Store PLC hard stop events from faults or shutdowns for retrieval by HMI alarm systems to consult before PLC restarts. Time sync for more accurate data.
| Security Objective | Target Group |
| Monitoring | Integration / Maintenance Service Provider |
PLC Hard Stop Events
Fault events indicate why a PLC shut down so that the issue can be addressed before a restart.
Some PLCs may have error codes from the last case where the PLC faulted or shut down improperly. Record those errors and then clear them. It might be a good idea to report those errors to the HMI as informational data or perhaps to a sys-log server if those features and that infrastructure exist.
Most PLCs also have some kind of first scan feature that generates events. It is a behavior that nearly all PLC equipment have in some form. It is basically one or more flags, or a designated routine that is executed on the first scan of a PLC after it “wakes up.” This First Scan should be logged and tracked.
Why?
| Beneficial for…? | Why? |
| Security | Logs enable troubleshooting in case of an incident. Before a PLC becomes operational, especially after having experienced problems, it is important to ensure it is trustworthy. |
| Reliability | Logs are also good sources for debugging if the event was not caused maliciously. |
| Maintenance | / |
References
| Standard/framework | Mapping |
| MITRE ATT&CK ICS | Tactic: TA009 – Inhibit Response Function Technique: T0816 – Device Restart/Shutdown |
| ISA 62443-3-3 | SR 7.6: Network and security configuration settings |
| ISA 62443-4-2 | CR 7.6: Network and security configuration settings |
| MITRE CWE | CWE-778: Insufficient Logging |
Source: PLC Security
