The ISA Global Cybersecurity Alliance (ISAGCA), along with admeritia GmbH, announced that it is a contributing organization for the release of the “Top 20 Secure PLC Coding Practices.” This public-sourced document is the result of a grass-roots initiative to provide guidelines to control engineers for improving the security posture of industrial control systems (ICSs). ISAGCA members and others from around the world contributed to the document, which encompasses advice covering the four primary programmable logic controller (PLC) programming languages: Ladder Diagrams (LD), Function Block Diagrams (FBD), Structured Text (ST), and Instruction List (IL).
The “Top 20 PLC Coding Practices” document began with Jake Brodsky’s S4x20 session on tips and tricks he had learned in his long career with a water utility to improve the resiliency, maintenance, and security of programmable logic controllers and the underlying physical processes. PLCs, which were insecure when first designed, have been better secured over the years through the development of secure protocols, encrypted communications, network segmentation, and more. However, there has not been a focus on using the characteristic features in PLCs, supervisory control and data acquisition systems, or distributed control systems (DCS) for security, or much instruction on how to program PLCs with security in mind, he said.
Dale Peterson—ICS security consultant, speaker, podcaster, and founder of S4 Events—said Brodsky called out the fact that people programming and configuring PLCs are not being taught security practices. “It’s gratifying that the community, including organizations like ISAGCA, came together to fill this gap by creating and making freely available the ‘Top 20 PLC Secure Coding Practices,’ ” he said.
Little to no additional software tools or hardware are needed to implement these practices. Download the document and find links to informative videos here. This article was originally published in InTech's July/August issue.
