The PLCs are very low powered (in computing terms) devices which has led to highly efficient but low security code being developed. Also makes deploying network level encryption very hard.

PLCs have system lifecycles of up to 25 years meaning noone is getting replacements any time soon.

To patch a PLC for many of them requires physicaly visiting them and replacing the firmware with custom written code over a serial link, not feasible in estates with 10s of thousands of PLCs across large campuses or distributed around the country.

The PLCs were originally serial, the move to Ethernet (Or a variant of) generally meant wrapping a serial protocol up in an ethernet frame. The move to IP has meant wrapping those up again in an IP packet. No consideration was given in the protocol design to the threats in an IP environment.

There are no good security testing tools for the legacy SCADA protocols in the public domain. I know some end users are scanning PLCs with standard IT vulnerability scanners like nessus and assuming that tells them something about the state of their systems. We need ModBus network fuzzers and the like. These already exist in private.

Those PLCs that have had IP stacks and web servers added are generally used for monitoring rather than control (although this is changing). In general there is a good bet that the custom IP stack will have a flaw allowing at a minimum for denial of service and the web server will be using vanilla HTTP without authentication.

Somewhere along the line the SCADA industry decided to standardise on Microsoft DCOM as the transport for their interoperable control protocol OPC. Anyone from the more technical end of security would know thats like building a malaria hospital in a swamp. Just look at the number of OPC tunneling products that have been created to get OPC past corporate firewalls or the fact that the complexity of getting DCOM based authentication working across different domains/ADs means most deployments allow anonymous or unauthenticated access for simplicity. Then look at the number of DCOM vulnerabilities found in the early 2000s and remember the OPC clients/servers haven’t had that level of scrutiny applied yet.

There are plenty of other problems but imagine the SCADA/PLC world is where the Internet was 10 years ago, many the same sorts of problems will be found and need to be fixed and at the moment there is no way to deploy those fixes or a way to deploy new versions with the built in as part of the system refresh cycle.

wg