Top 20 Secure PLC Coding Practices

June 29, 2021
From splitting PLC code into modules and validating HMI input variables at the PLC to monitoring and trending PLC memory use, these coding practices help secure controllers and the operations connected to them.

Industrial cybersecurity has moved from being a topic of interest only to industrial and cybersecurity professionals to the forefront of mainstream media coverage as ransomware attacks have disrupted fuel and food supplies in the first months of 2021. There are many methods hackers use to infiltrate industrial control systems (ICS)—often through phishing methods used to extract sensitive passwords from employees. But that fact doesn’t relegate ICS security solely to the IT realm.

Listen to this podcast explaining how to assess the level of cybersecurity needed for your operation.

To help industrial companies protect the control systems used across industries, Admeritia—an operations technology-focused provider of cybersecurity software and services—has compiled a list of what it considers to be the top 20 secure PLC coding practices. 

Following is a brief rundown of these top 20 practices:

  • Split PLC codes into modules using different function blocks and test each independently.
  • Track operating modes by keeping the PLC in “run” mode; if a PLC is not in this mode, it should trigger an operator alarm.
  • Leave operational logic in the PLC where feasible rather than in other applications, such as the human machine interface (HMI).
  • Place counters on PLC error flags to capture any math problems in the code.
  • Use cryptographic hashes or checksums to check PLC code integrity and issue alarms when they change.
  • Validate timer and counter values in the PLC code for “reasonableness” and verify backward counts below zero.
  • Ensure that paired I/O signals are not asserted together. I/O states considered unfeasible should trigger alarms.
  • Validate HMI input variables at the PLC, not just at the HMI.
  • Poison array ends to catch fence-post errors to validate indirections.
  • Assign designated register blocks for specific functions to validate data, avoid buffer overflows, and block external writes.
  • Instrument your control processes to allow for plausibility checks by cross-checking different measurements.
  • Ensure that operators can only enter input that’s physically feasible. Set a timer for how long an operation should take with alerts sent for any unexpected activities.
  • Disable ports and protocols not required for an application.
  • All data interface connections should be well defined and restricted to only allow read/write capabilities for the required data transfer.
  • Define safe states for the process in case of PLC restarts.
  • Summarize PLC cycle times every two to three seconds and report to HMI for visualization.
  • Log and trend PLC uptime on the HMI for diagnostics.
  • Store PLC hard stop events for retrieval by the HMI before PLC restarts.
  • Monitor PLC memory use and trend it on the HMI.
  • Identify critical alerts and program a trap for them that monitors their trigger conditions and the alert state for any deviation.

Full details of these PLC coding security practices can be downloaded from Admeritia’s Secure PLC Programming Project site.

Learn about 4 critical aspects of ICS cybersecurity not to be overlooked.
About the Author

David Greenfield, editor in chief | Editor in Chief

David Greenfield joined Automation World in June 2011. Bringing a wealth of industry knowledge and media experience to his position, David’s contributions can be found in AW’s print and online editions and custom projects. Earlier in his career, David was Editorial Director of Design News at UBM Electronics, and prior to joining UBM, he was Editorial Director of Control Engineering at Reed Business Information, where he also worked on Manufacturing Business Technology as Publisher. 

Sponsored Recommendations

Why Go Beyond Traditional HMI/SCADA

Traditional HMI/SCADAs are being reinvented with today's growing dependence on mobile technology. Discover how AVEVA is implementing this software into your everyday devices to...

4 Reasons to move to a subscription model for your HMI/SCADA

Software-as-a-service (SaaS) gives you the technical and financial ability to respond to the changing market and provides efficient control across your entire enterprise—not just...

Is your HMI stuck in the stone age?

What happens when you adopt modern HMI solutions? Learn more about the future of operations control with these six modern HMI must-haves to help you turbocharge operator efficiency...