Modbus Overwrite in Schneider PLCs or possible security flaw?

gleen41 · ‎2022-07-18

PLC noob here. So go easy on me if I am wrong. I have seen that at some of the projects, we read the status of digital outputs of PLC to SCADA(Citect) using a Modbus Read/Write Register and performing a BITAND operation. This is perfectly fine, I assume, as you get to save a lot many tags. Now this is not where the problem lies, the issue is with the tags in PLC that constitutes the bits of the previous mentioned register. Let me try to explain, Say, I have a 16channel DO, and at PLC side (let's say Schneider M580) we have 16 tags that becomes ON or OFF as a result of logic execution and at the same time constitutes the 16bits of an integer stored in 40001. This integer is supposed to report the status of DOs in SCADA with BITAND function and also write data to the device tags with a move function which would turn ON or OFF a field device. Now if there was a device that could write data to modbus registers (40001 in our case) faster than PLC's scan cycle, wouldn't that device be capable of altering the DOs?

(I have not tested this. Neither have I done any PLC programming on my own without supervision. I am familiar with embedded devices and LabVIEW. I have seen such a code and before executing my first own project in PLC I just wanted to know if this might be possible and at the same time do tell me if this is the right way to program. As of now, what I have planned to do is write status of device tags to a register and read that register rather than going the other way around.)

https://9apps.ooo/

RoozeeR · ‎2022-07-21

Hello PLC Noob,

This is a known security risk to existing PLC applications, especially when the PLC is left completely "open". Modern PLC systems and software have the ability to prevent certain actions, but again if the PLC application is configured with all security disabled or on older systems this is a security risk. Documentation is available that show how users can prevent this from happening can be found here: https://www.se.com/ww/en/work/support/cybersecurity/resources.jsp

The document " How can I… Reduce Vulnerability to Cyber Attacks " describes this for PLC/SCADA systems.

Coming back to your question:

Writing data faster than the PLC cycle time is not possible: In a Modicon PLC/PAC the access for the communication interface to data memory inside the CPU is only accessible between 2 scans. So writing faster than cycle time is not possible.

When you write data to a Holding register (ex. 400001 or %MW1) you will overwrite the existing data. When this data is used to activate Outputs, you might set/reset outputs. This also depends on the PLC application itself. If the data of this Holding register is used as setpoint for by example a PID controller controlling temperature, you are basically entering a new setpoint.

Solutions to prevent this kind of "accidently" overwritten data can be found in mentioned documentation " How can I… Reduce Vulnerability to Cyber Attacks " and can basically be at a minimum:

- Have write protection set enabled to Holding Registers;

- Set Access Control list to prevent unknown IP addresses to connect and communicate with the CPU;

- Use network segmentation;

- Use firewalls protecting PLC communications for unwanted access;

R.Roozee
Sr Solution Architect (SAE Master)