My PLC makes an excellent web server

Supervisory Control And Data Acquisition, SCADA, is the term used for a variety of hardware and software combinations that control things. Not things like personal computers, but things like factories. Often these things are critical infrastructures, such as the power grid, transportation systems, or other wide ranging distributed control environments. Programmable Logic Controllers (PLCs) are at the heart of modern SCADA systems. PLCs read data inputs, act upon these data inputs, and set or reset outputs; they control everything from printing or packaging equipment on a factory floor to hydroelectric generators, train signalling systems, and airport parking structures. Over time, the functionality included in PLCs has increased dramatically; what used to be a simple-minded device is now an advanced computing machine with several different communications interfaces. At the same time, many (most?) PLCs now can be connected via standard Internet communications arrangements, using standard Internet protocols. To prove the point we have turned one of our lab PLCs into a general purpose - although size restricted - web server. What security issues are raised by this capability? Suddenly the information you are seeing presented by the PLC may not be correct, since the web pages might contain anything at all. Simply by replacing the factory-installed web content in the PLC we can spoof the pages in order to display whatever input or output status is desired, regardless of the actual status of the device. Can you trust what you are seeing from your control system? "No" is a bad answer! This paper provides details on a specific file system for a commercial PLC, and describes how we managed to spoof the download software to allow arbitrary files to be written into it. We wish to emphasized that our paper is presented as a do-it-yourself approach, as opposed to the usual research paper, in order to demonstrate the potential issues that arise when the firmware in PLCs can be modified.