Measure and provide a baseline for memory usage for every PLC controller deployed in the production environment and trend it on the HMI.
| Security Objective | Target Group |
| Monitoring | Integration / Maintenance Service Provider Asset Owner |
Monitor PLC Memory Usage
Since the increase of lines of code in the logic can also lead to increased memory consumption at runtime, it is recommended for PLC programmers to track any deviation from the baseline and dedicate an alarm class to this event.
Example
In Rockwell Allen Bradley PLCs, a baseline can be established on a controller and memory usage can be tracked using the RSLogix 5000 Task Monitor Tool.
Not only the main memory but also the I/O memory and Ladder/Tag memory can be tracked using trends.
Why?
| Beneficial for…? | Why? |
| Security | Increased memory usage can be an indicator of the PLC running altered code. |
| Reliability | Tracking memory usage for the running programs could be useful in avoiding total memory consumption and eventual fault state for the PLC controller. |
| Maintenance | Tracking memory usage could be used in tuning and finding the best scan time for the monitored controller but also in troubleshooting problems and issues related to faulty states. |
References
| Standard/framework | Mapping |
| MITRE ATT&CK ICS | Tactic: TA002 – Execution Technique: T0873 – Project File Infection |
| ISA 62443-3-3 | SR 3.4: Software and information integrity |
| ISA 62443-4-2 | EDR 3.2: Protection from malicious code |
Source: PLC Security