Omron Security FAIL

After reading too much about Sony, I decided to do a little investigation into the security of our facility. Googling "Omron PLC Security" returns a very scary, naive whitepaper as the first result.

This official Omron whitepaper claims that Omron PLCs are secure because hackers don't use FINS. However, I figure it would take me a few hours to write a kiddie-script Omron port scanner, and probably less than an additional day to figure out how to do something malicious! Furthermore, even password-protected Omron PLCs seem to lock out after a few login attempts, which would make a DoS attack trivial to implement.

Am I the only one who gets sick to their stomach reading something this stupid??

http://echannel.omron247.com:8085/marcom/pdfcatal.nsf/0/7CC1E9D8D2A1C3BF862573760063920C/$file/InternetAccessToPLC_whitePaper_en_200910.pdf

"The question becomes: ‘what security risk does this pose to the customer’? The answer is fairly simple: the security risk is very low"

"When a router is forwarding a TCP or UDP port to an Omron PLC, the traffic is being delivered to a non Windows based operating system. This makes the PLC impenetrable to standard hacking methods. The PLC will only respond to Omron FINS (Factory Intelligent Network Services) commands, not standard Ethernet protocol commands."
 
It's common sense to block port 9600 and not allow internet access to Omron PLCs, but that is not what this official Omron whitepaper recommends! The fact that they go on to claim that this is safe is mind boggling!

I'm not even particularly confident in the single line of defense of a firewall/router. It's still trivial to combine some off-the-shelf malware with a PLC port scanner to attack from the inside the firewall.
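The check the posts above call for (do not let FINS on port 9600 reach a PLC from the internet), as an added example that is not from this thread or from Omron: a small Python script that reads constructed firewall log lines, flags accepted connections to port 9600 whose source is outside RFC 1918 space, and counts hits per source so repeated attempts (the lockout/DoS concern raised above) stand out. The log line format, the addresses and the choice of RFC 1918 as "inside" are all assumptions.

```python
import ipaddress
import re
from collections import Counter

FINS_PORT = 9600  # default Omron FINS port named in the thread

# Constructed sample firewall log lines (not real traffic); the format is an assumption.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ACCEPT src=203.0.113.5 dst=192.168.1.20 proto=UDP dport=9600
2024-01-01T10:00:02Z ACCEPT src=203.0.113.5 dst=192.168.1.20 proto=UDP dport=9600
2024-01-01T10:00:03Z ACCEPT src=192.168.1.50 dst=192.168.1.20 proto=UDP dport=9600
2024-01-01T10:00:04Z ACCEPT src=203.0.113.5 dst=192.168.1.20 proto=TCP dport=9600
2024-01-01T10:00:05Z ACCEPT src=198.51.100.9 dst=192.168.1.20 proto=TCP dport=443
2024-01-01T10:00:06Z DROP src=198.51.100.9 dst=192.168.1.20 proto=UDP dport=9600
"""

# Assumption: "inside" means RFC 1918 space; adjust to the plant's real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) proto=(TCP|UDP) dport=(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, proto, dport = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_exposed_fins(log_text):
    """Return accepted connections to the FINS port that came from outside the plant network."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dport"] != FINS_PORT:
            continue
        if not is_internal(rec["src"]):
            findings.append(rec)
    return findings


def count_by_source(findings):
    """Hits per external source; a burst from one source is the login-lockout DoS scenario."""
    return Counter(rec["src"] for rec in findings)


if __name__ == "__main__":
    hits = find_exposed_fins(SAMPLE_LOG)
    for src, n in count_by_source(hits).items():
        print(f"external FINS access from {src}: {n} accepted connection(s)")
```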
 
And 'security by obscurity' works so well.

And of course no hacker knows how to use Google to look up 'Omron FINS protocol'.

Good luck with that Omron.
 
To be fair, that white paper is copyrighted 2009, a year before Stuxnet was publicized. It doesn't make it any less wrong, but I don't think too many PLC vendors were giving better advice at the time.

I would hope that more recent documentation would have better advice, but the fact that it is still available is a whoopsie.
 
Encryption is easy and the antiquated trade laws that used to make shipping complicated are slowly going away. The big issue right now is how to authenticate; a password is the obvious and most troublesome answer. An older machine goes down, you need a password to connect, no one at the end user has it and the guy at the OEM that wrote the program is dead/at a different job, the PLC maker says there is no back door for security reasons, and everyone is screwed. In the end, everyone will be pointing at everyone else and PLC makers don't want to be pointed at. They'd rather tell you to set up a firewall and wash their hands of it.

PLC makers certainly don't want to maintain a database of passwords, so there probably won't be a "Forgot your password?" button. Physical dongles would be a nightmare for remote support. Biometrics are no better than passwords in the long term. How do you authenticate in a way that allows people to connect when all authentication knowledge has been lost to employee turnover and filing system changes?

I think a good compromise would be for the PLC to be able to display a temporary connection password locally (on the HMI at boot, or directly on the PLC with an LED display or LED blink code). Even better, have it write a time sensitive key file to a USB stick that you can email to the OEM. So if Wind River or any PLC maker is reading this, it's a workable solution to people losing passwords. It requires physical access to the machine cabinet and knowledge on how to get the password/key out of the PLC.

EDIT: What I'm saying is security on PLCs is terrible because if it was better, end users and OEMs would end up locking themselves out and calling/litigating the PLC makers. PLC makers don't want to deal with the calls/litigation so they skirt the issue.
 
