The Top 20 Secure PLC Coding Practices List made its debut a year ago in an attempt to show engineers who write software for industrial control systems how they can use features already built into programmable logic controllers to improve the security of these crucial Level 1 devices.
The list was quickly embraced as an important security resource for engineers. In the year since it was first published, its core group of maintainers has grown to 75, and more than 1,000 people have registered as contributors to the project. It has also been included in important training resources such as the NATO guide for protecting automation and control systems, and MITRE is considering integrating the list into its CWE database.
Sarah Fluchs, CTO of Admeritia and a list maintainer, joins this episode of the Aperture podcast to discuss the list’s growth and evolution in its first year, and how it has helped the overall security of PLCs.
“You should regard (PLCs) as your plant’s or your processes’ bodyguard,” Fluchs said. “It’s your last line of defense in front of your process.”
The list is a 44-page document that not only enumerates the secure coding recommendations but also offers detailed guidance for each one and specifies where each maps to frameworks such as MITRE ATT&CK.
PLCs are deterministic devices and have one job: control a physical process. Security is not a PLC’s charter, yet its position as the last barrier means it should not be so vulnerable that it adds to the attack surface available to a determined hacker, Fluchs said.
“The PLC is not intended to improve security, it just shouldn’t add to insecurity,” Fluchs said.
Admittedly, not all 20 practices on the list are about coding in the narrow sense. Some recommendations, for instance, concern monitoring and validating inputs through plausibility checks. Such a check encodes what the PLC already knows about the process, for example that a valve or a gate should open or close within an allotted period of time, and any deviation from that expectation triggers an alert.
“The PLC is really good at understanding what is happening in the process because that’s what it’s intended to do and what its logic is about,” Fluchs said. “There are some things that the PLC is predestined to monitor and it’s so much easier to monitor the PLC than use an expensive security tool.”
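The valve-travel plausibility check described above, written in IEC 61131-3 Structured Text, as an added example. It is not taken from the Top 20 list document or from Admeritia; the function block name, the I/O tag names, the 5-second travel limit and the alarm wiring to the HMI are all assumptions chosen for illustration. The block raises two alarms the PLC is well placed to detect: a valve that does not reach the commanded position within the allotted travel time, and a feedback pair that reports an impossible state.

```iecst
(* Added example: plausibility check for a valve with open/closed limit switches.
   Names and the T#5s limit are assumptions, not from the Top 20 list. *)
FUNCTION_BLOCK FB_ValveTravelCheck
VAR_INPUT
    Cmd_Open   : BOOL;          (* command written to the valve: TRUE = open *)
    LS_Open    : BOOL;          (* limit switch: valve fully open *)
    LS_Closed  : BOOL;          (* limit switch: valve fully closed *)
    MaxTravel  : TIME := T#5s;  (* longest plausible travel time (assumed) *)
    Reset      : BOOL;          (* operator acknowledge *)
END_VAR
VAR_OUTPUT
    TravelAlarm   : BOOL;       (* command and feedback disagreed for longer than MaxTravel *)
    FeedbackAlarm : BOOL;       (* both limit switches TRUE at once: physically impossible *)
END_VAR
VAR
    Mismatch    : BOOL;
    TravelTimer : TON;          (* standard on-delay timer *)
END_VAR

(* A valve cannot be fully open and fully closed at the same time.
   This flags wiring faults as well as spoofed or tampered inputs. *)
FeedbackAlarm := LS_Open AND LS_Closed;

(* Mismatch is TRUE whenever the feedback does not confirm the command.
   This covers a fresh command (the valve is travelling) and a valve that
   leaves its commanded position without any command having changed. *)
Mismatch := NOT ((Cmd_Open AND LS_Open AND NOT LS_Closed)
              OR (NOT Cmd_Open AND LS_Closed AND NOT LS_Open));

(* TON counts while IN is TRUE and sets Q once PT has elapsed; it resets
   as soon as the feedback matches the command again. *)
TravelTimer(IN := Mismatch, PT := MaxTravel);

(* Latch the alarm so a brief return to a plausible state does not hide it. *)
IF TravelTimer.Q THEN
    TravelAlarm := TRUE;
END_IF;

IF Reset THEN
    TravelAlarm := FALSE;
END_IF;
END_FUNCTION_BLOCK


(* Assumed usage in the cyclic program: one instance per valve. *)
PROGRAM PLC_PRG
VAR
    ValveCheck      : FB_ValveTravelCheck;
    Valve_Cmd       : BOOL;     (* assumed output tag *)
    Valve_LS_Open   : BOOL;     (* assumed input tag *)
    Valve_LS_Closed : BOOL;     (* assumed input tag *)
    Ack             : BOOL;     (* assumed HMI acknowledge tag *)
    Alarm_ToHMI     : BOOL;     (* assumed alarm tag sent to HMI/historian *)
END_VAR

ValveCheck(Cmd_Open  := Valve_Cmd,
           LS_Open   := Valve_LS_Open,
           LS_Closed := Valve_LS_Closed,
           Reset     := Ack);

Alarm_ToHMI := ValveCheck.TravelAlarm OR ValveCheck.FeedbackAlarm;
END_PROGRAM
```

The alarm is deliberately latched and cleared only by an explicit acknowledge, so a manipulated input that returns to a plausible value does not erase the evidence. Feeding Alarm_ToHMI into the historian or alarm log gives operators and incident responders a timestamped record of when the process stopped behaving as expected, without any additional security appliance on the network.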
Also in this episode, Fluchs discusses what she believes it means to securely program a PLC, how to speak to engineers about security by design, and how to introduce security into engineering practices.