PLC Security

BPyles

Member
B
Join Date
Apr 2014
Location
Canton Ohio
Posts
15
I want to explore some options for security on the PLCs. I want to start with our CompactLogix (many different firmware revisions all < rev 21). Currently we don't have any security. I suggested to my boss when he asked me what I thought and I suggested that we can password protect each processor with a single password. He does not like that Idea as eventually everyone will know the password through word of mouth and defeat the purpose of it.

I am curious what other people do and if there are any suggestions on best practices regarding security. Eventually I want to take this a step further and explore options for PV+ and also our Powerflex drives.
 
"Security" has a very broad meaning...
What exactly are you trying to accomplish? (e.g.-CPU access restrictions, application copy protection, user credentials management, etc.)
 
Adding password protection is a good start. Another key is to ensure that if your network is as isolated as possible, especially if they are connected to Ethernet. Firewalls, and using access restrictions on the network devices can help prevent unauthorized devices from getting on the network.

It is also important to mention that you shouldn't forget physical security. If you can prevent unauthorized people from getting to the system you want to protect, that goes a long way from preventing them from accessing it.

However, do keep in mind that there is a huge tradeoff between security and usability. Generally, the more secure you make a system, the harder you make it to work on that system. Both are important, and you need to figure out where the medium is for you.
 
BPyles,

I'm not sure what level your installed architecture is at, and whether it is even networked, or not, but I have mentioned this before here on the forum and perhaps it is pertinent to mention it here again...

Rockwell advocate you use a “defense-in-depth” security approach. This involves using both the physical and electronic security measures mentioned already, here, and in the linked thread by Ron, as well as other methods.

The basic philosophy is that no one measure alone can fully secure an Industrial Control System (ICS). A layered approach is best practice.

In achieving a “defense-in-depth” approach, an operational process is required to establish and maintain the security capability. This process includes:

1) Identify priorities (e.g. Availability, Integrity, Confidentiality)
2) Establish requirements (e.g. remote access must not impact control traffic, etc.)
3) Identify assets
4) Identify potential internal and external threats and risks
5) Understand capabilities required
6) Develop architecture
7) Develop and implement policies

Designing and implementing a comprehensive manufacturing security model should serve as a natural extension to the manufacturing process. In other words, users should not implement security as a "bolt-on" component to the manufacturing process.

The “defense-in-depth” layers for securing manufacturing assets should include:

• Physical Security: This limits physical access of areas, control panels, devices, cabling, the control rooms and other locations to authorized personnel as well as escorts, and tracks visitors.

• Network Security: This includes the network infrastructure, such as firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers.

• Computer Hardening: This includes patch management and antivirus software as well as removal of unused applications, protocols and services.

• Application Security: This contains authentication, authorization and audit software.

• Device Hardening: This handles change management and restrictive access.

I'm not going to write, or rewrite a whitepaper on the subject, but you get the gist.

The point is that implementing passwords in the controllers is fine and not to be chuffed at. But this is only one electronic measure which can be implemented. You can also use FactoryTalk Security to limit lower level access users to certain features. There are of course other electronic measures, but to strengthen and compliment those, you can also use physical measures such as locking the controller port or switch ports. Locking the cabinet/enclosure. Locking the room or area if feasible, and on and on.

In other words, do not rule out or discount simple measures by just looking at their effectiveness with a singular mindset. Consider multiple measures and the cumulative effect they may have in securing your ICS to an adequate level.

Regards,
George
 
Last edited:

Similar Topics

T
Cyber Security question about Safety PLC programs
Hi all, Searching the site, this is the newest/closest to my question thread I found on safety PLCs, editing the safety task, etc...
Replies
10
Views
3,940
cardosocea
C
B
Limit PLC Access FactoryTalk Security vs Service Edition
I am trying to evaluate the differences between using FactoryTalk Security and the Service Edition of Rockwell software to limit access to edit...
Replies
3
Views
2,250
PreLC
P
I
Security issues with PLC, Servo, HIM software
Has anyone on this site used the Automation Direct Sure Servo software? It is Sure servo Pro. Reason i ask is now the company i have been working...
Replies
2
Views
2,809
Saffa
S
C
AB Controllogix PLC to PLC security
Happy new year all I have several PLC’s that I need to pass data between, but don’t want anyone to be able to reach another PLC with programming...
Replies
3
Views
2,043
504bloke
504bloke
G
What to do when you find others PLC/SCADA internet security breach?
I need an advice. I was doing some check of my previous projects for internet penetration, and I have found out that there are a lot of...
Replies
10
Views
3,074
V0N_hydro
V
Back
Top Bottom