Security Resides in PLC Run Mode
Gary Parr | March 17, 2023
Leaving a PLC in Program or Remote is maintenance efficient but not worth the risk.
By Steve Mustard, CEO, National Automation Inc., and Marco Ayala, Global Director ICS Security, 1898 & Co.
Organizations have adapted their networks and infrastructure to improve performance. Efforts include integrating automation systems with business systems, supporting online condition monitoring, and providing remote expert access for troubleshooting. These, however, have increased the threat of a catastrophic cybersecurity incident.
Today there’s a whole industry dedicated to reducing cybersecurity risk including standards, guidelines, frameworks, tools, and subject-matter experts. Ultimately the organization owns the risk and is best placed to manage it.
ISA/IEC62443, the only consensus-based international standard for industrial-automation and control- systems cybersecurity, is a comprehensive roadmap for organizations to effectively manage their industrial cybersecurity risk, but there is no silver bullet. Like safety, cybersecurity requires constant vigilance, especially when it comes to seemingly trivial issues. ISA/IEC62443 lays out a plan, but the success of that plan is in the hands of the plant-management team.
One of the simplest examples of this vigilance is the PLC or controller key switch. This physical key can have different modes depending on the manufacturer, but there are at least two modes that are common to such devices: Program and Run. A third, Remote, is often present. In Run mode, the PLC or controller cannot be modified locally or remotely over the network. In Program mode, the device can be modified. Remote mode usually allows the programmer to change the status of the device remotely.
The ISA Global Cybersecurity Alliance, which sponsors the PLC Security Top 20 List (plc-security.com/index.html), recommends that operators “keep the PLC in Run mode. If PLCs are not in Run mode, there should be an alarm to the operators.”
The key switch is the most effective means to prevent unauthorized modification of critical PLC or controller code. Despite this, the key is routinely left in the Program or Remote position because it is convenient for the maintenance team. The rationale for this approach is that it eliminates productivity loss that results from walking up to the device with the key, changing position, walking back to the workstation, making changes, and then restoring the key position and removing the key. While this is true, it overlooks the potential loss of productivity involved in a cybersecurity incident caused by unauthorized modification of the PLC or controller.
There are many more examples of productivity savings creating cybersecurity vulnerabilities to be found in a typical operational environment. How confident are you that your cybersecurity vulnerabilities are being managed in a vigilant manner? EP
Steve Mustard serves as the president of National Automation Inc., Spring, TX and served as the 2021 president of the International Society of Automation (ISA) https://www.isa.org. Steve works with companies to improve their performance through the identification of process bottlenecks and the intelligent introduction of technology to remove them.
Marco Ayala is the director and ICS cybersecurity section lead at 1898 & Co. (part of Burns & McDonnell), Kansas City, MO, and the International Society of Automation (ISA) Vice President for Automation and Technology for 2023. He is active in cybersecurity efforts for the oil and gas, maritime port, offshore facilities, and chemical sectors, working alongside federal, local, and state entities for securing the private sector.