Top 20 Secure PLC Coding Practices with Vivek Ponnada
Wed, Feb 02 | Virtual
DETAILS
Feb 02, 2022, 1:00 PM – 2:30 PM EST
Virtual
ABOUT
Industrial Control Systems (ICS, also referred to as OT or Operational Technology, consisting of SCADA, PLC, DCS, etc.) have historically been insecure by design. Several years of customizing and applying best practices from IT gave rise to secure protocols, use of encryption, network segmentation and isolation, etc. However, to date, there has not been a focus on using the characteristic features in the PLCs and DCS for security, or on how to code/program PLCs with security in mind. This project – inspired by existing Secure Coding Practices for IT – fills that gap. The aim of this project is to provide guidelines to engineers who are creating software (ladder logic, functional charts, etc.) to help improve the security posture of Industrial Control Systems by leveraging the natively available functionality in the PLC/DCS/SCADA. Few or no additional software tools or hardware are needed to implement these practices. They can all be fit into the normal PLC programming and operating workflow. More than security expertise, implementing these practices requires good knowledge of the PLCs to be protected, their logic, and the underlying process.
Using these practices always has security benefits – mostly either reducing the attack surface or enabling faster troubleshooting if a security incident were to happen. But many practices have more benefits than “only” security. Some also make PLC code more reliable, easier to debug and maintain, easier to communicate, and potentially also leaner. Also, the secure PLC coding practices not only help users in the event of a malicious attack but also make PLC code more robust to withstand accidental misconfiguration or human error.
Vivek Ponnada, Director of ICS Security at ICI Electrical Engineering: https://www.linkedin.com/in/1ot/