PLC security: keep it in running mode.
Protection mechanisms of PLCs
Programmable Logic Controllers (PLC) and Safety Instrumented Systems (SIS) Controllers have historically included an external switch, usually in the form of a physical key, to perform maintenance and troubleshooting. This key switch has become commonplace for automation engineers and technicians who maintain and support these systems and who understand the importance of the little switch in overall device operation.
Knowing the current state of the key switch and being able to detect when the position is changed is the number two recommendation from Top 20 Secure PLC Coding Practices. With the right tools, you can automatically detect the key state changes and keep track of this setting. On top of that, these PLC coding practices add an additional level of internal device detections, specifically for engineers and technicians.
To take one example, Rockwell PLCs of the Logix line have a key with 3 positions and 5 modes of operation. The key switch positions can be “Run,” “Remote,” or “Program.” Within the “Remote” position, an individual using Rockwell Studio on an engineering workstation can change the mode to “Remote Run”, “Remote Program”, or “Remote Test”, totalling 5 modes.
Rockwell defines these settings as follows:
Run mode : The controller is actively controlling the process/machine. Projects cannot be edited in the Logix Designer application when in Run mode.
Remote Run mode : This mode is identical to Run mode, except you can edit the project online and change the controller mode through the Logix Designer application.
Remote Program mode : This mode functions like Program mode, except you can change the controller mode through the Logix Designer application.
Remote Test mode : This controller mode executes code, but I/O is not controlled. You can edit the project online and change the controller mode through the Logix Designer application. Output modules are commanded to their Program mode state (on, off, or hold).
Program mode : This controller mode does not execute code or control I/O, but editing operations are available. Output modules are commanded to their last state (On, Off, or Hold). In this position, controller modes cannot be changed through the Logix Designer application.
This PLC key switch and ISA/IEC 62443
ISA/IEC 62443 is the sole de-facto internationally recognized standard for cybersecurity in industrial automation and control systems (IACS), created through consensus. It serves as a thorough guide for organizations to manage their cybersecurity risk, but there is no magical solution. Similar to safety, cybersecurity necessitates constant monitoring, particularly with seemingly insignificant matters. The ISA/IEC 62443 provides a strategy, but its effectiveness rests with the plant-management team.
In the ISA/IEC 62443, there are 7 Foundational Requirements. One of these is ‘Use Control‘.
A simple example to illustrate this Foundational Requirement ‘Use Control’, is the key switch a lot of PLCs have. As seen above, this physical key may operate in varying modes, depending on the manufacturer. In general, in Run mode, the PLC or controller cannot be altered locally or over the network. In Program mode, modifications to the device can be made, whereas Remote mode generally enables programmers to remotely modify the device’s status.
As mentioned before, the ISA Global Cybersecurity Alliance, which sponsors the PLC Security Top 20 List, recommends that operators “keep the PLC in Run mode. If PLCs are not in Run mode, there should be an alarm to the operators.”
The key switch, being a physical thing, is the most effective means to prevent unauthorized modification of critical PLC or controller code. Despite this, the key is routinely left in the Program or Remote position because it is convenient for the maintenance team. The rationale for this approach is that it eliminates productivity loss that results from walking up to the device with the key, changing position, walking back to the workstation, making changes, and then restoring the key position and removing the key. While this is true, it overlooks the potential loss of productivity involved in a cybersecurity incident caused by unauthorized modification of the PLC or controller.
As always, security and convenience are inversely proportional: if convenience increases, security decreases. Leaving the switch to remote is convenient, yes, but…
Although it decreases convenience, it is a security best practice to keep your Programmable Logic Controllers (PLC) and Safety Instrumentation Systems (SIS) in Running mode to avoid the possibility for cybercriminals to change the state to STOP and create unplanned downtime.