Considered the "brain" of industrial automation, programmable logic controllers (PLCs) are an important component of industrial control systems (ICS), especially for critical infrastructure in the public sector. A PLC is an industrial computer used to control automated devices in a variety of industries, including industrial manufacturing and critical infrastructure. This article outlines PLC security risks, as well as cybersecurity standards for risk mitigation.

What is a programmable logic controller?

Programmable logic controllers provide the logical functions for automated tasks in industrial processes. An engineer programs a series of instructions and functions for the controller, which then follows that sequence, outputting control signals to other devices. This removes the need for human intervention in repetitive tasks that can be automated in industrial automation and critical infrastructure environments. PLCs are very useful for managing automation systems with a customizable solution: an engineer manages the PLC, and the PLC manages the other machines.

Since PLCs are commonly used for computerized management in industrial settings, the implementation and maintenance must be considered during any risk assessment to ensure that the controller functions as expected. Without proper training or security precautions, the PLC could perform unexpected functions or behave in unauthorized ways. For example, excessive network traffic caused a PLC to stop responding at a power station in 2006. As a result of the PLC response failure, multiple recirculation pumps became non-responsive.

Attacks on PLCs that support critical infrastructure could be prioritized by hackers or government-supported advanced persistent threat actors. The Stuxnet worm of 2010 specifically targeted PLCs in supervisory control and data acquisition (SCADA) systems, exploiting security vulnerabilities to drive PLC-managed centrifuges in Iran beyond their operating limits and damage them. The malicious code inserted into the PLC illustrates the extent of damage that can occur if security measures are not prioritized in PLC and SCADA systems.

PLCs are a critical component for public infrastructure like water treatment plants and nuclear power plants (in addition to industrial manufacturing), so appropriate implementation follows the standards set to ensure safe and secure use.

Cybersecurity standards for PLCs

To improve the safety and security when using programmable logic controllers, you can follow the recommendations set out in regulatory guidance IEC/ISA 62443 and NIST Special Publication 800-82.

The International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) worked together to develop a set of standards around security for industrial automation and control systems. IEC/ISA 62443 provides a series of standards defining security requirements for cybersecurity resilience in the ICS ecosystem. These standards state that the operator of the ICS equipment is the asset owner for the corresponding security program. As such, that person must collaborate with suppliers, service providers, and the organization's internal security personnel to ensure a secure and functional system. IEC/ISA 62443-3-2 defines risk assessment requirements, such as the specification of zones and conduits, and 62443-3-3 defines system security requirements. Any PLCs in an ICS fall within the grouping of physical assets that makes up a zone. Determining zone partitioning and network segmentation is a critical pre-assessment task, as those zones enable the threat modeling described in 62443-4-1. UpGuard offers a questionnaire template for ISA/IEC 62443-3-3.

The US National Institute of Standards and Technology (NIST) also provides guidance for securing operational technology in Special Publication 800-82 (often referred to as NIST SP 800-82). Revision 3 (Rev. 3) is the most recent iteration of the document, which expanded the scope from industrial control systems to operational technology more broadly. To ensure that technology functions as expected, a worker or set of workers will program the controller with any necessary parameters that will manage the specific process for a piece of equipment. Programmable logic controllers are used across a variety of operational technologies, so NIST SP 800-82r3 provides recommendations for operational technology cybersecurity programs that can help to keep your PLC program aligned to the best practices for security management, such as a stateful firewall between the PLC and the control center.
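The zone-and-conduit model from 62443-3-2 and the stateful firewall between PLC and control center recommended in SP 800-82 can both be checked mechanically once the zones are written down. The script below is an added example, not UpGuard code or text from either standard: the zone names, host addresses, conduit ports and sample flow records are all constructed, and it treats each observed flow (for instance, parsed from firewall logs) as allowed only if a conduit exists between the two zones and permits that port.

```python
"""Zone/conduit policy check in the spirit of IEC/ISA 62443-3-2.

Added example, not from UpGuard or the standard: zone membership, hosts,
conduit ports and the sample flows below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed zone membership: which hosts belong to which zone.
ZONES = {
    "enterprise": {"10.0.1.20", "10.0.1.21"},
    "control_center": {"10.10.0.5"},
    "plc_cell": {"192.168.50.10", "192.168.50.11"},
}

# Constructed conduits: (source zone, destination zone) -> allowed TCP ports.
# Only the control center may reach the PLC cell, and only on the protocol
# the PLCs actually use; the enterprise zone has no conduit to the cell.
CONDUITS = {
    ("control_center", "plc_cell"): {102},    # e.g. Siemens S7, port as stated in the article
    ("enterprise", "control_center"): {443},  # assumed web/historian front end
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(host: str) -> str:
    """Look up the zone a host belongs to; unknown hosts are a finding in themselves."""
    for name, members in ZONES.items():
        if host in members:
            return name
    return "unknown"


def evaluate(flow: Flow) -> str:
    """Return 'allowed', 'no_conduit', 'port_not_in_conduit' or 'unknown_host'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "unknown_host"
    if src_zone == dst_zone:
        return "allowed"  # intra-zone traffic is governed by the zone's own policy
    allowed_ports = CONDUITS.get((src_zone, dst_zone))
    if allowed_ports is None:
        return "no_conduit"
    return "allowed" if flow.dport in allowed_ports else "port_not_in_conduit"


def violations(flows) -> list:
    """Every flow that the zone/conduit model does not permit, with its reason."""
    return [(f, v) for f in flows if (v := evaluate(f)) != "allowed"]


# Constructed sample flows, as they might be parsed from firewall logs.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "192.168.50.10", 102),      # control center -> PLC on S7: permitted
    Flow("10.0.1.20", "192.168.50.10", 102),      # enterprise host straight to a PLC: no conduit
    Flow("10.10.0.5", "192.168.50.11", 44818),    # control center -> PLC on a port outside the conduit
    Flow("192.168.50.10", "192.168.50.11", 102),  # intra-zone traffic
]

if __name__ == "__main__":
    for flow, verdict in violations(SAMPLE_FLOWS):
        print(f"{verdict}: {flow.src} -> {flow.dst}:{flow.dport}")
```

Feeding real firewall logs through `violations()` turns the zone diagram from the risk assessment into a recurring check: any `no_conduit` result is a path the segmentation design never intended, and `port_not_in_conduit` shows where the stateful firewall rule set has drifted from the conduit definition.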

In addition to following regulatory guidance for PLCs and other technology used in industrial control systems, you can implement cybersecurity practices that minimize risk exposure and cyber threats.

How to manage PLC risk

Whether you're the maintenance engineer or a security analyst, you can work as a team to manage the risk exposure introduced by the programmable logic controllers in your system. The following activities support managing risk exposure and threats related to PLCs:

  • Asset inventory: Identify all your organization's field devices, such as PLCs, sensors, and other remote terminal units. Document their significant details, including the model number, firmware configuration, communication protocols in effect, network connections, programmed functions, and the date of last service or update.
  • Threat analysis: Assess any weaknesses in your network infrastructure. Proactive identification of PLC vulnerabilities can help you plan for any potential attacks. Review historical cyberattacks on PLCs and other automated equipment, and update your incident response plan to account for issues like denial-of-service attacks, malware injection, data exfiltration, or insider sabotage.
  • Vulnerability management: In combination with your threat intelligence program, you can perform recurring vulnerability management to identify weaknesses in your software, hardware, network, and policies. If you perform penetration testing on your infrastructure, include the PLCs in the scope for performance assessment.

In addition to these actions, you can implement security controls to limit access to the PLCs. Your control center should be set with physical access control parameters so only those authorized to manage settings and update the PLC can access the control center. Any physical and remote access to these devices should likewise require authentication to protect against unauthorized manipulation of the commands. Implement the principle of least functionality so that the PLC configuration allows only essential functions and services. Any network ports that are not required for proper operation should be closed.

Alongside developing an incident response plan, plan for offsite backups for any logic and configuration in your PLCs. Test the restoration process to ensure that you can maintain continuous performance in the event that you need to restore from the backup.
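The inventory, least-functionality and backup steps above can be captured in one small tool that records each PLC, flags stale or incomplete records, reports services enabled beyond what the process needs, and verifies that a restore reproduces the backed-up logic and configuration byte for byte. This is an added example, not UpGuard code: the device record, service names, backup bytes, reference date and the 90-day review interval are all constructed or assumed.

```python
"""Inventory, least-functionality and backup-restore checks for PLCs.

Added example, not UpGuard code. The device record, service names, backup
bytes and reference date are constructed; the 90-day interval is an assumption.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

STALE_AFTER_DAYS = 90          # assumed review interval, adjust to site policy
TODAY = date(2024, 6, 1)       # constructed reference date for the sample run


@dataclass
class PlcAsset:
    name: str
    model: str
    firmware: str
    protocols: set            # protocols in use on the network, e.g. {"s7"}
    enabled_services: set     # services actually enabled on the device
    required_services: set    # what the controlled process genuinely needs
    last_update: date         # date of last service or firmware update
    network: str              # zone / segment the device sits in


def inventory_gaps(asset: PlcAsset, today: date) -> list:
    """Findings for one inventory record: missing details or an overdue review."""
    findings = []
    for field_name in ("model", "firmware", "network"):
        if not getattr(asset, field_name):
            findings.append(f"missing {field_name}")
    if (today - asset.last_update).days > STALE_AFTER_DAYS:
        findings.append("last service/update older than review interval")
    return findings


def excess_services(asset: PlcAsset) -> set:
    """Least functionality: everything enabled that the process does not require."""
    return asset.enabled_services - asset.required_services


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup_manifest(name: str, logic: bytes, config: bytes) -> dict:
    """Manifest to store offsite alongside the backup artifacts themselves."""
    return {"asset": name, "logic_sha256": sha256(logic), "config_sha256": sha256(config)}


def verify_restore(manifest: dict, restored_logic: bytes, restored_config: bytes) -> bool:
    """True only if the restored logic and config match the manifest exactly."""
    return (manifest["logic_sha256"] == sha256(restored_logic)
            and manifest["config_sha256"] == sha256(restored_config))


# Constructed sample asset; model name only illustrates the S7 family named in the article.
PUMP_PLC = PlcAsset(
    name="pump-plc-01", model="S7-1200", firmware="4.5.2",
    protocols={"s7"}, enabled_services={"s7", "http", "ntp"},
    required_services={"s7", "ntp"}, last_update=date(2024, 1, 15), network="plc_cell",
)

if __name__ == "__main__":
    print(inventory_gaps(PUMP_PLC, TODAY))
    print(excess_services(PUMP_PLC))
    logic, config = b"LD I0.0\nOUT Q0.0\n", b"ip=192.168.50.10\n"   # constructed backup content
    manifest = make_backup_manifest(PUMP_PLC.name, logic, config)
    print(verify_restore(manifest, logic, config))          # restore matches
    print(verify_restore(manifest, logic + b"X", config))   # drift or corruption detected
```

Run the restore check against a spare or test controller on the schedule your incident response plan calls for: a manifest that no longer matches the device tells you either that the backup is stale or that someone changed the logic outside the documented process, and both are worth knowing before an outage forces the question.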

How UpGuard can help

With UpGuard, you can perform continuous monitoring for your external attack surface with BreachSight and for your third-party vendor ecosystem with Vendor Risk. UpGuard scanning includes techniques that use standardized and publicly accessible network-based protocols to query hosts across a variety of categories. UpGuard's scanning process identifies the following PLC ports that should be reviewed:

  • 'GE SRTP Status' port open
  • 'Mitsubishi EQ PLC' port open
  • 'Modbus' port open
  • 'Omron PLC' port open
  • 'PLC5' port open
  • 'PLC ProConOs' port open
  • 'S7' port open
  • 'Unitronics PLC PCOM' port open

The General Electric Service Request Transport Protocol (GE-SRTP) provides data transfer between devices over Ethernet, including PLCs reporting real-time status. This protocol often uses port 6262 or 6263 to establish connections with the network controller. It should be inaccessible from the public internet.

Mitsubishi Electric offers a selection of programmable logic controllers, including the Electric Q (EQ) series. The default port number used by Mitsubishi EQ is 5000, though Mitsubishi PLCs are also vulnerable to attacks sent over port 5007.

A compromised Omron controller can disrupt operations, damage equipment, and create safety risks for workers in industrial settings. To protect the control logic and production data, close the port in use (TCP port 102 by default) and require VPN authentication for anyone who needs to access the controller.

Rockwell Automation's PLC5 reached its end-of-life support in 2016. If you still use PLC5, consider a migration plan with maintenance support. Newer Rockwell PLCs use port 44818, whereas some older models used port 2222.

ProConOS offers a high-performance run-time engine for PLCs that also uses port 44818.

The S7 PLC from Siemens facilitates communications in production manufacturing, industrial automation, building management, and power services. The Siemens S7 protocol uses port 102. Some of the Siemens S7 PLC series will be discontinued in the near future. Ensure that your PLCs and their operating systems are still supported and have a long support lifecycle remaining.

Unitronics PLCs include an integrated human-machine interface (HMI), using the PCOM protocol for device communications. Unitronics PLCs use ports 20256 and 20257.
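The port numbers listed above are most useful as a triage table: any of them seen on an internet-facing host is an urgent finding, while the same port open on an internal segment is a least-functionality question for the asset owner. The script below is an added example, not UpGuard's scanner or its risk model. The port-to-protocol table is taken from this article, with one addition not stated on the page (Modbus's standard TCP port 502, which the article names only by protocol); the findings list is constructed, and the `internet_facing` flag stands in for whether the finding came from an external or an internal view of the host.

```python
"""Triage of open-port findings against the PLC ports named in the article.

Added example, not UpGuard code. PLC_PORTS comes from the article except
port 502 (Modbus's standard port, not stated on the page); findings are constructed.
"""
from dataclasses import dataclass

# TCP port -> protocol family, as listed in the article above.
PLC_PORTS = {
    6262: "GE SRTP", 6263: "GE SRTP",
    5000: "Mitsubishi EQ", 5007: "Mitsubishi EQ",
    502: "Modbus",                       # standard Modbus/TCP port; not stated on the page
    102: "Siemens S7 / Omron",           # both listed on port 102 in the article
    44818: "Rockwell (newer) / ProConOS",
    2222: "Rockwell (older)",
    20256: "Unitronics PCOM", 20257: "Unitronics PCOM",
}

SEVERITY_ORDER = {"critical": 0, "review": 1, "info": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    internet_facing: bool   # True when the port was seen from the external attack surface


def classify(f: Finding) -> tuple:
    """Return (severity, explanation) for one open-port finding."""
    family = PLC_PORTS.get(f.port)
    if family is None:
        return ("info", "not a PLC port named in the article")
    if f.internet_facing:
        return ("critical", f"{family} port reachable from the public internet")
    return ("review", f"{family} port open internally; confirm it is required and restricted")


def triage(findings) -> list:
    """Rows of (finding, severity, explanation), most urgent first."""
    return sorted(((f, *classify(f)) for f in findings),
                  key=lambda row: SEVERITY_ORDER[row[1]])


def count_by_severity(findings) -> dict:
    """Summary counts keyed by severity, for a dashboard or report."""
    counts = {"critical": 0, "review": 0, "info": 0}
    for _, severity, _ in triage(findings):
        counts[severity] += 1
    return counts


# Constructed sample findings; 203.0.113.x is a documentation address range, not a real host.
SAMPLE_FINDINGS = [
    Finding("203.0.113.7", 102, internet_facing=True),       # S7/Omron port exposed externally
    Finding("192.168.50.10", 44818, internet_facing=False),  # Rockwell/ProConOS port seen internally
    Finding("203.0.113.7", 443, internet_facing=True),       # ordinary HTTPS, informational here
]

if __name__ == "__main__":
    for finding, severity, why in triage(SAMPLE_FINDINGS):
        print(f"[{severity}] {finding.host}:{finding.port} - {why}")
    print(count_by_severity(SAMPLE_FINDINGS))
```

The table is deliberately a plain dictionary so that site-specific ports (a vendor's engineering-workstation port, or a protocol not covered in this article) can be appended without touching the classification logic; the important design point is that a PLC port is never "info", because even an internal exposure needs an owner to confirm it is required.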

Current UpGuard users can access their Risk Profile in BreachSight to assess whether any of the PLC port findings referenced in this article introduce security threats to your organization's assets. You can also review other security issues, including database ports, WordPress plugins, LDAP ports, and file transfer ports.
