Defense in Depth: PLC Security for Manufacturing and Critical Infrastructure
Author’s Note: Our Defense In Depth series will demonstrate how, over the past several years, Corso Systems has helped companies implement security. The series includes relatively easy best practices like securing your systems with user accounts and segmenting your network with firewalls so that only the traffic that needs to move between each part of your operation can do so. We will also discuss more complex technologies such as threat detection, and backups/disaster recovery so you can get back up and running even in the worst-case scenarios.
Most manufacturing and critical infrastructure systems (utilities, wastewater treatment, communications, dams, and many more) use PLCs to automate processes, control equipment, and compile the process data for running your business. Unfortunately, PLCs come from a wild west of vendors and hardware versions, and they are usually managed by people who are not security minded. This makes them a prime target for hackers and bad actors. Disrupting PLCs can wreak havoc on the people served by critical infrastructure, and can easily bring manufacturing operations to a halt.
As more control hardware is connected to the internet, it is increasingly important to make sure that your PLC systems are locked down from a security perspective. Have you seen Shodan? You can use it to find PLCs and other OT systems connected directly to the internet, in many cases with zero protection of any kind. Ideally, zero systems would show up on Shodan; however, we have a long way to go before that is a reality.
This post focuses on PLC security, and fortunately there are steps any company can take to prevent malicious access to their PLC systems.
Local Access to PLCs
Preventing local access to PLCs is potentially a little more difficult; however, one approach is to password protect PLC access so that anyone without the right credentials can’t get into the code to see what is going on or make changes.
You can also require your panel builders to use managed switches in your panels. Far too often, we find PLC panels with an unmanaged switch that has extra open ports. This allows anyone with an Ethernet cable to plug into the panel and gain unfettered access to everything that the panel can see on the network.
Using managed switches allows you to lock down access on specific ports. For example, if you have a Panel PC and a PLC plugged into a switch with 5 ports, you can lock down the 3 unused ports so even if someone plugs a computer into them they won’t be able to access anything.
While managed switches are more costly and require some configuration, using them can greatly decrease your risk of a cybersecurity incident.
Remote Access
We dive more into network infrastructure in a different post; however, you should be aware that securing remote PLC access means using firewalls and VPNs to reduce your exposure to unknown and potentially harmful network traffic. This will also keep people out of systems they shouldn’t access.
The US Cybersecurity and Infrastructure Security Agency (CISA) has a lot of great material discussing the 5 W’s of network segmentation using firewalls and VPN access, including a great PDF of what a segmented network architecture looks like for OT networks.
Even though it will require coordinating with IT and an investment in more hardware and software, it will also massively reduce your overall exposure to the risks of an attack.
PLC Security
Another common threat is unauthorized access and changes to PLCs. Many PLCs from vendors like Allen Bradley have a PROGRAM/REMOTE/RUN switch. There is an excellent deep dive into the cybersecurity concerns about this switch on an episode of the Darknet Diaries podcast.
Basically, if your PLC is in PROGRAM mode, you can get into it, make changes, and push them out without anyone knowing. Of course, the PLC won’t be running while it is in this mode, so if this happens in your facility you might have other indicators that something weird is going on.
If the PLC is in REMOTE mode, it is basically RUN mode plus PROGRAM mode: you can get into the PLC, make online changes, and push those out without anyone knowing. This is a very common scenario for troubleshooting a PLC code issue, or for making changes to support on-site work such as replacing sensors, VFDs, etc.
In RUN mode, the PLC is running the logic and is effectively inaccessible from the outside world. One of the easiest things you can do to prevent bad actors from getting into your PLC is to make it a habit to keep the PLC in RUN mode only. If someone needs to make changes to the code, you can then put it into REMOTE or PROGRAM, and change it back to RUN once the work is completed.
One item to note (especially for remote sites like pump stations and substations) is that you can often fully remove the key used to make these changes from the PLC. For remote sites, this is especially helpful: if the key isn’t there in the first place, it is much more difficult for someone to gain unauthorized access to the PLC by changing the key’s position.
Regarding the “push changes without anyone knowing about it” aspect, you can also use tools like AssetCentre from Rockwell, or VersionDog to automatically monitor your PLC programs, back them up, and send notifications whenever code is changed. While these tools won’t prevent someone from making changes, you will at least be aware of what is going on when it happens.
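The change-notification behavior described above, as an added example that is not code from this post, Rockwell, or VersionDog: it models the alerting a monitoring tool provides, working from constructed poll snapshots (PlcSnapshot, detect_changes, and the sample data are all hypothetical stand-ins for whatever your tool actually reads from the PLC).

```python
"""Alert on PLC key-switch transitions and program changes (constructed example)."""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PlcSnapshot:
    ts: int          # poll time, seconds (constructed values)
    mode: str        # "RUN", "REMOTE" or "PROGRAM", as read from the key switch
    program: bytes   # uploaded program image; a short stand-in here


def digest(program: bytes) -> str:
    """Short fingerprint of the program so changes can be reported compactly."""
    return hashlib.sha256(program).hexdigest()[:16]


def detect_changes(snapshots: List[PlcSnapshot], max_non_run_seconds: int = 3600) -> List[str]:
    """Walk chronological snapshots and return one alert string per event."""
    alerts, prev, left_run_at = [], None, None
    for snap in snapshots:
        if prev is None:                       # establish the baseline
            if snap.mode != "RUN":
                left_run_at = snap.ts
                alerts.append(f"{snap.ts}: baseline PLC not in RUN ({snap.mode})")
            prev = snap
            continue
        if snap.mode != prev.mode:             # key switch moved
            alerts.append(f"{snap.ts}: key switch {prev.mode} -> {snap.mode}")
            left_run_at = snap.ts if prev.mode == "RUN" else (None if snap.mode == "RUN" else left_run_at)
        if digest(snap.program) != digest(prev.program):   # code was pushed
            # In RUN nothing should be downloadable, so a change there is an anomaly.
            kind = {"REMOTE": "online edit", "PROGRAM": "download"}.get(snap.mode, "UNEXPECTED")
            alerts.append(f"{snap.ts}: program changed ({kind} in {snap.mode} mode) "
                          f"{digest(prev.program)} -> {digest(snap.program)}")
        if left_run_at is not None and snap.ts - left_run_at > max_non_run_seconds:
            alerts.append(f"{snap.ts}: PLC out of RUN for {snap.ts - left_run_at}s")
            left_run_at = snap.ts              # re-arm so this fires once per window
        prev = snap
    return alerts


# Constructed poll history: a technician turns the key to REMOTE, pushes an
# online edit, and returns the key to RUN.
SAMPLE = [
    PlcSnapshot(0, "RUN", b"ladder-v1"),
    PlcSnapshot(600, "RUN", b"ladder-v1"),
    PlcSnapshot(1200, "REMOTE", b"ladder-v1"),
    PlcSnapshot(1800, "REMOTE", b"ladder-v2"),
    PlcSnapshot(2400, "RUN", b"ladder-v2"),
]

if __name__ == "__main__":
    print("\n".join(detect_changes(SAMPLE)))
```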
Locking down PLC code with passwords is also an easy tactic. For example, running CODESYS on Opto 22 hardware makes this a very easy task. Yes, we know a lot of integrators and OEM companies will lock down their code so you don’t have access to it. That is not what we are proposing here. Instead, we’re setting up a security conscious approach to your systems, giving access to the people who need it, and locking out the people who shouldn’t access it.
Wrapping Up
This post covers a number of steps any manufacturing or critical infrastructure company can take to better secure their PLC-based control systems. Except for firewalls, VPNs, and managed switches, these changes don’t necessarily require any investment in hardware or software, and they provide a base level of protection from threats to your operations.
Adding these changes to your OT systems will add a bit of friction to the people who need access to manage them, but it will also reduce the amount of risk involved by locking out people who shouldn’t be accessing them.
Need Help Securing your PLCs?
Corso Systems can help!
Get started by scheduling an intro call with Cody Johnson in sales, or contact us with your project details.