Secure PLC Coding Practices


In the world of operational technology, programmable logic controllers (PLCs) control physical elements such as a municipal water supply system, the room temperature in offices or a chocolate bar packaging machine. Twenty years ago, manufacturers promoted their PLCs as compliant with the IEC 61131 standard. Today, the standard is well established and supported by all major PLC suppliers. To program a PLC, five programming languages are defined:

| IEC 61131-3 language | Description |
|---|---|
| Ladder Diagram (LD) | Looks like an electrical diagram |
| Function Block Diagram (FBD) | Contains elements from Boolean algebra / digital technology |
| Structured Text (ST) | Similar to Pascal or C |
| Instruction List (IL) | Has its roots in assembler language |
| Sequential Function Chart (SFC) | Graphical elements for programming, e.g. batch programming |

An electrician will likely choose Ladder Diagram as the programming language. Someone who is used to programming in a high-level language will most probably use Structured Text. Often it is a mixture: functions or libraries are written in ST, while the “glue logic” is written in Function Block Diagram.

Programming styles vary because OT covers many different application areas, from a small machine controller to huge industrial process control systems, and many different business areas, such as electrical power distribution, building automation or the food industry.

Speaking of security, none of the five languages or manufacturers’ supporting libraries currently have security built in. To be fair, it was not a requirement.

In order to build more robust and secure PLC programs, it is up to the programmer to include dedicated functions or programming styles.

In practice, this depends mostly on how a team or company started programming, as PLC programs are often copied from one project to the next, perhaps adapted to new devices or extended with additional functionality. Very few projects start programming from scratch.

With this in mind, the “Top 20 Secure PLC Coding Practices” community project aims to provide programmers with small practices to improve the security of their PLC programming posture. It is created by PLC programmers for PLC programmers.

Besides the programming practices, the Top 20 list also cross-references each practice to the OT / ICS security standard IEC 62443 and to the MITRE ATT&CK for ICS attack collection.

An example:

Consider the vulnerability described in CODESYS advisory 2021-09 (https://www.codesys.com/security/security-reports.html), which affects the CODESYS V3 web server included in the PLC runtime. From the advisory: “The CODESYS web server is used by the CODESYS WebVisu to display CODESYS visualisation screens in a web browser. As the web server is part of the CODESYS runtime system, this may cause the entire runtime system to behave unpredictably.”

If the PLC runtime is only used as a PLC, the web server is often not needed. It is therefore good practice to turn off the service or disable access to it.

This practice is described as practice number 13 in the Top 20 list (https://plc-security.com/index.html#download).
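As an added illustration of practice 13 (not part of the original post and not taken from CODESYS documentation), the following CODESYSControl.cfg fragment shows a runtime with the web server components loaded, and the same file with them removed. The section and key names (ComponentManager, CmpWebServer, CmpWebServerHandlerV3, WebServerPortNr) and the component numbers are assumptions about the runtime configuration layout and must be checked against the documentation of the specific runtime version before use.

```ini
; Added example, not from the post or the CODESYS project. Section and key
; names are assumptions about the CODESYSControl.cfg layout; verify them
; against the runtime's own documentation before changing a live controller.

; --- Before: web server loaded, WebVisu reachable from the network ---
[ComponentManager]
; ... other runtime components (Component.1 ... Component.6) ...
Component.7=CmpWebServer
Component.8=CmpWebServerHandlerV3

[CmpWebServer]
; Port on which the WebVisu web server listens (assumed default value)
WebServerPortNr=8080

; --- After: the PLC is used only as a PLC, WebVisu is not needed ---
; The two web server components are simply not listed, so the component
; manager never loads them and the runtime never opens the port. Keep the
; remaining Component.N entries numbered without gaps.
[ComponentManager]
; ... other runtime components (Component.1 ... Component.6) ...
; Component.7=CmpWebServer           <- removed (practice 13)
; Component.8=CmpWebServerHandlerV3  <- removed (practice 13)

; The [CmpWebServer] section may stay in the file; it has no effect once
; the component is no longer loaded.
```

Restart the runtime after the change and confirm from a second host that the WebVisu port no longer accepts connections. If the web server is still needed for another function, restrict access to it at the network level instead of removing it.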

Besides the Security Objective and Target Group, each practice lists:

SWITCH-CERT is happy to contribute to the German translation and provide additional comments, coding or implementation examples adapted to the locally used PLC brands and programming styles. Feel free to contribute or comment: https://gitlab.switch.ch/martin.scheu/sps-top20

Enjoy!
