Traditionally, programmable logic controllers (PLCs) were considered insecure. But a new security guide outlines 20 best practices for coding industrial computing equipment, and aims to reimagine the PLC as the last line of defense in industrial processes.
A group of cybersecurity experts and automation engineers has created an open source guide with 20 recommendations for configuring PLCs to increase resiliency in the event of a security incident or configuration error in an industrial network. The so-called PLC Security Top 20 list, hosted by the ISA (International Society of Automation) Global Cybersecurity Alliance, will be officially released tomorrow, June 15th, for automation engineers to use when programming PLCs to perform physical processes, such as controlling fluid temperature or opening and closing valves or gates in factories and facilities.
The hope is that PLC suppliers will eventually build these practices into their products or provide templates to help customers adopt them when programming their devices.
Sarah Fluchs, CTO of German OT security company Admeritia and one of the main authors of the new PLC Security Top 20 list, said that two basic PLC characteristics can in fact be used to code equipment securely: their ability to control physical processes, such as opening or closing a door, and their “deterministic” design.
Fluchs explained: “PLCs can be the last line of defense, the last line of defense before you are physically impacted.” “You can bring in basic characteristics … their advantages in understanding the process and understanding how the process works,” such as how long it normally takes to open a door and how long is not normal, she said.
PLCs do not really prevent cyber attacks, she said, but they can minimize the impact of a cyber attack on the physical processes of a plant. Their process-monitoring function can be used to improve resiliency and security by flagging potentially malicious or abnormal behavior: “The device contains a lot of knowledge about what can and cannot happen. This knowledge is available to us.”
The difference between PLC programming and conventional software programming is that it is not written in a conventional software programming language; it is more about cycles and small tasks. “Everything in a PLC is related to cycles; you write small tasks that are completed in a short period of time … compare the input data with stored trend data, and then quickly decide what to do,” explains Reid Wightman, a vulnerability researcher at Dragos, an OT security company. “Regular software [programming] is transactional: I want to make a request, and you give me a response.”
The methodology of the PLC Security Top 20 list is similar to application security coding best practices, such as Microsoft’s Security Development Lifecycle (SDL) or OWASP’s secure coding practices, but is specific to the PLC’s existing functions. It treats the real-time operation of the equipment and its narrow, specific tasks as a kind of superpower for safety and resilience. The co-authors wrote in the document, which goes live tomorrow: “We are trying to turn the PLC, usually regarded as the Achilles heel of the automated factory, into a distributed and ruthless bodyguard of the factory, with a bodyguard in front of each (back) door.”
The secure coding practices in the new Top 20 list are grouped by security goal, including integrity (of PLC logic, timers and counters, and I/O values); hardening the attack surface; resilience; and monitoring of specific PLC values that may indicate security issues.
Some of the best practices on the list are obvious ones, such as splitting PLC code into modules that can be tested more easily; keeping the PLC in RUN mode and ensuring an alarm is raised when that changes, since a mode change indicates the PLC is not processing input/output data; and using PLC error flags as integrity checks. The list also calls for using cryptographic hashes or checksums to test the integrity of the PLC code, disabling unnecessary ports and protocols, logging PLC uptime and hard stops on the HMI, monitoring PLC memory usage and displaying it on the HMI, and capturing critical alarms.
The list is designed to continue to evolve and grow. The original Top 20 is regarded as a version 1.0 document and is open to comments and continuous input. “This is definitely something that needs to mature,” Fluchs said.
A properly programmed PLC
Until recently, PLCs were mostly not connected to anything other than their industrial control systems or other PLCs. Digitization has changed all of that, of course, as the once-sacred boundary between IT and OT networks has become more blurred.
So far, most PLC security research has focused on how to break into PLCs or manipulate them with malicious software to change industrial processes or corrupt the ladder logic of the equipment (essentially the programming language used to program PLCs). Researchers have built rootkits and worms for PLCs, and have recently discovered vulnerabilities in next-generation security features, such as Siemens’ memory protection in some of its SIMATIC PLCs.
Fortunately, most real-world attacks that have affected industrial organizations have not touched PLCs: they have been opportunistic IT-type threats, and the recent wave of cybercrime-driven ransomware has disrupted IT networks; in cases such as Colonial Pipeline, the company shut down its OT network as a preventive measure, which temporarily caused a gas shortage panic in parts of the United States.
However, the recent intrusion at a water treatment plant in Oldsmar, Florida, shows the potential for a cyber attack to have physical consequences, in this case poisoned drinking water. The intruder appears to have somehow obtained system credentials to remotely change settings via the TeamViewer application and raise the level of sodium hydroxide, or lye, to dangerous levels. Although an alert operator noticed the change, and the plant has other digital guardrails to prevent contamination of the water system, dangerous errors could occur in other situations.
“A properly programmed PLC,” said Dale Peterson, CEO of Digital Bond, would prevent such a rogue setting. “It will generate an alert: hey, this is trying to set something outside [the proper] range.”
Peterson said the Top 20 list is actually more about preventing misconfigurations from causing physical incidents, because operator and technician errors are the main cause of cyber-related disruptions in industrial systems.
“If you have a dedicated attacker attacking you, this will not save you,” Peterson pointed out. “But this [list] will prevent many errors that lead to interruptions and accidents. … Its biggest advantage is to prevent the process from entering a bad state.”
For example, the recommendation to monitor PLC memory can flag abnormal activity because PLCs tend to use memory at a consistent level over time. “If you suddenly see a surge in memory usage and [get] worried, that is very useful,” he pointed out.
This function is already available on some PLCs. The Top 20 list refers to Rockwell Allen-Bradley’s RSLogix 5000 task monitoring tool, which includes the ability to set a baseline for the PLC’s memory usage and track any trends.
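As an added example that is not part of the article or of the PLC Security Top 20 project itself, the following Python model shows the kind of PLC-level check Peterson describes: a scan-cycle task that validates an HMI-written setpoint against physically plausible bounds and a maximum step size before applying it, and raises an alarm otherwise. The setpoint name, limits and lye-dosing values are constructed for illustration.

```python
# Added example (not from the article or the PLC Security Top 20 project): a
# Python model of one PLC scan-cycle task that validates an HMI-written
# setpoint at the PLC level. All names, limits and values are constructed.
from dataclasses import dataclass, field


@dataclass
class SetpointGuard:
    """Keeps the last accepted setpoint and refuses implausible writes."""
    name: str
    lo: float          # lowest physically plausible value (engineering units)
    hi: float          # highest physically plausible value
    max_step: float    # largest change a single HMI write may apply
    value: float       # currently accepted setpoint
    alarms: list = field(default_factory=list)

    def scan(self, hmi_request: float) -> float:
        """One cycle: apply a plausible request, otherwise hold and alarm.
        A NaN request fails the range comparison, so it is rejected too."""
        if not (self.lo <= hmi_request <= self.hi):
            self.alarms.append(
                f"{self.name}: request {hmi_request} outside [{self.lo}, {self.hi}]")
            return self.value
        if abs(hmi_request - self.value) > self.max_step:
            self.alarms.append(
                f"{self.name}: step {hmi_request - self.value:+g} exceeds {self.max_step}")
            return self.value
        self.value = hmi_request
        return self.value


def run_dosing_scenario() -> SetpointGuard:
    """Constructed lye-dosing setpoint (ppm) driven by four HMI writes.
    The third write is far above the plausible range; the fourth is a jump
    larger than one write is allowed to make. Both are held off and alarmed."""
    guard = SetpointGuard("lye_dose_ppm", lo=0.0, hi=150.0, max_step=25.0,
                          value=100.0)
    for request in (110.0, 115.0, 11100.0, 145.0):
        guard.scan(request)
    return guard


if __name__ == "__main__":
    g = run_dosing_scenario()
    print(g.value, g.alarms)
```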
The Top 20 list includes:
- Modularize PLC code
- Track operating modes
- Keep the operating logic in the PLC as much as possible
- Use PLC flags as integrity checks
- Use cryptographic and/or checksum integrity checks on PLC code
- Validate timers and counters
- Validate and alert for paired inputs/outputs
- Validate HMI input variables at the PLC level, not only at the HMI
- Validate indirections
- Assign designated register blocks by function (read/write/validate)
- Instrument for plausibility checks
- Validate inputs based on physical plausibility
- Disable unneeded/unused communication ports and protocols
- Restrict third-party data interfaces
- Define a safe process state in case of a PLC restart
- Summarize PLC cycle times and trend them on the HMI
- Log PLC uptime and trend it on the HMI
- Log PLC hard stops and trend them on the HMI
- Monitor PLC memory usage and trend it on the HMI
- Trap false negatives and false positives for critical alarms
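The following Python model, added here and not taken from the article or the Top 20 project, illustrates the timer and paired input/output items above (and Fluchs’ door-travel example): a scan-cycle task that checks a commanded output against its feedback input and alarms when the feedback arrives implausibly fast, never arrives, disappears while still commanded, or appears without a command. The gate, its travel times and the one-second scan period are constructed.

```python
# Added example (not from the article or the PLC Security Top 20 project): a
# Python model of a PLC task that validates a commanded output against its
# feedback input with a travel timer. Gate, travel times and scan period are constructed.
from dataclasses import dataclass, field


@dataclass
class PairedIO:
    """Checks one commanded output against its feedback input every cycle."""
    name: str
    min_travel_s: float      # feedback sooner than this is physically implausible
    max_travel_s: float      # feedback later than this means the move failed
    timer_s: float = 0.0     # time since the command was asserted
    confirmed: bool = False  # feedback has been seen for the current command
    latched: bool = False    # a hard alarm is latched until the command clears
    alarms: list = field(default_factory=list)  # message log (HMI would show it)

    def scan(self, cmd: bool, feedback: bool, dt_s: float) -> bool:
        """One cycle of scan time dt_s; returns True while the pair agrees."""
        if not cmd:
            self.timer_s, self.confirmed, self.latched = 0.0, False, False
            if feedback:  # moved without being commanded
                self.alarms.append(f"{self.name}: feedback without command")
                return False
            return True
        if self.latched:
            return False  # already alarmed; stays in alarm until cmd clears
        if self.confirmed:
            if not feedback:  # left the commanded position on its own
                self.latched = True
                self.alarms.append(f"{self.name}: feedback lost while commanded")
                return False
            return True
        self.timer_s += dt_s
        if feedback:
            self.confirmed = True
            if self.timer_s < self.min_travel_s:  # sensor or wiring suspect
                self.alarms.append(f"{self.name}: reached in {self.timer_s:g}s, implausibly fast")
                return False
            return True
        if self.timer_s > self.max_travel_s:  # actuator never got there
            self.latched = True
            self.alarms.append(f"{self.name}: no feedback after {self.timer_s:g}s")
            return False
        return True
```

A real PLC would implement the same state machine in ladder or structured text with a TON timer; the point is that the expected travel window lives in the PLC, not in the HMI.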
Kelly Jackson Higgins is the executive editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than 20 years of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise …