Affected Systems Include: Allen-Bradley PLC’s/HMI’s
- Internet Access
- Web Browser for searching the Shodan IoT database
- RSLinx Classic/Lite Software – Free Download Here From Rockwell Software
- RSLogix 5000 – by Rockwell Automation (v20 used for this demonstration)
This guide will demonstrate the immediate need for a change in the way that non-security conscious Controls Systems Integrators access and install their equipment. There is a general gap in knowledge between Systems Integrators who are programming the PLC’s, HMI’s, and SCADA systems and their IT counterparts when dealing with new or updated systems at manufacturing facilities. The Integrators generally do not have the knowledge or mindset needed to set up a well secured system. Integrators usually are concerned only with being able to access the control devices (PLC’s, etc) remotely to alleviate additional trips onsite, which can be a costly endeavor over time, and to also provide quick support for their customers.
This approach has left many unprotected controls system devices wide open on the Internet available to anyone who would wish to misuse them. These systems can include critical infrastructure, school systems, manufacturing facilities, car washes, etc.
The PDF version of this guide is available here
- Navigate a web browser to the SHODAN search engine https://www.shodan.io/
- Type the following text into the search field; 1769-L32E
- Press the “Enter” key to display the search results. The results should resemble the following;
Here is a close up of one of the results.
The search has clearly identified an Allen-Bradley 1769-L32E CompactLogix Processor that is directly connected to the Internet at the IP address on the left hand side. We now have all the information needed to connect to the PLC.
- Install the Rockwell Automation programming software, RSLogix5000 and RSLinx (Classic or Lite), with the default options checked.
RSLogix5000 installation should look like the following;
Note: RSLogix5000 software is generally packaged with RSLinx Classic. RSlogix software does require a valid activation to be present, however, the software will run in a fully functional grace period of 7 days starting from the first time the software is started. If the software was installed in a virtual machine, it would now be a good time to make a copy of the VM before opening any of the newly installed Rockwell Software. That way, the 7 day grace period hasn’t been activated yet and there would not be a need to sit through software installation again in the future if there was a saved “base” copy of the VM. Then use the new copy as a “working” VM.
- Open the start menu and run “RSLinx Classic” located in the Rockwell Software folder.
Once RSLinx opens it will look like the following picture;
- Now we need to configure a new Ethernet Driver. Click on “Communications”, then “Configure Drivers…”
- Click on the drop down and select “Ethernet devices”. Then click the “Add New…” button. Type in a name for the driver if you wish then click “OK”.
Now the following dialog box will be displayed;
- On the Station 0 line type in the IP address of a PLC found in the previous steps using the Shodan web site and click “OK”. Multiple device IP addresses can be added here to be able to browse many devices at the same time by clicking the “Add New” button. A new line will be added to the table for the user to enter an additional IP address.
- Once the dialog box closes you will see all the drivers configured and their current status. Our newly created Ethernet driver should have a “Running” status. Click the “Close” button.
- Click on the new Ethernet driver to start “Browsing” the network for the IP addresses previously added. In this case the driver has the default name of “AB_ETH-1, Ethernet”. Once the driver is highlighted it will begin to browse for devices. The small icon to the left of the name will begin to flash showing that it is actively browsing the network.
This image shows another typical setup for RSLinx with multiple drivers and devices defined.
- To verify that the PLC is actually “Live” on the network, the IP address entered into the driver must not show up as a yellow question mark with a red X over it. When that happens it means that there is no connection being made from RSLinx and we cannot go any further with that particular IP address.
The device should show up similar to the following image;
- Open the start menu and run “RSLogix 5000” located in the Rockwell Software >> RSLogix 5000 Enterprise Series folder.
- The following popup will be displayed indicating that activation has failed and the 7 day grace period has been activated. Click “OK”
- RSLogix 5000 will continue to open and look like the following image;
- Click on “Communications” in the top menu bar and select “Who Active”
- The “Who Active” dialog box will be displayed. Select the Ethernet driver that was created previously in RSLinx (AB_ETH-1, Ethernet). When the network has been browsed properly, sometimes it take a few seconds depending on the network, click on the IP/device to highlight it.
You will need to keep hitting the “+” next to the device name to expand the tree down a couple more layers until the actual Processor can be highlighted.
An example of the process would be “00, CompactLogix Processor, PLCNAME”
- Once the Processor is correctly selected the “Go Online” button will not be grayed out. Click “Go Online”
- RSlogix 5000 will not attempt to go online with the processor. The following dialog box will be displayed indicating that you do not currently have an offline project to use and will need to create one. Click “Select File”.
Enter a file name to use and click “Select” and then click “Yes” at the next prompt. This will create a new file to use while online with the processor.
- The project will now be uploaded from the processor and a progress bar is displayed. This may take a few minutes to complete depending on connection speed and the size of the project.
- Once the upload is complete RSLogix 5000 should now be Online with the processor. This will be evident by the status indicators in the top left of the application. If the indicators are green and the gears animation is spinning then RSLogix is actively online with the processor.
Things such as Controller Tags, Program Tasks, Hardware, etc are all accessible through the project tree on the left hand side of the application.
From this point the running code in the PLC can be modified while online, new tags can be created, Physical Inputs and Outputs can be Forced ON/OFF, configurations can be changed, and the processor can be placed in Program mode which effectively turns the processor off so there is no logic running.
As stated previously, this write-up was created with the intention of showing how easily accessible Industrial Controls Systems currently are in this era with the hopes that this can be an eye opening experience for everyone in the industry. We all need to make sure we have properly trained Systems Integrators, Information Technology staff, and maintenance personnel working on our critical infrastructure controls systems.