Guide to Programmable Logic Controller Security
Living in modern times lets us enjoy access to advanced technologies that make us happier and more productive. But along with these modern conveniences come new opportunities for would-be thieves and criminals to exploit what you’ve built and us it for their own purposes.
In the wide world of various manufacturing industries, one such avenue of attack comes in the form of programmable logic controllers, or PLCs. PLCs helped deliver some of the modern, wildly productive manufacturing techniques we now take for granted by allowing us a greater degree of control over our automated and robotic assembly lines as well as nearly any other process that requires high degrees of reliability and consistency and swift fault diagnosis when something goes wrong.
Having originally made their appearance in the automotive industry in the late ‘60s, PLCs have spent the last few decades making their way into a variety of other rugged industries and harsh environments.
Of course, industrial PLC security issues are nearly as common as PLCs themselves these days, thanks in part to the possibility of outside access, including wider access to exploits and greater-than-ever incentives for foul play in a highly competitive industrial and even political landscape. To put it more simply, networked technologies present challenges that any industrial operation, whether large or small, must account for and protect against.
In this article, we’re going to explore some of those vulnerabilities, including the reasons why a hacker or another outside malign influence might set their sights on your organization’s PLCs or other critical infrastructure.
As you’ll see by the end, protecting yourself and your business and taking industrial control systems security seriously doesn’t have to break the bank or distract you unnecessarily from doing what you love: building your business and delivering high-quality service to your customers and clients.
Why Is PLC Security So Important?
Any process or physical device that interfaces so completely with vital industrial assets is a tempting target. It doesn’t even take a particularly sophisticated exploit or attack to bring a warehouse, manufacturing plant or even a portion of a country’s infrastructure to its knees, as the world discovered back in 1982 when the CIA successfully employed digital warfare to cripple a gas pipeline in the Soviet Union.
It’s an older — and possibly extreme — example, but the world hasn’t grown much safer since. In fact, both lone operators and state-sponsored entities appear to be targeting public infrastructure on a regular basis, with “unprecedented” intrusions hitting both U.S.-based utility infrastructure and hospital systems throughout the U.K. in recent months and years.
But even if your business doesn’t operate on the same scale as an entire industrialized nation, you still need to take threats like this seriously. Your reputation is on the line — as is the continuing stability and success of your company.
In general, you can look to these broad categories to provide an overview of the types of threats your organization might face and the sort of harm they might visit on your operation:
- Improper/insufficient policies: Access, maintenance procedures, testing and downtime might make you vulnerable to attacks.
- Poorly designed hardware/software: Security needs to have been top-of-mind from square one when your manufacturer designed the PLC your business uses. In addition, any bugs or known vulnerabilities should be divulged and addressed in a timely manner.
- Threats from within: A lack of training, simple human error or a general lack of security-mindedness in your organization puts you at risk every day.
What Can a Hacker Do?
That brings us to the critical questions: Are industrial PLC security issues really that serious — and if so, what havoc might an unscrupulous outside party wreak if they discover vulnerabilities in your system?
Here’s a rundown of some of the types of damage you open yourself up to if you don’t take PLC security seriously:
- Disseminate inaccurate or harmful information: Once within the system, hackers can release inaccurate or incomplete information anywhere within the system.
They may do this for a number of reasons, including hiding the fact that they were there, disguising other changes they’ve made or even to encourage your system operators to take inappropriate actions, as the CIA did when they “tricked” elements in the Soviet Union into appropriating compromised software.
- Alter or remove alarm thresholds and safety functions: You rely on many safety checks and balances to ensure problems don’t arise — or, when they do arise, to limit the damage and notify the appropriate parties.
If a hacker manages to infiltrate your network, including your PLCs, they may be able to alter these parameters so you’re not made aware of problems until it’s too late, potentially with catastrophic consequences.
- Steal sensitive data, intellectual property and trade secrets: One of the more straightforward reasons a hacker might exploit your infrastructure is to make off with trade secrets or sensitive corporate data.
Companies of all types and sizes seem to find themselves in hot water on a regular basis where trade secrets are concerned, and it’s not outside the realm of possibility that they might employ the sort of “black hat” techniques we’re discussing here today.
