Vivek Ponnada

Secure Coding of Industrial Control Systems

This presentation is the outcome of a community driven project called “Top 20 Secure Coding Practices”, with document version 1.0 to be released on plc-security.com on June 15th, 2021, for downloading free of charge, and will have no restrictions on distribution and use.

Background: Industrial Control Systems (ICS also referred to as OT or Operational Technology, consisting of SCADA, PLC, DCS etc.) have historically been insecure by design. Several years into customizing and applying best practices from IT gave rise to secure protocols, use of encryption, network segmentation & isolation etc. However, to date, there has not been a focus on using the characteristic features in the PLCs and DCS for security, or how to code/program PLCs with security in mind. This project – inspired by existing Secure Coding Practices for IT – fills that gap. The aim of this project is to provide guidelines to engineers that are creating software (ladder logic, functional charts etc.) to help improve the security posture of Industrial Control Systems, by leveraging the natively available functionality in the PLC/DCS/SCADA. Little or no additional software tools or hardware is needed to implement these practices. They can all be fit into the normal PLC programming and operating workflow. More than security expertise, good knowledge of the PLCs to be protected, their logic, and the underlying process, is needed for implementing these practices.

Using these practices always has security benefits – mostly either reducing the attack surface or enabling faster troubleshooting if a security incident were to happen. But many practices have more benefits than “only” security. Some also make PLC code more reliable, easier to debug and maintain, easier to communicate, and potentially also leaner. Also, the secure PLC coding practices not only help users in the event of a malicious attacker but also make PLC code more robust to withstand accidental misconfiguration or human error.