Programmable logic controllers (PLCs) are often the last line of defense protecting industrial processes, yet they contain glaring programming gaps that leave them insecure by design.
The increased internet connectivity of industrial devices and processes has magnified their exposure to external attackers and added urgency to the need for secure programming.
In this episode of Claroty's Aperture Podcast, Martin Scheu and Dirk Rotermund of the Top 20 Secure PLC Coding Practices project join to discuss how engineers can integrate secure coding practices into PLC programming.
The group's list of 20 secure coding practices was released in June and is available as a free download. It's a 44-page document that not only lists these practices, but also offers detailed guidance for each, and specifies where they map within certain frameworks, such as MITRE ATT&CK.
In this discussion, you'll learn more about how this project came together, the current state of PLC security by design, where current cybersecurity gaps exist, and how engineers, as well as vendors, suppliers, and system integrators, can best make use of the guidance provided in the list of secure coding practices.
"Process control systems were always connected, but now they are connected to the business side of a factory. These connections went very fast. The OT lifecycle is 15 years or maybe more, and everything is thinking in these timeframes," Scheu said. "The IT side, in terms of ransomware, just came too fast and now we are trying to catch up."
One of the main challenges impeding progress around improved PLC cybersecurity is the lack of awareness and institutional knowledge around the practice.
"Some of our clients have no idea. They don't say that they want it. You have to sell it to them. It's unbelievable," Rotermund said. "The asset owners don't ask for secure coding or security. … Industries like steel and other production industries don't really want it. It costs a lot and why should we do this? You have to sell it. And that's a problem."
The project hopes its efforts will crack open the black box that is the PLC and introduce secure coding practices such as input validation, hashing to ensure the integrity of PLC builds, and the disabling of unnecessary communication ports and unused protocols, all of which reduce the attack surface on a PLC.