# Control Systems and Internet Connectivity



## mgraw (Jan 14, 2011)

I just did some work in a new bank branch. The AC, security cameras, sign, and electrical panel are all connected to the internet. They can be both programed and monitored remotely. This branch is being used as a prototype to determine what they like and don't like for future branch construction and upgrades.


----------



## oliquir (Jan 13, 2011)

i have some clients that i have access via teamviewer to their scada system pc for fast troubleshooting and programming acess.


----------



## GrayHair (Jan 14, 2013)

Network communications are great, but there can be pitfalls. Ran a lot of service calls because customer's IT group(s): 


Failed to keep track of reserved (dedicated) IPs required by security equipment;
Reconfigured networks making dedicated IPs unreachable "islands" (always on weekends, IIRC), and;
Failed to keep track of ports opened for security equipment.
But not all problems come from the customer's IT. After retiring I was called several times to help when an ISP (cable company) closed ports we needed.


----------



## just the cowboy (Sep 4, 2013)

*Germany can get into our machines*

We use a dedicated line over internet so Germany and another machine manufacture can get into our new machines. We had to get a program change done that way already but it only gets plugged in when needed.


----------



## danhasenauer (Jun 10, 2009)

BACnet over IP protocol. Lot of installs for a large automation systems manufacturer.


----------



## Jabberwoky (Sep 2, 2012)

The controls are not directly linked to the internet but we can access a PC connected to the equipment with Teamviewer. The machine makers can make program changes or monitor the equipment but this is very rare.

Our environmental DCSs and lighting have web based apps though.


----------



## mgraw (Jan 14, 2011)

On the job I referenced in post#2 the AC, security cameras and electrical panel were "Ethernet ready." Assign an IP, open some ports, run cat 6 and they were connected. The sign was a bit of a disappointment in that it required a pc and third party software to connect.


----------



## triden (Jun 13, 2012)

You have to think, what are the repercussions if someone was to gain access to your plant? In 2009, the Stuxnet virus (targeting Siemens controllers) entered a Uranium enrichment plant and gave malicious users control. If you run a sewage treatment plant, of course the stakes won't be as high.

The problem with control systems and automation is that IT does not understand it and most likely has no idea how to adequately protect/harden it. Next time you see your IT guy, ask him how you should secure your SCADA system and he'll probably reply with "what is that?". SCADA software is straight out of the DOS days of the 90's and is sometimes still as cumbersome. For instance, iFix still sends clear text passwords over the network, keeps local user hashes on the PC that are simple to break and many other things that would make it DEAD simple to break into. If you can help it, try to keep your SCADA nodes off the internet. Worst case, use an IPSEC VPN to enable remote access.


----------



## splatz (May 23, 2015)

That's the thing. You think about it a sewage treatment plant might not be radioactive but it still could make a mess. 

I worry about the security of some of the remote access software too. It's so useful it's hard to resist but who knows what vulnerabilities are in there? GoToMyPC is from Citrix, a fairly known quantity, but TeamViewer etc. ... not so sure.


----------



## danhasenauer (Jun 10, 2009)

triden said:


> You have to think, what are the repercussions if someone was to gain access to your plant? In 2009, the Stuxnet virus (targeting Siemens controllers) entered a Uranium enrichment plant and gave malicious users control. If you run a sewage treatment plant, of course the stakes won't be as high.
> 
> The problem with control systems and automation is that IT does not understand it and most likely has no idea how to adequately protect/harden it. Next time you see your IT guy, ask him how you should secure your SCADA system and he'll probably reply with "what is that?". SCADA software is straight out of the DOS days of the 90's and is sometimes still as cumbersome. For instance, iFix still sends clear text passwords over the network, keeps local user hashes on the PC that are simple to break and many other things that would make it DEAD simple to break into. If you can help it, try to keep your SCADA nodes off the internet. Worst case, use an IPSEC VPN to enable remote access.


IT will never understand it. They usually mumble something like "uhhh, here's your port number..." and then you never see them again. I think the whole Stuxnet attack was a US Govt. cyber attack on Iran and Siemens was most likely in collusion with the Gov. The systems we install/upgrade are all VPN, key-required systems.


----------



## emtnut (Mar 1, 2015)

A properly protected system, even if you were to find an IT guy who 'gets it' although extremely difficult, can still be hacked. Although the weakness usually comes sometime down the road when modifications are made.

"THE" question you have to ask yourself is what are the consequences if it did happen. IMO anyways  ... but I've got a lot of miles on me, and don't trust sH!t anymore :no:


----------



## Mountain Electrician (Jan 22, 2007)

We use TeamViewer occasionally.


----------



## JRaef (Mar 23, 2009)

I worked for Siemens at the time of Stuxnet, everyone knew how it got in and it had nothing to do with the Internet. Iran was restricted from buying the software so they used illegally hacked copies. Because of that, their programmers could not get Tech Support from Siemens, so they used freelancers that brought their own illegal copies of the software with them using jump drives. One (or more) of those carried the Stuxnet worm, which most likely was released by the Israelis, not the US directly. Did Siemens know and collude? Probably not, that worm cost them an estimated $2 billion in losses at that time, the CEO even stepped down shortly thereafter, though technically not just for that reason. 

Ethernet networking of control systems does NOT automatically mean INTERNET connectivity by the way. Ethernet is just a high speed medium for transmitting the data reliably. Many good Ethernet based control networks have extensive security protection levels that make access all but impossible from outside of the facility. Internet connectivity can be restricted by simply providing no physical connection to any outside line. The bigger risk really stems from inside with people using jump drives and other portable media.


----------



## splatz (May 23, 2015)

JRaef said:


> Ethernet networking of control systems does NOT automatically mean INTERNET connectivity by the way. Ethernet is just a high speed medium for transmitting the data reliably. Many good Ethernet based control networks have extensive security protection levels that make access all but impossible from outside of the facility. Internet connectivity can be restricted by simply providing no physical connection to any outside line. The bigger risk really stems from inside with people using jump drives and other portable media.


I have heard a few different stories about how stuxnet infiltrated, the jump drive is an interesting possibility, I have also heard of infected copies of bootleg software being seeded on the peer to peer sites. If that was the case the software itself was polluted, didn't matter how it got from here to there. 

Keeping control networks separate is doable, but if there's remote access for troubleshooting, it's really not separate enough to say it's impregnable.


----------



## MechanicalDVR (Dec 29, 2007)

The only job I have ever heard of being hacked was a new police, jail, court complex. All the heat was maxed out in the police and dispatch areas and jail a/c was the only comfortable area.


----------

