#18 PLC Best Practices – Store PLC Hard Stop Events from Faults

Store PLC hard stop events from faults or shutdowns for retrieval by HMI alarm systems to consult before PLC restarts. Time sync for more accurate data.

Security ObjectiveTarget Group
MonitoringIntegration / Maintenance Service Provider

PLC Hard Stop Events

Fault events indicate why a PLC shut down so that the issue can be addressed before a restart.

Some PLCs may have error codes from the last case where the PLC faulted or shut down improperly. Record those errors and then clear them. It might be a good idea to report those errors to the HMI as informational data or perhaps to a sys-log server if those features and that infrastructure exist.

Most PLCs also have some kind of first scan feature that generates events. It is a behavior that nearly all PLC equipment have in some form. It is basically one or more flags, or a designated routine that is executed on the first scan of a PLC after it “wakes up.” This First Scan should be logged and tracked.

Why?

Beneficial for…?Why?
  SecurityLogs enable troubleshooting in case of an incident.

Before a PLC becomes operational, especially after having experienced problems, it is important to ensure it is trustworthy.
  ReliabilityLogs are also good sources for debugging if the event was not caused maliciously.
Maintenance/

References

Standard/frameworkMapping
MITRE ATT&CK ICSTactic:  TA009 – Inhibit Response Function
Technique: T0816 – Device Restart/Shutdown
ISA 62443-3-3SR 7.6: Network and security configuration settings
ISA 62443-4-2CR 7.6: Network and security configuration settings
MITRE CWECWE-778: Insufficient Logging

Source: PLC Security

Share With Your Friends

Leave a Comment

#18 PLC Best Practices - Store PLC Hard Stop Events from Faults

Send this to a friend