Supply chain security has been a growing topic over the last two years. A little-discussed subtopic is trash security — what happens to your equipment when you’re done with it?
I’ve been buying controllers on eBay with some regularity — whenever one pops up and is ridiculously cheap, I buy it. So far I’ve had a few fairly amazing buys that stress the importance of proper equipment disposal. I also have yet to buy a dead controller. As much as I make fun of slow processors and lack of memory, industrial controllers are built to last.
The first two relays I purchased were the same make and model — ABB REL512 Line Protection units. These relays are often used on very high-voltage lines. I was told that ABB electric equipment is found less frequently in the United States, and are more often seen in Europe thanks to their support of a lot of IEC protocols.
I was really interested in the first one because of this supposed US rarity, and the fact that it was being sold from an industrial surplusser located in the US. “Who is using this relay in the US?” I wondered. Given how frequently they pop up for sale, I’m beginning to doubt the person that gave me the beta on ABB and the USA…
The first device arrived and wasn’t configured — it was still in its original box, though, in a vacuum-sealed plastic bag. I’ll just say that the original shipping label had a nuclear power plant as the recipient address. I ended up ‘bricking’ this device when I tapped its settings software and played around with the protocol used to configure it (it only had serial ports, and it seems pretty unlikely that a bad guy would be able to repeat what I tried).
Since I broke the first device, I figured that I would buy a second some day so that I could attach a JTAG debugger to it and find out exactly what I broke on the first one (and hopefully fix it).
A second device of the exact same kind popped up some months later, sold by a different surplusser in a different region of the US. It was quite inexpensively priced, at a whopping $100 (retail I think these relays cost $8,000-$10,000). The auction photo of the device showed all of its front-panel LEDs lit up, but I bit the bullet and hoped that I would get something that worked.
What arrived didn’t boot. It just beeped when I plugged it in. I popped open the front plate and found the ribbon cable between the front panel and main board was detached. I reconnected the cable, plugged the device into the wall again, and voilà…it booted.
…Only, it was configured by an electric utility. It still had settings, event reports, and a password. The settings were interesting, and included the substation name, street name, city, and even the panel in which the relay was originally installed.
A third device was a totally unrelated PLC which still had its configuration available. According to the ‘Station Comments’ text, it was owned by an automotive manufacturer. It was still configured with an IP address that was owned by the manufacturer according to IANA. I have little doubt as to its ownership.
Equipment disposal is a fairly strange area wherever an embedded device is concerned. Embedded products often have flash memory and strange ways of zero’ing out settings that may not be as thorough as you’d think. One network switch that I tinkered with stored the administrator password in plaintext, and if the password was blanked, the first byte of the storage location in memory was literally just overwritten with a single 0. So if the original password was ‘password’, that location would have 0×00, followed by ‘assword’ when a reset was performed.
A good rule of thumb is to negotiate disposal with your vendor during the procurement process. It’s both more environmentally friendly, and adds some security — the vendor should know how to really wipe the device before refurbishing it for resale or disposing of it the old-fashioned way.
Image by waynewilkinson

0 comments:
Post a Comment