#13 PLC Best Practices – Disable Unused Communication Ports

Disable unused communication ports and protocols that are not required in PLC controllers and network interface modules.

Editorial Staff
PLC Tutorials
No Comments
3 Min Read

PLC controllers and network interface modules generally support multiple communication protocols that are enabled by default. Disable ports and protocols that are not required for the application.

Contents
Security ObjectiveTarget Group
HardeningIntegration / Maintenance Service Provider

Disable Unused Communication Ports in PLC

Common protocols usually enabled by default are e.g., HTTP, HTTPS, SNMP, Telnet, FTP, MODBUS, PROFIBUS, EtherNet/IP, ICMP, etc.

The best practice is to develop a data flow diagram that depicts the required communications between the PLC and other components in the system.

The data flow diagram should show both the physical ports on the PLC as well as the logical networks they are connected to. For each physical port, a list of required network protocols should be identified and all others disabled.

memory types in siemens plc

Example

For example, many PLCs include an embedded web server for maintenance and troubleshooting. If this feature will not be used, if possible, it should be disabled as this could be an attack vector.

Why?

Beneficial for…?Why?
  SecurityEvery enabled port and protocol adds to the PLC’s potential attack surface. The easiest way to make sure an attacker can’t use them for unauthorized communication is to disable them altogether.
    ReliabilityIf a PLC cannot communicate via a certain port or protocol, this also reduces the potential amount of (malformed) traffic, be it malicious or not, which decreases the chances of the PLC crashing because of unintended/malformed communication packages.
  MaintenanceDisabling unused ports and protocols also facilitate maintenance, because it reduces the PLC’s overall complexity. What’s not there does not need to be administrated or updated.

References

Standard/frameworkMapping
MITRE ATT&CK for ICSTactic:  TA005 – Discovery
Technique:  T0808 – Control Device Identification,  T0841 – Network Service Scanning,  T0854 – Serial Connection Enumeration
ISA 62443-3-3SR 7.6: Network and security configuration settings
SR 7.7: Least functionality
ISA 62443-4-2EDR 2.13: Use of physical diagnostic and test interfaces
ISA 62443-4-1SD-4: Secure design best practices
SI-1: Security implementation review
SVV-1: Security requirements testing

Source: PLC Security

Don't Miss Our Updates
Be the first to get exclusive content straight to your email.
We promise not to spam you. You can unsubscribe at any time.
Invalid email address

Continue Reading

Face Mask Making Machine using PLC and HMI
Types of Expressions in the SCL Language of the Tia Portal
Complex Car Parking Logic in XG5000 LS Electric PLC
Schneider Electric PLC Timer Problem: Vacuum Cleaner
PLC Ladder Logic for Tanks Filling as per Priority
Automation System for Hazardous Environments
Share This Article
Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Connected

Categories

Explore More

SCADA Hardware and Software
PLC Light Sequence Control using Bit Shift Registers
User Defined Data Types (UDT) – Purpose, Need, Tutorial
PLC SCADA Engineers Interview Questions and Answers
PLC Analog I/O and Network I/O
PLC Programming for Sequential Batch Mixing System
What is Interface Module in Siemens PLC?
Compare Two Offline PLC Projects

Keep Learning

Learn More