I have only access to limited content by clicking Accessible button. This is the case of my laptop which has been blocked. 

However, I can access forum from other device ip.

Related thread

Hello,

1) none, a PLC is by design not protected again Virus infection
PLC have a very special Operation System and nobody can program such things like Antivirus Scanner for PLC.
And never forget , alle running Antivirus protection increase the PLC cycle times!

2) start Support Request , here in the forum Members active , not SIEMENS Representative,

To get a valid statement to this question contact SIEMENS!

3) no

some other:

with Strux you mean Stuxnet or?
please read the history of the Stuxnet again. This was a very special attack against nuclear plant in iran, this "virus" was not implemented to infect all PLC worldwide, it was a special attack.

In the other thread you get a link from SIEMENS for Industrial Security.
please read and check it again.
all requirements are listed and described.

If your customer have a critical system and think that a virus can infect the plc should be think about:

should a critical system connected to internet?

Regards

Christoph

JKV JAMES

QUESTIONS ARE PUBLIC. SO WE USE FORUM TO DISCUSS. 

This is a basic question one customer asked while proposing a PLC to their critical system . This question coming from other  companies whom already installed same system with siemes PLCs from other vendors in many their plants. 

There is nothing suspecious. I am posting on Siemens website. Whomever have knowledge they can answer. This is the question everyone want to know who wish to  buy siemens PLC. If they wish to answer confidential , let them to message me in my inbox.

I have attached a news link above about virus infection on PLC in United Kingdom in 2017. My one another post about Strux virus infection in Iran's Power plant and Siemens accepted the same in around 8years back 2012 as per Wikipedia. 

So the customer companies got doubt that these PLCs are unsafe for their critical system in their plant and a virus infection in PLC can cause more critical in their plant or they may shutdown their production. 

1)What justification can Siemens give that the new PLC will not infect virus? What safety system added in PLC after 2012 and 2017 virus infection news which I have attached above link?

2)Do they confident to take responsibility if production loss happens in future due to virus attack on PLC which you were accepted as per Strux virus details in Wikipedia?

3)My question: Do Siemens PLCs got any features to distinguish a virus infection and a programming error? 

How did it confirm to accept that PLCs in Iran's Powerplant infected with Strux virus? This is for distinguishing program error and real virus. Otherwise many news may come about exaggerated PLC virus infection on Siemens PLCs. 

4)why did this thread lead to block my public ip of laptop to this forum access? What is the purpose of forum if blocking someone who express thier queries with courageous ?

 Ohhh...

What do you want from your questions on this forum?

I repeat once again, any answers to this forum are only advisory in nature, this is not a guarantee that this will be so, not a guarantee that it should be so!

If you ask:

How can I protect myself from viruses inside the PLC - you will receive recommendations

If you ask:

My PLC is already infected with the virus - we will only answer you with recommendations and suggestions why this happened!

If you want an expert opinion - invite Siemens, write them official inquiries and get official answers to them.

I and other forum participants have given you comprehensive recommendations regarding virus protection.

And I will repeat again - virus attacks on PLCs or production are not supernatural. If the customer is worried about the safety of production, let him do everything that RECOMMENDS for this, Siemens, and if something goes wrong, then write a complaint to SIEMENS that:

I did everything as you said, but they hacked me, what next? ...

We will talk with you for a long time if you don't stop waiting for something supernatural from us ...

ChristophD

Hello,

1) none, a PLC is by design not protected again Virus infection
PLC have a very special Operation System and nobody can program such things like Antivirus Scanner for PLC.
And never forget , alle running Antivirus protection increase the PLC cycle times!

2) start Support Request , here in the forum Members active , not SIEMENS Representative,

To get a valid statement to this question contact SIEMENS!

3) no

some other:

with Strux you mean Stuxnet or?
please read the history of the Stuxnet again. This was a very special attack against nuclear plant in iran, this "virus" was not implemented to infect all PLC worldwide, it was a special attack.

In the other thread you get a link from SIEMENS for Industrial Security.
please read and check it again.
all requirements are listed and described.

If your customer have a critical system and think that a virus can infect the plc should be think about:

should a critical system connected to internet?

Regards

Christoph

Hello Christoph

Thanks for reply.Appreciate for clear-cut answers to this topic.

Here my reply below.

1. Now its clear that PLC is just only a controller which can even affect virus infection. Then the usual question come like how to protect PLC from virus? I will tell a simple case, Suppose I have one S7 1500 PLC and a TP 1500 Comfort panel.Where shall I need to install anti-virus software? Does I need to Install antivirus software to HMI with windows CE?                              I will explain the possible threat to this system.                                                                               a)  USB / flash card access to the HMI for taking print pdf of data log or any other purpose.         b)  Connecting PG or any other laptop to the PLC for diagnostic or program update.                                                                                                                                                                           In scenario (a) Which antivirus software is recommend to best protect this system with Windows CE OS for PLC/HMI virus? Tell me which one if you used in any your project?                                                                                             

        In scenario(b)Some of the antivirus software are shutdown TIA portal services in programmer's laptop but I have list for antivirus software for PG station from Siemens website.

The issue that many people touch on the PLC system after commissioning a project even they may less cautious about safety and may blame to the system provider after any malfunction.Also a person can intentionally connect any device to the network which can  infect virus like Iran's power plant.   Is there any device can I propose to the customer which can protect any such virus threat?Does Scalene-s module to protect virus from PLC and HMI? 

2) Noted.Its ok if there is a best method to protect the system from such virus incident.

3) Thanks for the answer.In a business point of view, it can make fear in customer's mind after continuous fake PLC virus news which can  impact the Partner companies  sales.

