You signed in with another tab or window.Reload to refresh your session.You signed out in another tab or window.Reload to refresh your session.You switched accounts on another tab or window.Reload to refresh your session.Dismiss alert
Split PLC code into modules, using different function blocks (sub-routines). Test modules independently.
Track operating modes
Keep the PLC in RUN mode. If PLCs are not in RUN mode, there should be an alarm to the operators
Leave operational logic in the PLC wherever feasible
Leave as much operational logic e.g., totalizing or integrating, as possible directly in the PLC. The HMI does not get enough updates to do this well.
Use PLC flags as integrity checks
Put counters on PLC error flags to capture any math problems.
Use cryptographic and / or checksum integrity checks for PLC code
Use cryptographic hashes, or checksums if cryptographic hashes are unavailable, to check PLC code integrity and raise an alarm when they change
Validate timers and counters
If timers and counters values are written to the PLC program, they should be validate by the PLC for reasonableness and verify backward counts below zero
Validate and alert for paired inputs / outputs
If you have paired signals, ensure that both signals are not asserted together. Alarm the operator when input / output states occur that are physically not feasible. Consider making paired signals independent or adding delay timers when toggling outputs could be damaging to actuators.
Validate HMI input variables at the PLC level, not only at HMI
HMI access to PLC variables can (and should) be restricted to a valid operational value range at the HMI, but further cross-checks in the PLC should be added to prevent, or alert on, values outside of the acceptable ranges which are programmed into the HMI.
Validate indirections
Validate indirections by poisoning array ends to catch fence-post errors
Assign designated register blocks by function (read/write/validate)
Assign designated register blocks for specific functions in order to validate data, avoid buffer overflows and block unauthorized external writes to protect controller data.
Instrument for plausibility checks
Instrument the process in a way that allows for plausibility checks by cross-checking different measurements.
Validate inputs based on physical plausibility
Ensure operators can only input what’s practical or physically feasible in the process. Set a timer for an operation to the duration it should physically take. Consider alerting when there are deviations. Also alert when there is unexpected inactivity.
Disable unneeded / unused communication ports and protocols
PLC controllers and network interface modules generally support multiple communication protocols that are enabled by default. Disable ports and protocols that are not required for the application.
Restrict third-party data interfaces
Restrict the type of connections and available data for 3rd party interfaces. The connections and/or data interfaces should be well defined and restricted to only allow read/write capabilities for the required data transfer.
Define a safe process state in case of a PLC restart
Define safe states for the process in case of PLC restarts (e.g., energize contacts, deenergize, keep previous state).
Summarize PLC cycle times and trend them on the HMI
Summarize PLC cycle time every 2-3 seconds and report to HMI for visualization on a graph
Log PLC uptime and trend it on the HMI
Log PLC uptime to know when it’s been restarted. Trend and log uptime on the HMI for diagnostics
Log PLC hard stops and trend them on the HMI
Store PLC hard stop events from faults or shutdowns for retrieval by HMI alarm systems to consult before PLC restarts. Time sync for more accurate data.
Monitor PLC memory usage and trend it on the HMI
Measure and provide a baseline for memory usage for every controller deployed in the production environment and trend it on the HMI.
Trap false negatives and false positives for critical alerts
Identify critical alerts and program a trap for those alerts. Set the trap to monitor the trigger conditions and the alert state for any deviation.
Permission is hereby granted, free of charge, to any person obtaining a copy of “Top 20 Secure PLC Coding Practices” and associated documentation files, to deal in the “Top 20 Secure PLC Coding Practices” without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the “Top 20 Secure PLC Coding Practices”, and to permit persons to whom the “Top 20 Secure PLC Coding Practices” is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the “Top 20 Secure PLC Coding Practices”.
THE “Top 20 Secure PLC Coding Practices” IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE “Top 20 Secure PLC Coding Practices” OR THE USE OR OTHER DEALINGS IN THE “Top 20 Secure PLC Coding Practices”.
About
Documentation and guidance to practice secure coding for various PLC vendors