- This event has passed
Top 20 Secure PLC Coding Practices
May 5, 2022 @ 17:00 - 18:00
*** Presentation in English only ***
Industrial Control Systems (ICS, also referred to as OT or Operational Technology, consisting of SCADA, PLC, DCS etc.) have historically been insecure by design. Several years of customizing and applying best practices from IT gave rise to secure protocols, the use of encryption, network segmentation and isolation etc. However, there has not been much focus on using the characteristic features of PLCs and DCS for security, or on how to code/program PLCs with security in mind. This project – inspired by existing Secure Coding Practices for IT – fills that gap. The aim of this project is to provide guidelines to engineers who are creating software (ladder logic, functional charts etc.) to help improve the security posture of Industrial Control Systems by leveraging the functionality natively available in the PLC/DCS/SCADA. Few or no additional software tools or hardware are needed to implement these practices. They can all fit into the normal PLC programming and operating workflow. More than security expertise, implementing these practices requires good knowledge of the PLCs to be protected, their logic, and the underlying process.
Using these practices always has security benefits – mostly either reducing the attack surface or enabling faster troubleshooting if a security incident were to happen. But many practices have more benefits than “only” security. Some also make PLC code more reliable, easier to debug and maintain, easier to communicate, and potentially also leaner. The secure PLC coding practices not only help users with Incident Response in the event of a malicious attack but also make PLC code more robust against accidental misconfiguration or human error. Note that some additional practices around Power Management, I/O configuration etc. were collected as part of the project but didn’t make it to the list, as they were not coding practices; they are nevertheless useful in improving the security posture. This talk will give an overview of the project and the practices.