Indeed, an example from late 2016 saw trade secrets stolen from a German steel company in a type of “professional,” cyberattack which at the time was described as being “virtually impossible” to guard against.
Once again, we see that with modern technologies come modern headaches. The logic within programmable controllers directly touches some of the modern world’s most sensitive data and processes. They are deeply networked with each other and with several facets of your operation — and in many cases, your PLCs might make use of a web-based interface, which makes them more vulnerable still.
Modern search engines are capable of “scraping” the net for these web interfaces in some cases, and after making a brute force attempt to crack your password, hackers have full access to your PLC interface website.
As you can imagine, this might pose any number of threats to your operation. Hackers could:
- Lock out your legitimate and credentialed users, effectively bringing your company to a halt.
- Install malware to gather sensitive or personally identifiable information from your users and your system.
- Make general changes that compromise the relationship between your Master Terminal and any Remote Terminals, slowing or even halting production or even causing potentially dangerous situations to emerge.
- Take advantage of known exploits. No operating system or piece of software can ever be totally free of defects — as a result, the black market does a roaring trade in exploits for PLCs and other infrastructure elements.
All of these reasons combined mean taking this security element seriously will only become more critical in the coming years. Like your desktop computer or your personal mobile devices, programmable logic controllers run on an operating system, and such systems must be regularly monitored for vulnerabilities.
You wouldn’t leave your personal data unprotected on a consumer-level device, so why would you leave any part of your company’s digital “heart and soul” vulnerable to outside influence? Choosing the right vendor and equipment is the first step — but having a security-focused culture in your company is the second, and just as important, consideration.
Stuxnet and the New “Wild West” of Cyberattacks
In one sense, simple ignorance is a big part of why the security of PLCs remains an open question. As we’ve discussed, programmable logic controllers have their own operating systems, even if manufacturers don’t go out of their way to point it out. They might not have names — like “Windows” or “macOS” — that the public can readily identify, but that’s no excuse. Knowing your technology inside and out is the first step toward being proactive about security.
Knowing your technology means taking sensible precautions. One such precaution is seeking out high-quality resources like the DHS vulnerability notes database, which can help tip you off about exploits and vulnerabilities that have been publically disclosed about these devices.
Of course, not every exploit is publically disclosed — and that means your technology might be unsafe in a way you can’t even be aware of. For a further look, let’s talk about Stuxnet.
The most recognizable “symbol” of this kind of subtle vector for infiltration is a name you might recognize: Stuxnet. Known somewhat ominously as a cyber superweapon, Stuxnet is thought to have played a role in derailing Iran’s nuclear development program and is known somewhat apocryphally to have been developed by Israel and the United States. It probably seemed like a good idea at the time, but now Stuxnet is out in the “wild” — and we’re only just coming to terms with what it’s capable of.
Stuxnet is a scary tool — as is anything that can bring a nation’s nuclear ambitions to heel — and it gets even scarier when you realize it was never supposed to get out. But here we are.
And yet, in some ways, Stuxnet and its worry-inducing headlines have also been a blessing: Since word of its existence and capabilities went public in 2010, more of the world is now aware of the inherent vulnerabilities in some of our technologies. Think of it like a canary in a coal mine. Having a name to associate with the global problem of cybersecurity gives us something to target and something for our conversations to coalesce around.
Of course, the now-public knowledge of Stuxnet also means hackers are just as aware as the rest of us. We now find ourselves in a cyberattack arms race. Stuxnet helped demonstrate that some of the convenient security exploits we talked about above aren’t always even necessary to grant a malicious actor access to your system — sometimes all they need access to is a computer attached to your PLCs.
If you’re concerned, you’re right to be — but you’re not powerless. If industrial control systems security is a concern for you, here’s what you need to know to improve your security and protect yourself from these types of threats.
How to Improve Industrial Control Systems Security
Interestingly, subtle and incremental technological breakthroughs have already made PLCs somewhat less vulnerable than they were in the past. But that means knowing what to look for and choosing modern, robust, reliable equipment for your needs.
As mentioned previously, the Natanz-based Iranian nuclear program was successfully derailed when Stuxnet effectively rewrote the behaviors contained within the PLCs’ operating system. The result was a systematic failure of around 1,000 nuclear centrifuges.
