Allen-Bradley HMI – Unprotected Remote Access And Network Discovery using FactoryTalk View Studio ME

Affected Systems Include: Allen-Bradley PanelView HMIs

Requirements:

  • Internet Access
  • Web Browser for searching the Shodan IoT database
  • FactoryTalk View Studio ME (Machine Edition) – by Rockwell Automation (v8.00 used for this demonstration)

Focus:

Target Allen-Bradley PanelView HMIs (Human Machine Interfaces) that are directly connected to the Internet, and show how easily such systems can expose a critical infrastructure device or process. Then perform network and process discovery using the uploaded HMI application.

Introduction:

This guide will demonstrate the immediate need for a change in the way that non-security-conscious Control Systems Integrators access and install their equipment. There is a general gap in knowledge between the Systems Integrators who program the PLCs, HMIs and SCADA systems and their IT counterparts when dealing with new or updated systems at manufacturing facilities. The Integrators generally do not have the knowledge or mindset needed to set up a well-secured system. Integrators are usually concerned only with being able to access the control devices (HMIs, etc.) remotely, to alleviate additional trips on site, which can be a costly endeavor over time, and to provide quick support for their customers.

This approach has left many unprotected control system devices wide open on the Internet, available to anyone who wishes to misuse them. These systems can include critical infrastructure, school systems, manufacturing facilities, car washes, etc.

The PDF version of this guide is available here

  1. Navigate a web browser to the SHODAN search engine https://www.shodan.io/
  2. Type the following text into the search field: panelview
  3. Press the “Enter” key to display the search results. The results should resemble the following:

Shodan Search Results

Here is a close-up of one of the results:

shodan result zoom

The search has clearly identified an Allen-Bradley PanelView Plus 6 1000 that is directly connected to the Internet at the IP address shown on the left-hand side. We now have all the information needed to connect to the HMI and upload the application.

  4. Install the Rockwell Automation programming software, FactoryTalk View Studio ME (Machine Edition), with the default options checked. FactoryTalk View Studio is the development software used for programming Allen-Bradley PanelView touch-screen interfaces (HMI, Human Machine Interface).

FactoryTalk View Studio ME installation should look like the following:

FTView Install

FTView Install in progress

Note: FactoryTalk View Studio does require a valid activation to be present; however, the software will run fully functional for a 7-day grace period starting from the first time it is started. If the software was installed in a virtual machine, this is a good time to make a copy of the VM before opening any of the newly installed Rockwell software. That way the 7-day grace period has not been activated in the saved “base” copy of the VM, and there will be no need to sit through the software installation again in the future. Then use the new copy as a “working” VM.

  5. Open the start menu and run “FactoryTalk Administration Console”, located in the Rockwell Software folder.

start menu administration console

Once FactoryTalk Administration Console opens it will look like the following picture:

admin console open

  6. In the pop-up dialog box, click the drop-down menu, select “Local”, and click “OK”.

admin console local

  7. The application will continue to load. Once it is fully loaded, click on the “Communications” tab as shown below.

admin console communications tab select

  8. Right-click on the driver in the RSLinx Enterprise project tree labeled “Ethernet, Ethernet” and click “Add Device” in the context menu.

admin console comms add device

  9. The “Add Device Selection” dialog box will be displayed.

admin console add device selector

Expand the “EthernetIP Devices” folder, scroll down the list to select the specific PanelView model identified by the Shodan search, and click “OK” (e.g. PanelView Plus 1250).

shodan pv1250

admin console comms add device pv1250

  10. The “Device Properties” dialog box will then be displayed. Fill in the IP address of the same device from the Shodan search and click “OK”. You may also give the device a name.

admin console add pv1250 ip

  11. Verify the new device has been added to the “Ethernet, Ethernet” driver under the RSLinx Enterprise project tree on the Communications tab.

Note: There is no limit to the number of devices that can be added. Simply repeat the above process to add more results from the Shodan search if needed. The more devices added, the more likely it is to find nodes that are still active on the Internet.

admin console panelview added to comms

  12. Close the FactoryTalk Administration Console application.
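The Shodan result and the RSLinx Enterprise device entry created above show the core exposure: an HMI that answers EtherNet/IP from any Internet address. The following script is an added example written for the defending side; it is not code from this guide or from Rockwell Automation. It scans firewall accept logs for EtherNet/IP sessions to known HMIs and flags those that come from outside the plant address space or from hosts that are not on the engineering-workstation allow list. The key=value log format, the HMI inventory, the allow list and every address and timestamp are constructed for the example; the EtherNet/IP port numbers (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O) are the standard ODVA assignments and are not stated in the guide.

```python
"""Flag EtherNet/IP sessions to HMIs that originate outside the plant or from
hosts that are not approved engineering workstations.

Added example. The key=value accept-log format, the HMI inventory, the allow
list and all addresses/timestamps are constructed; the EtherNet/IP ports are
the standard ODVA assignments (TCP 44818 explicit messaging, UDP 2222 implicit
I/O), which the guide does not state.
"""
import ipaddress
import re
from dataclasses import dataclass

# (protocol, port) pairs that carry EtherNet/IP, the protocol RSLinx Enterprise
# and the ME Transfer Utility use to reach a PanelView.
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Constructed site address plan; anything outside it is treated as external.
SITE_NETWORKS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset inventory: the HMIs the site owns, and the only hosts that
# are permitted to talk EtherNet/IP to them.
HMI_ASSETS = {"10.20.30.40": "PanelView Plus 1250, line 1"}
ALLOWED_ENGINEERING_HOSTS = {"10.20.1.15"}

LOG_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    reason: str


def is_internal(ip: str) -> bool:
    """True when the address falls inside the site's own address plan."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SITE_NETWORKS)


def classify(line: str):
    """Return a Finding for a suspicious EtherNet/IP session to an HMI, else None."""
    m = LOG_RE.match(line)
    if not m or m["action"] != "accept":
        return None  # unparsable, or the firewall already blocked it
    proto, dport = m["proto"].lower(), int(m["dport"])
    src, dst = m["src"], m["dst"]
    if (proto, dport) not in ENIP_PORTS or dst not in HMI_ASSETS:
        return None  # not EtherNet/IP, or not one of our HMIs
    if not is_internal(src):
        return Finding(m["ts"], src, dst, dport, "critical",
                       f"EtherNet/IP to {HMI_ASSETS[dst]} from outside the plant")
    if src not in ALLOWED_ENGINEERING_HOSTS:
        return Finding(m["ts"], src, dst, dport, "high",
                       f"EtherNet/IP to {HMI_ASSETS[dst]} from a non-engineering host")
    return None


def scan(lines):
    """Run classify over every log line and keep the findings, in log order."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed firewall accept log: one approved engineering session, two from a
# non-site address (the Shodan scenario), one from an unapproved internal host,
# one unrelated HTTPS session and one already-dropped attempt.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z action=accept proto=tcp src=10.20.1.15:50211 dst=10.20.30.40:44818
2016-03-01T10:02:17Z action=accept proto=tcp src=203.0.113.77:41022 dst=10.20.30.40:44818
2016-03-01T10:02:18Z action=accept proto=udp src=203.0.113.77:2222 dst=10.20.30.40:2222
2016-03-01T10:05:00Z action=accept proto=tcp src=10.20.5.9:40001 dst=10.20.30.40:44818
2016-03-01T10:06:00Z action=accept proto=tcp src=203.0.113.77:41100 dst=10.20.30.40:443
2016-03-01T10:07:00Z action=drop proto=tcp src=198.51.100.5:3333 dst=10.20.30.40:44818
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against real perimeter or plant-firewall logs, a critical finding is exactly the condition the Shodan search exposes, and the fix is removing the HMI's public reachability (no Internet-facing EtherNet/IP; remote support only through an authenticated VPN or jump host that lands on an approved engineering workstation). High findings point at internal hosts that should not be able to reach the HMI at all, which is what segmentation between the office and control networks is supposed to prevent.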

 

  13. Open the start menu and run “ME Transfer Utility”, located in the Rockwell Software\FactoryTalk View\Tools folder.

start menu ME transfer utility

  14. Once the application is open, select the “Upload” tab at the top.

ME transfer util upload tab

  15. Expand the “Ethernet, Ethernet” driver in the lower portion of the application and highlight the HMI device that was added previously in the FactoryTalk Administration Console.

ME transfer util device selected for upload

  16. To the right of the Source File: field, click the ellipsis “…” button. This opens a pop-up listing the applications currently residing on the PanelView’s internal storage. Select a file name and click “OK”.

Note: The files on the PanelView HMI are called “Runtime” files and have the .mer file extension. The runtime file is generated using the FactoryTalk View Studio ME development software. When generating a runtime file for a PanelView, care must be taken to make sure the runtime version is the same as the firmware version running on the PanelView HMI, e.g. create a version 7 runtime (*.mer file) to be transferred to and run by a PanelView with version 7 firmware.

ME transfer util select file to upload

  17. Once the Source File is selected, click the ellipsis “…” button for the destination and choose a destination folder. Click the “Upload” button in the top right.

ME transfer util click OK to upload

Wait for the upload to complete. This could take a few minutes depending on the network and the size of the application.

ME transfer util uploading

ME transfer util upload complete

  18. Once the upload has finished, click “OK” and close the ME Transfer Utility application.
  19. Open the start menu and run “Application Manager”, located in the Rockwell Software\FactoryTalk View\Tools folder.

start menu application manager

  20. Once the application loads, select the radio button “Restore runtime application” and click “Next”.

app manager restore runtime

Specify the runtime application to restore. This will be the *.mer file uploaded from the PanelView in the previous step. Leave the password field blank. Click “Next”.

app manager select app to restore

Enter a new name for the application. Click “Next”.

app manager HMI_App

The restoration process will begin.

app manager restoring

Once the restore is complete the progress bar pop-up will close. Now close the Application Manager program.

  21. Open the start menu and run “FactoryTalk View Studio”, located in the Rockwell Software\FactoryTalk View folder.

start menu factorytalkviewstudio

  22. FactoryTalk View Studio will open and look like the following image:

ftview open

Note: The 7-day grace period message will be displayed at the bottom of the application if it is not properly licensed.

activation error

  23. The newly restored PanelView application will be displayed in the list of HMI projects available to open. Click on it and then click “Open”.

FTView select app

  24. The project is now open and available for information gathering and/or modification.

FTView HMI_App open

  25. To learn a little more about the system, check the runtime communications by expanding “RSLinx Enterprise” in the project tree and double-clicking on “Communication Setup”. Then, in the top right section of the setup window, click on the “Runtime (Target)” tab. This will display which devices the PanelView HMI is set up to communicate with. Depending on the setup of the system, this could display the IP addresses and network layout of multiple PLCs being used.

FTView runtime comms

The main area of interest is the individual screens in the project. These are found under the “Graphics” folder in the project tree; expand the “Displays” item to show all the developed screens. From here the exact process can be figured out and dissected, which is not covered in this guide.

FTView display highlighted

Working down the project tree, there are items such as HMI Tags, Displays, Project Settings, Alarm Setup and Macros, all accessible for information gathering or modification.

From this point the PanelView application can be modified in any way. A new runtime file (*.mer) can be created and transferred back over the Internet to the PanelView. Also, a completely new and different application can be transferred to the PanelView, which could shut down whatever process it was being used for. The possibilities are nearly endless.
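Because the guide shows that the runtime on an exposed PanelView can be uploaded, modified and transferred back, a site needs a way to notice when the application running on an HMI is no longer the one it approved. The following is an added example and not code from this guide or from Rockwell Automation: it builds a baseline manifest of SHA-256 hashes for the approved .mer runtime of each HMI and compares a later set of copies against it, reporting modified, unexpected and missing files. The HMI names, file names and file contents are constructed for the example; obtaining the copies (for instance with the ME Transfer Utility upload shown above) is outside the script, which only compares files already on the engineering workstation.

```python
"""Integrity baseline for PanelView runtime (.mer) files.

Added example; HMI names, file names and file bytes are constructed. The
script only compares copies that are already on the engineering workstation.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(hmi_runtimes):
    """Create the approved baseline.

    hmi_runtimes maps an HMI name to {filename: file bytes}; the result maps
    the same keys to {filename: {"sha256": ..., "size": ...}} and is what gets
    stored (e.g. as JSON) in a location the control network cannot write to.
    """
    return {
        hmi: {name: {"sha256": sha256_hex(blob), "size": len(blob)}
              for name, blob in files.items()}
        for hmi, files in hmi_runtimes.items()
    }


def compare(manifest, current):
    """Return (hmi, filename, status) for every deviation from the baseline.

    status is 'modified' when the hash differs, 'unexpected' when a file is
    present on the HMI but not in the baseline, and 'missing' when a baseline
    file is no longer present. An HMI absent from `current` (not reachable at
    pull time) reports all of its baseline files as missing.
    """
    findings = []
    for hmi in sorted(set(manifest) | set(current)):
        base = manifest.get(hmi, {})
        now = current.get(hmi, {})
        for name in sorted(set(base) | set(now)):
            if name not in now:
                findings.append((hmi, name, "missing"))
            elif name not in base:
                findings.append((hmi, name, "unexpected"))
            elif sha256_hex(now[name]) != base[name]["sha256"]:
                findings.append((hmi, name, "modified"))
    return findings


# Constructed baseline: the runtimes approved at commissioning.
APPROVED_RUNTIMES = {
    "PVP1250-line1": {"Line1_v7.mer": b"CONSTRUCTED MER LINE1 V7 REV3"},
    "PVP1000-line2": {"Line2_v7.mer": b"CONSTRUCTED MER LINE2 V7 REV1"},
}
BASELINE = build_manifest(APPROVED_RUNTIMES)

# Constructed later pull: line 1 now carries an altered runtime plus a file
# nobody approved, line 2 is unchanged.
PULLED_RUNTIMES = {
    "PVP1250-line1": {
        "Line1_v7.mer": b"CONSTRUCTED MER LINE1 V7 REV3 TAMPERED",
        "Startup.mer": b"CONSTRUCTED UNKNOWN APPLICATION",
    },
    "PVP1000-line2": {"Line2_v7.mer": b"CONSTRUCTED MER LINE2 V7 REV1"},
}


def audit():
    """Compare the pulled copies against the baseline."""
    return compare(BASELINE, PULLED_RUNTIMES)


if __name__ == "__main__":
    print(json.dumps(BASELINE, indent=2))
    for hmi, name, status in audit():
        print(f"{status:10} {hmi}/{name}")
```

The baseline has to come from the project's own build, taken before deployment and stored where the HMI network cannot write to it; a "modified" or "unexpected" result after a routine pull is then a strong indicator that someone else has been transferring runtimes to the panel. This check complements, rather than replaces, taking the HMI off the Internet.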

**********************************************************************************************************

As stated previously, this write-up was created with the intention of showing how easily accessible Industrial Control Systems currently are, with the hope that it can be an eye-opening experience for everyone in the industry. We all need to make sure we have properly trained Systems Integrators, Information Technology staff and maintenance personnel working on our critical infrastructure control systems.