It began with Jake Brodsky’s S4x20 session on tips and tricks he had learned in his long career with a water utility to improve the resiliency, maintenance and security of a PLC and the underlying physical process. Today, it results in the release of Version 1.0 of the Top 20 Secure PLC Coding Practices with one of the least restrictive licenses for use, distribution and modification you will ever see. We want this Top 20 list to be used.
It seemed so obvious. We’ve seen significant reduction in exploitable bugs with the adoption of application secure coding practices. And even further improvements when compilers and QA tools can identify and prevent these practices from being violated. Why wouldn’t the same be true for the programming and configuration of PLC’s?
These good ideas presented at a conference can all too often fade away with little action. We didn’t want to let this happen and made creating a Top 20 List an S4 Project. In this case, we were primarily cheerleaders, organizers and recruiters of engineers who could create a quality list. Sarah Fluchs and Vivek Ponnada led the effort and did a lot of work, and please take a look at the ~70 people who helped make this Top 20 list happen on the last page of the document.
These practices are for the engineers and technicians that program and maintain the PLC’s, not the typical OT Security Pro. Some of the practices will be familiar to people with coding experience:
- 8. Validate HMI Input Variables so they are within valid operational ranges (which would have certainly prevented the Oldsmar attack command regardless of what was sent from HMI).
- 13. Disable Unneeded / Unused Communication Ports And Protocols is classic attack surface reduction.
Most of the practices are PLC / process specific.
- Five of the practices are related to logging, trending, and monitoring / alerting on items such as cycle times and memory usage, which are typically consistent in a PLC. This could detect attacks, and it will detect the broad NIST definition of a cyber incident. (ht: Joe Weiss)
- There are validation practices that go beyond input variables and are more typical in the ICS world. Paired input is a good example. Something can’t be both Open and Closed simultaneously, or running Forward and Reverse at the same time. Indirections are another.
- There are a number of practices that involve PLC programming such as configuring registers, PLC flag use, integrity checks and more.
Each practice has documentation pages that describe the practice in more detail, provide examples, lists benefits, and includes IEC 62443 and MITRE ATT&CK for ICS references.
Using The Top 20 Secure PLC Coding Practices
Now that the Top 20 list is released, we need to get engineers trained up and using them. This is, quite frankly, a different group than the OT security people who are likely reading this, and this represents a challenge. It’s encouraging and helpful that the ISAGCA is working to promote these practices. ISA serves the engineering community. We need to find other avenues to get the message out and welcome any suggestions. Some possibilities:
- Get the Top 20 List integrated into existing training programs, professional and academic, or create a new Top 20 Secure PLC Coding Practices course. (the license allows any use of this list as long as a credit paragraph is included).
- Include the Top 20 List as requirements in your RFP’s and write related acceptance tests.
- Be an advocate and help educate engineers in your area. A scripted slide deck will be available shortly.
- If you are a vendor, include these in your secure deployment guides and in your default settings where possible.
- Provide additional examples and documentation for the practices to the Top 20 team.
- And of course implement these in your projects and train up your team.
This is Version 1.0. While the team did a great job getting to here, I’m sure it will improve in subsequent releases. After the team exhales they will start to go over the comments and suggested improvements. The drafting process also generated some good practices for the Level 1 environment, HMI and other ICS elements. These were out of scope for this list and retained for possible future publication.
A funny story to end this … a reporter asked me, tongue in cheek, if following these practices would stop ransomware. Of course, the answer is no. They will reduce the number of PLC related all-cause cyber incidents.