#20 PLC Best Practices – Identify Critical Alerts

Identify PLC critical alerts and program a trap to monitor the trigger conditions and the alert state for any deviation.

Editorial Staff
PLC Tutorials
No Comments
3 Min Read

Identify critical alerts and program a trap for those alerts. Set the trap to monitor the trigger conditions and the alert state for any deviation.

Contents
Security ObjectiveTarget Group
MonitoringIntegration / Maintenance Service Provider

Identify PLC Critical Alerts

In most cases, alert-states are boolean (True, False) and triggered by certain conditions as displayed below.

For example, the trigger bit for the alert ‘overpressure’ becomes TRUE, if Condition 1 ‘pressure switch 1’, Condition 2 ‘pressure sensor value over critical threshold’, through n., are TRUE.

alert-states in PLC

To masquerade an attack, an adversary could suppress the alert trigger bit and cause a false negative.

A trap for false negatives monitors the conditions for the trigger bit and the negated trigger bit itself. With this simple setup, a false negative is detected. See the following picture:

False Negative Logic in PLC

In other cases, an adversary could deliberately cause false positives, to wear down the process operator’s attention.

In the same manner of the false negative trap, false positives can also be detected by monitoring the alert trigger bit and if the trigger conditions are met. If the conditions are NOT met, but the trigger bit is active, a false positive is detected: See the following picture:

False Positive PLC Logic

Example 1

Siemens offers in their Siemens S7-1200/1500 Products a Webserver with a wide range of functions, for example, display of the PLC-State, cycle time, or scope records.

It also has the option to view and modify data tables and variables. The access rights to the Webserver can be modified in the PLC-Hardware Settings.

In case of mis-configured access rights, an adversary could gain access to the PLC Variables and Datablocks. To create a false positive, the adversary selects an alert trigger bit and alters the state.

Example 2

In the Triton/Trisys/HatMan attack, rogue code suppressed alert states.

Example 3

A bus-injection attack could send a false positive alert to a high-level SCADA client.

Why?

Beneficial for…?Why?
    SecurityMitigates false negative or false positives of critical alert messages caused by an adversary obfuscating their attack (i.e., rogue code, bus injection, tampering with accessible PLC state tables on unsecured web servers).
Reliability/
Maintenance/

References

Standard/frameworkMapping
MITRE ATT&CK ICSTactic : TA009 – Inhibit Response Function
Technique:  T0878 – Alarm Suppression
ISA 62443-3-3SR 3.5: Input Validation
ISA 62443-4-2CR 3.5: Input Validation
ISA 62443-4-1SI-1: Security implementation review
MITRE CWECWE-754: Improper Check for Unusual or Exceptional Conditions

Source: PLC Security

Don't Miss Our Updates
Be the first to get exclusive content straight to your email.
We promise not to spam you. You can unsubscribe at any time.
Invalid email address

Continue Reading

Inside the PLC Control Panel: How Much Do You Know?
Siemens PLC Interview Questions and Answers
Identify the Problem in the PLC Program
Explaining Various Types of Analog Instruments
Basic PLC Exercise on Heater and Cooler for Students
PLC Timer Instructions
Share This Article
Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Connected

Categories

Explore More

What is a Tag? Types of Tags in SCADA
PLC Program for Controlling Sequence of Conveyors with Interlock
FC Function in Siemens PLC
Communication Processor Module in Siemens PLC
Seven Segment Display Programming with Structured Text
Scaling with Parameters (SCP) Instruction in PLC
How to Choose a PLC for New Project? – Criteria for Selection of PLC
ON Delay Timer using PLC

Keep Learning

Learn More