But this isn’t possible in the same way on more modern PLCs. Whereas older models could be written to several times, newer logic controllers are not rewritable and are therefore not susceptible to the same kind of malware or quite the same degree of risk. Put more simply, foreign code cannot be stored on these devices.
This also differentiates newer logic controllers and older ones on a physical level. Each PLC includes a socket into which the non-rewritable memory unit is stored. Changing their behavior, then, becomes literally a physical process done onsite rather than something that can be performed from a great distance away. Further optional enhancements include latched and lockable covers to prevent tampering onsite by known or unknown actors.
So non-rewritable media is one type of PLC security solution. What are some others?
There are several key components of industrial control security that any organization should take seriously. A preemptive, responsive security solution is one that
- Creates a security topology with several layers and secures your most important communication processes in the most reliable and secure layer.
- Implements unidirectional gateways, firewalls and network architecture with “demilitarized zones” to ensure that unauthorized presences cannot breach the network. Users should use modern security measures and bespoke security credentials, including two-factor authorization.
- Restricts access to industrial control components at the physical level, ensuring memory units cannot be removed and/or tampered with unless explicit authorization has been given.
- Prevents data — either “static” or in transit — from being modified by third parties.
- Provides detection and notification in the event of security incidents, unexpected behavior or other unforeseen circumstances.
- Establishes redundancy to ensure that critical processes, if interrupted, don’t shut down an entire organization.
- Makes the system easy to restore in the event that some event does take it offline. A coherent response plan is a critical hallmark of any security-minded operation.
Of course, there are formal standards the public and private sectors are expected to abide by where industrial control systems security is concerned.
Industry-Specific Security Standards for PLCs
It’s important to keep in mind that several industries and oversight organizations have preferred standards of their own for tightening security:
- The National Institute of Standards and Technology makes available the Security and Privacy Controls for Federal Information Systems. Appendix F of this document concerns itself almost exclusively with automated industrial control systems.
- The Association of Electrical Equipment and Medical Imaging Manufacturers (NEMA) has requirements of its own for industrial control systems, called NEMA ICS 1-2000.
- Jointly, the International Society of Automation (ISA) and the International Electrotechnical Commission have published standards for industrial automation called ISA-62442.
- As part of their efforts to demystify the multifaceted challenge of industrial controller security, the Industrial Control Systems Cyber Response Team — a division of the Department of Homeland Security — also has a fairly thorough compendium of resources and standards for industrial control, including general cybersecurity planning, network segmentation, DMZs and firewalls, authentication management, conducting tests and upgrades, training employees on proper handling procedures, the bundling of additional security measures like VPNs, the physical placement of networked infrastructure and how to choose the most secure and suitable topology for your operation.
And that may be the most important word about programmable logic security: Depending on your industry, a “standard” response may not be enough. Your field poses unique challenges that make it unlike any other industry. So take the time to familiarize yourself with common pain points in your industry and ensure your security response takes them into account.
Take Security Seriously Today — Not Tomorrow
The key takeaway here is that industrial control security is not something you want to leave to chance or take for granted. As we’ve discussed, the vulnerabilities of some of this technology aren’t always well-advertised, least of all by the manufacturer. As a result, you need to be attentive to security in a deliberate way — and that means having policies in place concerning access, downtime, upgrades, tests and maintenance for your critical infrastructure.
Another last distinction worth making is the fact that shielding your PLCs from outside harm cannot be your entire response to the threat of cyberattacks. To protect your organization fully, a holistic approach is required — and PLCs are only one part of the picture.
Hopefully, you’ve found this guide to programmable logic controller security issues and industrial PLC security issues enlightening. This is a broad and still-emerging area of concern for security experts and business owners, and all of us here at Global Electronic Services hope to do our part to ensure the public is aware of both the opportunities and the risks of modern industrial infrastructure.
When you need repair or another type of service on industrial motors, hydraulics, pneumatics and electronics, turn to GES to get it done right and with a snappy turnaround. We’re proud to offer an 18-month in-service warranty and will beat any competing quote by 10% — just get in touch with us to learn more.