#14 PLC Best Practices – Restrict Third-party Data Interfaces

Restrict the type of PLC connections and the data made available on third-party data interfaces in a programmable logic controller.

Last updated: September 22, 2021 5:50 pm
Editorial Staff
PLC Tutorials

Restrict the type of connections and available data for 3rd party interfaces. The connections and/or data interfaces should be well defined and restricted to only allow read/write capabilities for the required data transfer.


Restrict Third-party Data Interfaces in PLC

In some cases, due to long cable runs or a large exchange of data, interfaced data connections present a better business case than hard-wired data exchange between two separate parties.

The following guidelines should be considered and followed where practical when designing and implementing a third-party data exchange interface:

Use a dedicated communications module, either directly connected to the 3rd party PLC or data exchange equipment or use dedicated network equipment physically segregated from each party’s core network.

The MAC address of a connected device is typically available in system variables on any Ethernet-enabled ICS device, so device identity can be checked with a two-factor test: the expected IP address combined with the expected vendor prefix (OUI, the first three octets of the MAC address) marks a trusted device.

This practice is certainly not fool-proof, since both MAC and IP addresses can be spoofed, but it raises the bar for communication between trusted ICS systems and devices.
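The IP-plus-OUI identity test described above, as an added example that is not code from the original page or from the PLC Security project. It assumes the owner side can obtain a neighbour (ARP) table in the line format printed by `ip neigh show` on Linux; the trust table, the IP addresses, MAC prefixes, interface names and the sample neighbour lines are all constructed for illustration. A gateway that can read the owner-side Ethernet module's neighbour data would feed real lines into `audit()`.

```python
"""Two-factor identity check (IP address + MAC vendor OUI) for interfaced devices.

Added example, not code from the original page or the PLC Security project.
It assumes the owner side can obtain a neighbour (ARP) table in the format
printed by `ip neigh show` on Linux; every IP, MAC, interface name and the
trust table below are constructed for illustration.
"""
import re

# "<ip> dev <iface> lladdr <mac> <state>" as printed by `ip neigh show`
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed trust table: IP -> (interface it must be seen on, vendor OUI prefix).
# Both factors must match; a device on the wrong interface or with a MAC from
# an unexpected vendor is not trusted even if its IP address is correct.
TRUSTED = {
    "10.50.7.20": ("eth1", "00:1d:9c"),
    "10.50.7.22": ("eth1", "00:1d:9c"),
    "10.50.7.30": ("eth1", "00:1d:9c"),
}

# Constructed neighbour table: one good device, one with a foreign OUI,
# one unexpected host on the interface network, one unrelated entry on eth0.
NEIGH_SAMPLE = """\
10.50.7.20 dev eth1 lladdr 00:1d:9c:4a:55:e1 REACHABLE
10.50.7.22 dev eth1 lladdr 3c:52:82:11:22:33 REACHABLE
10.50.7.21 dev eth1 lladdr 00:1d:9c:4a:55:e2 STALE
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
"""


def parse_neigh(text):
    """Map IP -> (interface, mac, state) for every well-formed neighbour line."""
    entries = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries[m["ip"]] = (m["dev"], m["mac"].lower(), m["state"].upper())
    return entries


def oui(mac):
    """First three octets of a MAC address, which identify the hardware vendor."""
    return mac.lower()[:8]


def check_device(ip, entries, trusted):
    """Return (trusted, reason) for one expected device."""
    if ip not in entries:
        return False, "not present in neighbour table"
    dev, mac, state = entries[ip]
    want_dev, want_oui = trusted[ip]
    if dev != want_dev:
        return False, f"seen on {dev}, expected {want_dev}"
    if oui(mac) != want_oui.lower():
        return False, f"MAC OUI {oui(mac)} does not match expected {want_oui}"
    if state in ("FAILED", "INCOMPLETE"):
        return False, f"neighbour state {state}"
    return True, "ok"


def audit(text, trusted=TRUSTED):
    """Check every expected device and list unexpected hosts on the interface network.

    IP and MAC can both be spoofed, so a pass here only means the link looks
    as engineered; it is a sanity check, not authentication.
    """
    entries = parse_neigh(text)
    results = {ip: check_device(ip, entries, trusted) for ip in trusted}
    interface_devs = {dev for dev, _ in trusted.values()}
    unexpected = sorted(
        ip for ip, (dev, _, _) in entries.items()
        if dev in interface_devs and ip not in trusted
    )
    return results, unexpected


if __name__ == "__main__":
    results, unexpected = audit(NEIGH_SAMPLE)
    for ip, (ok, reason) in results.items():
        print(f"{ip}: {'TRUSTED' if ok else 'REJECT'} ({reason})")
    print("unexpected hosts on interface network:", unexpected)
```

Run against the constructed sample, 10.50.7.20 passes, 10.50.7.22 is rejected for a foreign OUI, 10.50.7.30 is reported absent, and 10.50.7.21 is flagged as an unexpected host on the interface network. The entry on eth0 is ignored because no trusted device is expected there.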

When selecting a protocol for 3rd party interfaces, choose a protocol which minimizes the ability of the third party to write data to the owner’s system.

Choose a connection method and connection port which prevents the 3rd party from being able to configure the owner’s PLC or data exchange equipment.

The third-party should not be able to read or write to any data that has not been explicitly defined and made available.

Use a watchdog timer to monitor the communication link so that commands are not sent to a PLC that is in fault mode.

Serial connection: use a dedicated communication module for each 3rd party interface, exposing only a restricted array of data. Ensure the owner’s side of the connection is the initiator (the side that polls) and the third party is the responder, so the third party can only answer requests the owner chooses to issue.

Ethernet/IP: some PLCs allow communication modules to function as a firewall and perform Deep Packet Inspection (DPI), or to restrict the module’s interfaces so that the data exchange is limited to a predefined subset of tags or registers. If these features are available and an Ethernet/IP protocol is in use, ensure they are enabled and configured.

When operational or contractual requirements prevent the owner from accomplishing the previous items, consider a separate “data concentrator” (proxy/DMZ) PLC that buffers the exchanged data and shields the owner’s process PLC from unwanted writes or programming from the 3rd party. Ensure the backplane of this PLC cannot be traversed from the 3rd party network, i.e. the third party must not be able to reach other modules in the rack or the owner’s network through it.
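The guidelines above (minimise the third party’s ability to write, expose only explicitly defined data, hold back commands while the link is in fault, and put a data concentrator in front of the process PLC) amount to an allowlist on the protocol. Here is one way to express that allowlist for Modbus/TCP, as an added example that is not code from the original page or from the PLC Security project. It assumes the owner’s interface (a data concentrator PLC, a protocol gateway or a firewall-capable communication module) sees every Modbus/TCP request from the third party and can answer or drop it before it reaches the process PLC; the register windows, the single writable register and the watchdog timeout are illustrative values.

```python
"""Read-mostly Modbus/TCP request filter for a third-party data interface.

Added example, not code from the original page or the PLC Security project.
It assumes the owner's interface (a data concentrator PLC, a protocol gateway
or a firewall-capable communication module) sees every Modbus/TCP request
from the third party and can answer or drop it before it reaches the process
PLC.  The register windows, the single writable register and the watchdog
timeout are illustrative values.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes and exception codes
READ_HOLDING_REGISTERS = 0x03
READ_INPUT_REGISTERS = 0x04
WRITE_SINGLE_REGISTER = 0x06
ILLEGAL_FUNCTION = 0x01
ILLEGAL_DATA_ADDRESS = 0x02
SERVER_DEVICE_FAILURE = 0x04


@dataclass
class InterfacePolicy:
    """Exactly what the third party has been granted; everything else is refused."""
    readable: dict                  # {function_code: [(first_addr, last_addr), ...]}, 0-based
    writable: set                   # holding registers FC06 may write (e.g. a permissive ack)
    watchdog_timeout: float = 5.0   # seconds without a PLC heartbeat before writes stop


class CommWatchdog:
    """Tracks when the owner's PLC was last seen healthy (heartbeat or status word)."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.last_ok = None

    def kick(self, now):
        self.last_ok = now

    def healthy(self, now):
        return self.last_ok is not None and (now - self.last_ok) <= self.timeout


def build_request(tid, unit, fc, data):
    """MBAP header (transaction id, protocol 0, length, unit id) followed by the PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_request(frame):
    """Return (tid, unit, function code, data); raise ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return tid, unit, frame[7], frame[8:]


def exception_response(tid, unit, fc, code):
    """Modbus exception reply: function code with the high bit set, then the exception code."""
    return build_request(tid, unit, fc | 0x80, bytes([code]))


def filter_request(frame, policy, watchdog, now):
    """Decide whether one third-party request may be forwarded to the PLC.

    Returns (allowed, reply, reason).  When not allowed, `reply` is the exception
    frame to send back, or None for a frame too malformed to answer.
    """
    try:
        tid, unit, fc, data = parse_request(frame)
    except ValueError as exc:
        return False, None, f"malformed: {exc}"

    if fc in policy.readable:
        if len(data) < 4:
            return False, None, "malformed: short read request"
        first, qty = struct.unpack(">HH", data[:4])
        last = first + qty - 1
        inside = any(lo <= first and last <= hi for lo, hi in policy.readable[fc])
        if qty >= 1 and inside:
            return True, None, f"read fc={fc:#04x} {first}..{last}"
        return False, exception_response(tid, unit, fc, ILLEGAL_DATA_ADDRESS), "read outside granted window"

    if fc == WRITE_SINGLE_REGISTER:
        if len(data) < 4:
            return False, None, "malformed: short write request"
        addr = struct.unpack(">H", data[:2])[0]
        if not watchdog.healthy(now):
            # PLC not seen healthy within the timeout: do not push commands into it.
            return False, exception_response(tid, unit, fc, SERVER_DEVICE_FAILURE), "watchdog stale, write blocked"
        if addr in policy.writable:
            return True, None, f"write register {addr}"
        return False, exception_response(tid, unit, fc, ILLEGAL_DATA_ADDRESS), "write to undeclared register"

    # Multi-register writes, diagnostics, file records, device identification, ...
    return False, exception_response(tid, unit, fc, ILLEGAL_FUNCTION), f"function {fc:#04x} not granted"
```

The policy object is the engineering record of the interface: two read windows, one writable register, nothing else. Any other function code, including FC16 multi-register writes and the diagnostic and programming-adjacent functions, gets an Illegal Function exception, and a write is refused with a Server Device Failure exception whenever the watchdog has not been kicked by the owner’s PLC heartbeat within the timeout. Reads are still answered while the watchdog is stale because they cannot change the process; only commands are held back.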


Example

Pipeline or Lease Automatic Custody Transfer (LACT) units that transfer and meter hydrocarbons or water exchanged between an upstream producing or pipeline company and a midstream pipeline company, with network or serial interfaced connections sharing metering, state, and permissive information between the two companies.

A regional potable water purveyor (importer) sharing the turnout water flow rate being delivered to a local municipality’s water plant.

Why?

Beneficial for…   Why?
Security          1. Limit the exposure to 3rd party networks and equipment.
                  2. Authenticate external devices to prevent spoofing.
Reliability       Limits the ability for intentional or unintentional modifications or access from 3rd party locations or equipment.
Maintenance       -

References

Standard/framework    Mapping
MITRE ATT&CK ICS      Tactic: TA010 – Impair Process Control
                      Technique: T0836 – Modify Parameter
ISA 62443-3-3         SR 7.6: Network and security configuration settings
                      SR 7.7: Least functionality
ISA 62443-4-2         CR 7.6: Network and security configuration settings
                      CR 7.7: Least functionality
ISA 62443-4-1         SD-4: Secure design best practices
                      SI-1: Security implementation review
                      SVV-1: Security requirements testing

Source: PLC Security
