Top 20 PLC Secure Coding Practices
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
An S4 Project
It seemed so obvious when Jake Brodsky sent in his presentation proposal to S4x20. If you want to have a (more) secure and resilient PLC, you should follow good PLC secure coding practices.
There are many lists, and tools developed around these lists, of secure coding practices for applications and development on general-purpose computers. Secure coding was part of Microsoft's first Security Development Lifecycle (SDL) nearly two decades ago, and entire development departments are typically put through an organization's secure coding practices training. And yet Jake pointed out that most engineers don't consider security at all when programming PLCs. We need to change that.
So Sarah Fluchs and Jake Brodsky led an effort to start a Top 20 Secure Coding Practices list. The ISA Global Cybersecurity Alliance has graciously agreed to host the list and documentation when it is close to Version 1.0. The effort will be formally unveiled in a webinar on July 29th that I'd encourage you to attend if you are responsible for the programming or security of PLCs or other Level 1 devices.
The site where the list is being discussed and developed will open up to all on July 29th, and I thought I'd whet your appetite by providing some advance information and examples.
- Currently 17 of the 20 candidate PLC Secure Coding Practices have been identified.
- Each Practice has Guidance and Examples (impressive and detailed work on this by Sarah and Jake).
- Each Practice has a "Why?" Summary chart at the end of the documentation page.
So let's take a look at two Practices:
Practice 6: Validate and alert for paired inputs
If you have paired inputs, ensure that both inputs or both outputs are not asserted together. Alarm the operator when input states occur that are physically not feasible.
Guidance
Paired inputs are those that physically cannot happen at the same time; they are mutually exclusive. Because paired inputs cannot happen at the same time unless there is a failure or malicious activity, PLC programmers often do not take the possibility of these cases into account.
Validation is easiest to do directly in the PLC, because unlike any network device capable of Deep Packet Inspection (DPI), the PLC "knows" what the process state or context is. It helps to not overlook paired inputs if their addresses are right next to each other (e.g. input 1 and input 2). Examples of paired inputs:
- START and STOP
- FORWARD and REVERSE
- OPEN and CLOSE
Some of the Practices have a lot more documentation and examples. Practice 7, Validate indirections by poisoning array ends to catch fence-post errors, has five examples including Example 2 below.
Example 2. Insert poisoned ends
Poisoning ends is optional. You would be able to detect manipulated indirections without the poisoning, but poisoning helps to catch fence-post errors because you get back a value that does not make sense.
The point is that at index 0 of the array, there should be a value that is invalid – such as -1 or 65535. This is “the poisoned end”. Likewise, at the last elements of the array you do the same:
So for our array above, the poisoned version could look like this:
[-1 -1 21 31 41 51 61 -1]
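Both practices above (Practice 6 paired-input validation and Practice 7 poisoned array ends) in one added example. This is illustrative C written for this article, not the project's own documentation, which targets IEC 61131-3 PLC code; the input/output names and the idea that the table holds setpoints selected by an HMI-supplied index are assumptions, while the poisoned table itself is the one shown above.

```c
#include <stdbool.h>
#include <stdint.h>

/* Practice 6: mutually exclusive (paired) inputs. Names are constructed. */
typedef struct { bool start, stop, open, close; } inputs_t;
typedef struct { bool run, valve_open, alarm_start_stop, alarm_open_close; } outputs_t;

/* Both members of a pair asserted at once is physically impossible. */
static bool pair_ok(bool a, bool b) { return !(a && b); }

/* One scan: alarm on an impossible input state and drive the outputs to a
 * safe state instead of acting on contradictory commands. */
void scan_paired_inputs(const inputs_t *in, outputs_t *out)
{
    out->alarm_start_stop = !pair_ok(in->start, in->stop);
    out->alarm_open_close = !pair_ok(in->open, in->close);
    if (out->alarm_start_stop || out->alarm_open_close) {
        out->run = false;        /* assumed safe state: motor off, valve closed */
        out->valve_open = false;
        return;
    }
    if (in->start) out->run = true;
    if (in->stop)  out->run = false;
    if (in->open)  out->valve_open = true;
    if (in->close) out->valve_open = false;
}

/* Practice 7: the poisoned table from the article. Index 0..1 and the last
 * element hold an invalid value so a fence-post error returns nonsense
 * that the logic can recognise instead of a plausible setpoint. */
#define POISON    (-1)
#define TABLE_LEN 8
static const int16_t setpoints[TABLE_LEN] = { -1, -1, 21, 31, 41, 51, 61, -1 };

/* Indirect lookup with an HMI-supplied index. Returns true and stores the
 * setpoint only when the index is inside the table and not on a poisoned
 * end; otherwise sets *alarm and leaves *value untouched. */
bool lookup_setpoint(int32_t index, int16_t *value, bool *alarm)
{
    *alarm = false;
    if (index < 0 || index >= TABLE_LEN) { *alarm = true; return false; } /* hard bound */
    if (setpoints[index] == POISON)      { *alarm = true; return false; } /* poisoned end hit */
    *value = setpoints[index];
    return true;
}
```

The hard bound check alone stops out-of-table reads; the poison check additionally catches an off-by-one index that stays inside the table.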
Project Status and Participation
Two important points about this Top 20 PLC Secure Coding Practice project:
- It is a work in progress. As more contributors get involved it will surely be modified and improved. We expect changes in items in the list, the format of the supporting documentation, and documentation itself.
- This is a living list. We plan on keeping the discussion and development board up to facilitate ongoing development of the Top 20 PLC Secure Coding Practices.
Finally one personal hope I have for this project is one or more organizations will take the resulting list and build training around it. This could be a PLC vendor course, a security training course, or even integrated into engineering and automation curriculum.
S4 Projects are high impact projects that the S4 tribe helps make happen as part of our Create The Future mission.
Web Developer at Bangladesh Automation Technologies
4 years
More contributors get involved it will surely be modified and improved. We create a plan to develop a board of the top 20 coding practices of PLC. Read More: https://www.projuktiponno.com/
Consultant
4 years
Great initiative!
Dale Peterson I'm very much looking forward to your presentation at the MRO Security Risk Assessment Virtual Roundtable on 7/30. I'm anticipating lots of interest in this topic from the energy industry given all the recent activity from FERC and DOE on cybersecurity.