Log PLC uptime to know when it’s been restarted. Trend and log uptime on the HMI for diagnostics.
| Security Objective | Target Group |
| Monitoring | Integration / Maintenance Service Provider |
Log PLC Uptime
Keep track of programmable logic controller uptime
- in the PLC itself (if uptime is a system variable in the PLC)
- in the PLC itself if it has MIB-2 / any SNMP implementation
- externally by means of e.g., SNMP
If the PLC has SNMP with MIB-2, which is very common, the OID for uptime “sysUpTimeInstance(0)” is 1.3.6.1.2.1.1.3.
Uptime resets are important indicators for PLC restarts. Make sure the HMI alerts to any sort of PLC restart.
Uptime correlated with error codes are good diagnostics.
Example
/
Why?
| Beneficial for…? | Why? |
| Security | The most basic attack vector for a PLC is to force it to crash and/or restart. For many PLCs, it is not that hard to do, because many PLCs cannot cope well with unexpected inputs or too much traffic. Thus, unexpected restarts can be an indicator that the PLC encounters unusual actions. |
| Reliability | PLC restarts are also good for diagnostics in case of failures and for monitoring which PLCs are being worked on at what time. |
| Maintenance | / |
References
| Standard/framework | Mapping |
| MITRE ATT&CK ICS | Tactic: TA009 – Inhibit Response Function Technique: T0816 – Device Restart/Shutdown |
| ISA 62443-3-3 | SR 7.6: Network and security configuration settings |
| ISA 62443-4-2 | CR 7.6: Network and security configuration settings |
| MITRE CWE | CWE-778: Insufficient Logging |
Source: PLC Security
