Reply to post: Re: air gap - Air Gap - AIR GAP

Researchers warn of unpatched remote code execution flaws in Schneider Electric industrial gear

thames

Re: air gap - Air Gap - AIR GAP

Relying on the PLC itself for security is a bit pointless. If you can get access to the same network at all then there is all sorts of mischief you can get up to without even bothering with talking to the PLC itself.

If you need remote access to equipment (e.g. a pipeline or tank farm) then the realistic solution is as you said to put some IT grade kit on the front end to limit access.

The issue in the case presented here isn't with Modbus itself, it's with Modicon's (part of Schneider now) proprietary extensions to Modbus. These extensions are used to configure, manage, and debug the PLC and user programs, while the public standard version of Modbus just exchanges user application data.

The key vulnerability in this case is that one of the proprietary extensions allows the programming software (the IDE for creating user programs) to upload the password from the PLC so that it can validate the user password without having to query the PLC on each log-in attempt. An analogy would be if the web page to log into this comments page uploaded the password from El Reg's servers so that it could do authentication in the browser instead of doing it on the server. The problems inherent in that should be obvious, but it's common practice in the industry, not just something Schneider did.

They can then combine this with the proprietary extensions to Modbus to reset the password, which then allows access to still more proprietary features.

Part of the problem is that Modicon shoehorned the management and control protocol into the user data application protocol, a legacy of the RS-232 / RS-485 days. This forces them to jump through a lot of hoops which aren't really necessary once you are using TCP/IP, as the latter allows the use of multiple protocols on multiple IP ports. They could strip their proprietary extensions out of Modbus altogether and use a different protocol for the programming software, one which was more suited to the task.
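The design flaw thames describes (the programming tool pulls the stored password off the controller and checks it locally) is easy to see when the two authentication styles are put side by side. The following is an added illustration, not Schneider or Modicon code and not a model of their actual protocol: `ClientSideAuthDevice`, `ServerSideAuthDevice`, the `wire` log and the sample credential are all constructed for the example. The anti-pattern hands the secret to the client; the hardened version keeps only a salted, stretched verifier on the device, issues a single-use nonce, and does the comparison itself, so a passive observer of the link sees neither the password nor anything reusable.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: every message that would cross the network is appended
# to a `wire` list of (direction, kind, payload) so the exposure is visible.


class ClientSideAuthDevice:
    """Anti-pattern: the device ships its stored secret to the client,
    which performs the comparison locally (the pattern the post describes)."""

    def __init__(self, password: str):
        self._password = password  # held in the clear on the device

    def upload_password(self, wire: list) -> str:
        # The "upload password" style extension: secret leaves the device.
        wire.append(("device->client", "password", self._password))
        return self._password


def client_side_login(device: ClientSideAuthDevice, attempt: str, wire: list) -> bool:
    stored = device.upload_password(wire)
    return hmac.compare_digest(stored.encode(), attempt.encode())


def derive_verifier(password: str, salt: bytes, iterations: int) -> bytes:
    # Salted, stretched verifier; the device never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def client_response(attempt: str, salt: bytes, nonce: bytes, iterations: int) -> bytes:
    # Client proves knowledge of the password by keying an HMAC over the nonce.
    key = derive_verifier(attempt, salt, iterations)
    return hmac.new(key, nonce, hashlib.sha256).digest()


class ServerSideAuthDevice:
    """Hardened pattern: the device keeps a verifier, issues a single-use
    challenge, and checks the response itself. The secret never crosses the wire."""

    ITERATIONS = 100_000

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._verifier = derive_verifier(password, self._salt, self.ITERATIONS)
        self._pending: set[bytes] = set()  # nonces issued but not yet consumed

    def challenge(self, wire: list) -> tuple[bytes, bytes]:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        wire.append(("device->client", "challenge", self._salt.hex() + ":" + nonce.hex()))
        return self._salt, nonce

    def verify(self, nonce: bytes, response: bytes, wire: list) -> bool:
        wire.append(("client->device", "response", response.hex()))
        if nonce not in self._pending:  # unknown nonce, or a replayed one
            return False
        self._pending.discard(nonce)  # each challenge is usable exactly once
        expected = hmac.new(self._verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def server_side_login(device: ServerSideAuthDevice, attempt: str, wire: list) -> bool:
    salt, nonce = device.challenge(wire)
    response = client_response(attempt, salt, nonce, device.ITERATIONS)
    return device.verify(nonce, response, wire)


def secret_seen_on_wire(wire: list, password: str) -> bool:
    """A passive observer's view: did the password itself cross the link?"""
    return any(password in str(payload) for _, _, payload in wire)


if __name__ == "__main__":
    pw = "correct-horse"  # constructed sample credential
    w1 = []
    ok1 = client_side_login(ClientSideAuthDevice(pw), pw, w1)
    print("client-side: login ok =", ok1, "| password on wire =", secret_seen_on_wire(w1, pw))
    w2 = []
    ok2 = server_side_login(ServerSideAuthDevice(pw), pw, w2)
    print("server-side: login ok =", ok2, "| password on wire =", secret_seen_on_wire(w2, pw))
```

Both paths accept the right password, but only the first one puts the credential on the network, and in the second a captured response is worthless once its nonce has been consumed. The remaining weakness of the hardened version is that the stored verifier is itself password-equivalent for this HMAC scheme if the device's storage is read out, which is why it belongs behind the network-level access controls thames recommends rather than standing in for them.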
