No one wants to see a blue screen on a Friday morning!

Not sure if folks are following the news, but a major bug has been identified with CrowdStrike Falcon stemming from a bad update. It is causing blue screens in Windows. Here is a statement from George Kurtz, CEO:

CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.

There is a manual workaround, which is scriptable:

  • Boot Windows into Safe Mode or the Windows Recovery Environment
  • Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
  • Locate the file matching ‘C-0000029*.sys’, and delete it.
  • Boot the system normally.

Just when we thought this was bad enough… Microsoft had an Azure outage. Looks like Azure Central US was down for hours. But had global impacts. Airlines and other major customers all over the world we impacted. some in India reverted to checking in passengers manually in excel spreadsheets. Also affected M365.

“We experienced a Storage incident in Central US which had downstream impact to a number of Azure services. This is currently mitigated; however, we are still in the process of validating recovery to a small percentage of those downstream services. This was communicated to affected customers via the Service Health dashboard in the Azure portal. We are also aware of an issue impacting Virtual Machines running Windows, running the CrowdStrike Falcon agent, which may encounter a bug check (BSOD) and get stuck in a restarting state. While this is an external dependency, we are currently investigating potential options for Azure customers to mitigate and will be providing updates via the status page here: https://azure.status.microsoft/en-gb/status/ as well as our Azure portal, where possible.”

Good luck everyone!

Read more

Hello All. During the last ICS Cybersecurity course I taught some of my students asked me to post some details about configuring an Allen Bradley Micro820 PLC. We use the Micro820 for our labs as it is great name-brand, low-cost PLC with onboard ethernet.  Sells for around $400 (not including the power supply)

The Micro820 programmable logic controllers (PLC) includes a nano-sized footprint and is designed for small standalone machine control and remote automation applications that require flexible communications and I/O capabilities. These controllers support up to 36 I/O points with many embedded features such as Ethernet, microSD slot for recipe and data log, and analog I/O. Furthermore, all the software and documentation needed to configure the PLC as well as create some initial programs (e.g., ladder logic, structured text, and/or function blocks) is available for download off Rockwell’s website.

Rockwell Software (CCW)

If you’re just getting started, you’ll need to install both RSLinx and Connected Components Workbench (CCW). RSLinx is installed automatically with CCW.  Do a search for Connected Components Workbench (CCW) Standard Edition.

Visit Rockwell’s site: https://compatibility.rockwellautomation.com/Pages/MultiProductFindDownloads.aspx?crumb=112&refSoft=1&toggleState=&versions=57681

You will have to create an account and login to get access to the software.  The simply download the software:

  • IMPORTANT – if you are running Windows 10 or later (which you probably are), you will need to install .NET 3.5 or the install will not work. If you have issues installing .NET 3.5, then you may need a Windows 7 VM.
  • Run the .exe file (part 1) as an administrator to extract the .rar files (part 2)
  • Open the subdirectory that was created in part 9. It should contain a file named “setup.exe.”
  • Run “setup.exe” as an administrator to install both RSLinx and CCW.
  • Unless you need one of the language packs (Chinese, Portuguese, French, Italian, German, or Spanish), I recommend installing the components/features which are selected by default.

Wiring the PLC

There are lots of ways to wire a PLC, and I have no idea which way is best for you. The method presented here is what I call “PLC on a stick,” which is exactly the way it sounds, except it’s a rail and not a stick (but you can still use it to point at people).

Think of PLC on a stick as being analogous to a microcontroller experimenter board. It works really well for the cubicle experimenter or electronics enthusiast, not so well for those in need of a legit control panel.

Before routing wires, it’s usually a good idea to put a little thought into the mechanical layout. I start with a piece of 35 mm DIN rail (say 12-18 inches) and then I find an arrangement that makes sense. For example:

Putting the power supply on the left makes sense to me because I like to visualize the input to the power supply on the left and the output on the right, but whatever works for you.

When I decide on a layout I start wiring stuff:

The terminal blocks provide a way to connect switches and indicators, but they aren’t necessary:

Connecting to the Micro820 for the first time (via Ethernet)

Ethernet is probably the simplest of the two methods, since you need only an Ethernet cable. These instructions assume you’re connecting to the Micro820 for the first time.

A new Micro820 will be configured for DHCP. This means all you have to do is ensure you’re network adapter is also configured for DHCP and then open RSLinx. RSLinx should to the rest.

  • Power up the Micro820
  • Use an Ethernet cable to connect the Micro820 to you Windows machine
  • Open the “Network Connections” screen (Control Panel > Network and Sharing Center > Change adapter settings).
  • Right-click on the Ethernet adapter you used in step 2 and select “Properties.” (If you’re not sure which adapter you’re using, just unplug the Ethernet cable and plug it back in. The adapter’s icon will change as you do so.)
  • In the “Local Area Connection Properties” window, select “Internet Protocol Version 4 (TCP/IPv4)” and click “Properties.”

  • Ensure “Obtain an IP address automatically” is selected.

  • Click “OK” to close the “Internet Protocol Version 4 (TCP/IPv4) Properties” window.
  • Click “Close” to close the “Local Area Connection Properties” window.
  • To open RSLinx Classic Lite, hit the Windows key, type “rslinx,” and press the Enter key.
  • In the list on the left, expand the list item named “AB_ETHIP-1, Ethernet.”

Read more

Microsoft has released a new open-source security tool to close gaps in threat analysis for industrial control systems and help address increased nation-state attacks on critical infrastructure.

The new tool, called ICSpector, is built on an open-source framework that facilitates the examination of industrial programmable logic controllers – a set of hardware and software components that are used for managing and controlling different operations within an industrial environment.

While PLCs are integral to industrial control systems and are used in water and power grid systems, analyzing them poses challenges because of a lack of adequate threat detection tools and a dearth of expertise in the sector, according to Microsoft. OT analysis often involves sorting through sensitive data collected from sensors and controllers, Microsoft said.

“One of the biggest challenges is retrieving the code running on the PLC and scanning it as part of an incident response to understand if it was tampered with because the PLCs are actively operating vital industrial process,” Microsoft said

Microsoft said the new tool, which is available on GitHub, can detect malicious modifications, extract the timestamp of the changes made to a system, and provide an overview of the execution flow of tasks within the system, the company said.

“Currently, the system supports three OT protocols: Siemens S7Comm, which is compatible with the S7-300/400 series, Rockwell RSLogix, using the Common Industrial Protocol, and Codesys V3,” the company said.

ICSpector: Microsoft ICS Forensics Framework can be downloaded from Github at: https://github.com/microsoft/ics-forensics-tools

Read more