Inst Tools
#14 PLC Best Practices – Restrict Third-party Data Interfaces

Restrict the type of PLC connections and the data made available to third-party data interfaces in a programmable logic controller.

Last updated: September 22, 2021 5:50 pm
Editorial Staff
PLC Tutorials

Restrict the type of connections and available data for 3rd party interfaces. The connections and/or data interfaces should be well defined and restricted to only allow read/write capabilities for the required data transfer.

Security Objective | Target Group
Hardening | Integration / Maintenance Service Provider

Restrict Third-party Data Interfaces in PLC

In some cases, due to long cable runs or a large exchange of data, interfaced data connections present a better business case than hard-wired data exchange between two separate parties.

The following guidelines should be considered and followed where practical when designing and implementing a third-party data exchange interface:

• Use a dedicated communications module, either connected directly to the 3rd party's PLC or data exchange equipment, or use dedicated network equipment physically segregated from each party's core network.

• The MAC address of connected devices is typically available in system variables for any ICS Ethernet-enabled device, making it possible to verify device identity with a multi-factor approach (IP address + MAC manufacturer prefix = trusted device). This practice is certainly not fool-proof, as MAC and IP addresses can be spoofed, but it raises the bar for communications between trusted ICS systems and devices.

• When selecting a protocol for 3rd party interfaces, choose one that minimizes the third party's ability to write data to the owner's system.

• Choose a connection method and connection port that prevent the 3rd party from configuring the owner's PLC or data exchange equipment.

• The third party should not be able to read or write any data that has not been explicitly defined and made available.

• Use a watchdog timer to monitor the communication link so that commands are not sent to a PLC in fault mode.

• Serial connection: Use a dedicated communication module for each 3rd party interface with a restricted array of data. Ensure the owner's side of the connection is the Initiator and the third party is the Responder.

• Ethernet/IP: Some PLCs allow communication modules to function as a firewall and perform Deep Packet Inspection (DPI), or to restrict communication module interfaces so that the data exchange is limited to a predefined subset. If these features are available and an Ethernet/IP protocol is in use, ensure they are enabled and configured.

• When operational or contractual requirements prevent the owner from accomplishing the previous items, consider using a separate "data concentrator" (aka proxy/DMZ) PLC to buffer the data and protect the owner from unwanted writes or programming from the 3rd party. Ensure the backplane of this PLC cannot be traversed from the 3rd party network.
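The decisions a data concentrator or a firewalling communication module makes for the guidelines above can be modelled in a few lines. The following is an added example written for this page; it is not code from Inst Tools or from the PLC Security Top 20 project, and a real PLC would implement the same logic in its communication module configuration, firewall rules or Structured Text. It combines the IP + MAC manufacturer prefix trust check, an explicit allow-list of exposed tags (each read-only or read/write) and a watchdog that refuses commands once the peer has gone silent. The class and function names, the register addresses, the peer IP and the vendor prefix are all constructed sample values.

```python
"""Allow-list policy model for one third-party PLC data interface (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tag:
    """One data item explicitly exposed to the third party."""
    address: int
    writable: bool = False  # read-only unless the interface spec says otherwise


@dataclass
class InterfacePolicy:
    """Allow-list for a single third-party interface: one peer, one tag table."""
    peer_ip: str
    peer_oui: str                      # vendor prefix of the trusted MAC, "aa:bb:cc"
    tags: Dict[str, Tag]
    watchdog_s: float = 5.0            # maximum silence before writes are refused
    last_heartbeat: Optional[float] = None

    def peer_trusted(self, ip: str, mac: str) -> bool:
        """Multi-factor device check: the IP address AND the MAC vendor prefix
        must both match. Either can be spoofed; this raises the bar, it does
        not prove identity."""
        try:
            ip_ok = ip_address(ip) == ip_address(self.peer_ip)
        except ValueError:
            return False
        oui = ":".join(mac.lower().replace("-", ":").split(":")[:3])
        return ip_ok and oui == self.peer_oui.lower()

    def heartbeat(self, now: float) -> None:
        """Record that the peer is alive (called on each accepted message)."""
        self.last_heartbeat = now

    def watchdog_ok(self, now: float) -> bool:
        """True while the peer has been heard from within the watchdog window."""
        return (self.last_heartbeat is not None
                and now - self.last_heartbeat <= self.watchdog_s)

    def authorize(self, ip: str, mac: str, op: str, address: int,
                  now: float) -> Tuple[bool, str]:
        """Decide whether one read/write request may pass to the owner's PLC."""
        if not self.peer_trusted(ip, mac):
            return False, "untrusted peer (IP/MAC mismatch)"
        tag = next((t for t in self.tags.values() if t.address == address), None)
        if tag is None:
            return False, f"address {address} not in the defined interface"
        if op == "read":
            self.heartbeat(now)
            return True, "read allowed"
        if op == "write":
            if not tag.writable:
                return False, f"address {address} is read-only for this peer"
            if not self.watchdog_ok(now):
                return False, "watchdog expired; commands refused"
            self.heartbeat(now)
            return True, "write allowed"
        return False, f"unsupported operation {op!r}"


def sample_policy() -> InterfacePolicy:
    """Constructed example: a metering skid exposing two read-only values and
    one writable permissive bit. Addresses, IP and OUI are made-up values."""
    return InterfacePolicy(
        peer_ip="192.0.2.10",          # documentation-range address, constructed
        peer_oui="00:1b:1c",           # constructed vendor prefix
        tags={
            "flow_rate":     Tag(address=40001),
            "net_total":     Tag(address=40003),
            "permissive_ok": Tag(address=40010, writable=True),
        },
    )


def demo() -> List[Tuple[bool, str]]:
    """Run a constructed sequence of requests through the policy."""
    policy = sample_policy()
    requests = [
        ("192.0.2.10", "00:1b:1c:aa:bb:cc", "read",  40001, 0.0),  # trusted read
        ("192.0.2.10", "00:1b:1c:aa:bb:cc", "write", 40010, 1.0),  # defined writable tag
        ("192.0.2.10", "00:1b:1c:aa:bb:cc", "write", 40001, 1.5),  # read-only tag
        ("192.0.2.10", "00:1b:1c:aa:bb:cc", "read",  40200, 2.0),  # undefined address
        ("192.0.2.10", "08:00:27:aa:bb:cc", "read",  40001, 2.5),  # right IP, wrong vendor
        ("192.0.2.10", "00:1b:1c:aa:bb:cc", "write", 40010, 9.0),  # silent longer than watchdog
    ]
    return [policy.authorize(*req) for req in requests]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Only the first two requests pass: the remaining four are refused for a read-only tag, an undefined address, a MAC vendor prefix that does not match the trusted device, and a write attempted after the peer has been silent longer than the watchdog window. Keeping the tag table as the single definition of what the third party may see mirrors the guideline that nothing outside the explicitly defined interface is readable or writable.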


Example

• Pipeline or Lease Automatic Custody Transfer (LACT) units which transfer and meter hydrocarbons or water exchanged between an upstream producing or pipeline company and a midstream pipeline company, with network or serial interfaced connections sharing metering, state, and permissive information between the companies.

• A regional potable water purveyor (importer) sharing the turnout water flow rate being delivered to a local municipality's water plant.

Why?

Beneficial for…? | Why?
Security | 1. Limit the exposure to 3rd party networks and equipment. 2. Authenticate external devices to prevent spoofing.
Reliability | Limits the ability for intentional or unintentional modifications or access from 3rd party locations or equipment.
Maintenance | (no entry)

References

Standard/framework | Mapping
MITRE ATT&CK ICS | Tactic: TA010 – Impair Process Control; Technique: T0836 – Modify Parameter
ISA 62443-3-3 | SR 7.6: Network and security configuration settings; SR 7.7: Least functionality
ISA 62443-4-2 | CR 7.6: Network and security configuration settings; CR 7.7: Least functionality
ISA 62443-4-1 | SD-4: Secure design best practices; SI-1: Security implementation review; SVV-1: Security requirements testing

Source: PLC Security

All rights reserved. Reproduction in whole or in part without written permission is prohibited.