Does all previous diagnostic buffer vanishes if PLC reset/format??Does it record any volume change any incident in memory card which can get as an input for virus infection?

How do Siemens team study about new threat if there is no record to understand what happens to the PLC at a critical time especially a virus attack?

 Back box in Aeroplane to record each activities .A similar concept for each incident record for PLC and network either by PLC itself or other device(Not recommended)

Stuxnet: Was it Siemens self-attack for procuring PLCs for nuclear projects? I was Joking.

Wikipedia showing data like Stuxnet spread many counties could be biased data for favoring anti-virus manufactures.Critical system not connect with internet but expect only scenarios like intentional attack or by mistake connect virus infected laptop/USB to the network.

All the points are almost very clear.I have only one confusion.I am not sure the programming laptop containing any virus even the antivirus software could not detect.I have read some comments from "Unreality" to check it by using some blocks in PLC as to check the program volume change.

Is that  method recommended by siemens  to check it existing program in critical system PLC? If I reset memory card and download the PLC program after installing a good antivirus software in PG could solve the virus possibilities in the running critical PLCs?

If reset/format memory card what will happen? Virus also go away or stay in hidden files?

Thanks for the reply.Most of the points are very clear.

In General, PLC users must take the responsibility of any virus attack to the PLC. Its not system supplier or Manufacture.

This is the point I was looking to tell the customer.

Hello James;

One point is very important in all this exchange:

Stuxnet is not and never was a PLC virus.

With the combined resources of U.S. and Israeli military hackers (presumed) Stuxnet could have been developped to affect a PLC's memory and process control, but since the PLCs and computers were not networked (to protect them from foreign infestation) it was decided that the attack on Iranian uranium enrichment plants would be spread through USB keys, directed at the WinCC components of the application, and the Windows operating system that supported it.

https://en.m.wikipedia.org/wiki/Stuxnet

That explains why Siemens cybersecurity recommendations require protection on networks that allow data exchanges with the CPUs, and good antivirus management for the PCs used to program and monitor them.

Hope this helps,

Daniel Chartier 

Hi,

 1.) there exists no such a antivrus Software.

JKV JAMES

USB / flash card access to the HMI for taking print pdf of data log or any other purpose.

JKV JAMES

 The issue that many people touch on the PLC system after commissioning

JKV JAMES

 Also a person can intentionally connect

 On a critical system? sorry if all the quoted points are possible then it is no critical system ! This more or less a open door!

2) read the allready provided liks and documentation

3) diagnostic is deleted complete, memcard data changes not logged

A antivirus SW on the PG doesn't detect a virus in the PLC program! it can only detect virus/malware/attack on the PG, not more.
If the hack is good then the antivurs see never a virus/malware or something.

After Memory reset / Format card the virus in the PLC program is deleted, only if the virus is designed to infect the PLC FW (stored inside the PLC in flash) then is possible that the PLC is infected after Reset.

You should no think about what happen if PLC is infected by virus, you should think an pla that this way is closded, so no virus can infected the systems, and for that you need measures outside the PLC, measures in the network, the access control to PLC/System ....

Regards
Christoph

Hello ALL,

I completely agree with ChristophD

Ahhh - are we still talking about this?

I’ll tell a story about how we got rid of the Stuxnet virus (restless worm) in production:

I worked in glass production and at the time this virus appeared - I was surprised - our system was also infected by it.

We had workstations and servers with PCS 7 and PLCs 400 series.

The most interesting thing is that nothing happened - the worm lived quietly at workstations and did no harm to us - he was a friendly neighbor.

When this guy made a fuss, antivirus companies stirred - and in Russia - Kaspersky released a utility for catching this worm on working computers (ARMs).

We launched the cleaning utility - and found this worm on all of our computers located in the industrial network - it was an isolated network, it was inaccessible from outside, it couldn’t be accessed, and so on.

The utility did its job, the worm was successfully removed, but where did it come from?

We were surprised, but he came to us through flash cards, and it was very tricky.

On one of the computers inside the industrial network there was access to a data card on a flash card — this was done for reports — there was an antivirus on the computer.

On the computer where the reports were later transferred, there was also an antivirus. The flash card itself did not go anywhere from production, that is, always at work.

And the infection was precisely through a computer that was on another network - which had access to the Internet ...

What does the worm itself do - scan the network and all media, spread itself to everything that was possible (then the IT service cleaned all working computers from it that were not related to the industrial network where the PLCs were)

And distributed, in parts - that is, first checked on the network of the computer where the USB flash drive was installed - whether there is a PLC in the network - or its PLC data exchange protocol (S7-protocol). If so, then the rest of the worm’s body was transferred for attack.

And there wasn’t an attack, because the worm needed to be in another country. He copied himself to the computer and was waiting in the wings, but did not have time)))

*****************************

Therefore, so that there would be no such nonsense - make a normal defense, trying to predict all possible options

Wow! Grandios discussion! 

Greetings!

JKV JAMES

How to Ensure a critical PLC system is free from viruses or not malfunction beyond the original program in future . 

 There's no way to be ensured at all until you use hardware and software which were made in other countries.

There's a few sovereign countries across the world. It's enough fingers on one hand to count them.

These countries produce modern weapon, automated weapon, of course.

What do you think they are purchasing mass-producing plc and software for military purposes?

The sovereign countries don't use Intel, AMD at all which are developed in silicon walley.

Each sovereign country developed its own CPU and respective software, data transmission protocols and so forth.

Thus there's a big chance to be not contaminated with specially written viruses and to be surprised with unexpected hardware behaviour (hardware hidden bugs, I mean).

What stand for such enormous pricy measures, try to guess by yourself.

BR