List members:

I've read numerous messages over the last couple weeks about people plugging their PLCs and associated doo-dads into the Internet, and I have a question. Have you guys ever thought about:

1) Security Holes
2) Vulnerability to denial-of-service attacks

-- Security Holes

Most all software that has been used on the Internet does indeed have some security holes. In the case of open-source software, like Apache, bugs are fixed by people looking at the code and going "Hey! That's not right." In the case of closed-source software, like Microsoft's IIS, bugs are fixed by people telling Microsoft, and them fixing it.

Given that we don't have access to the code running in these web modules or what have you attached to the Internet, we're all stuck in the "hope no one finds any bugs" mode, and after that the "hope no one finds my device" mode. There's a risk there, but I would say that there's such a minuscule amount of these devices on the web, that the chance of one being hacked into is minimal, because no one will bother.

-- Vulnerability to denial-of-service attacks

This is one that I think is much more critical, because I actually managed to do this. A motion controller from a company that shall remain nameless has an Ethernet adapter, and TCP/IP support. Being the inquisitive type that I am, I fired up a Linux box, and port scanned the motion controller using nmap.

The result: The motion controller's interface hung. It stopped. I couldn't ping the thing anymore. I couldn't access the thing through the serial port anymore either. I didn't have any motors plugged in, so I couldn't tell whether or not that part was still functioning.

I contacted the company that makes the controller, told them what I did, and their response was... "We don't support Linux."

This was despite the fact that Linux wasn't the problem... the port scan that hit the ports on the controller crashed it. I can get port scanners for every OS, and it's not uncommon for machines on the Internet to be port scanned. My dynamic dialup connection gets port scanned on a regular basis!

So now the questions are... What type of testing are any of you guys doing on devices that you're hooking up to the Internet? What type of testing does the manufacturer of the equipment do? Do they realize that plugging a device into the Internet means that it's going to have to have a much more robust communication stack than before?

I would be extremely interested to hear your thoughts on this matter.

Alex Pavloff
Software Engineer
Eason Technology