Store PLC hard stop events from faults or shutdowns so that HMI alarm systems can retrieve them and they can be consulted before the PLC restarts. Synchronize time so that the recorded data is more accurate.
|Security Objective||Target Group|
|Monitoring||Integration / Maintenance Service Provider|
PLC Hard Stop Events
Fault events indicate why a PLC shut down so that the issue can be addressed before a restart.
Some PLCs keep error codes from the last time the PLC faulted or shut down improperly. Record those errors and then clear them. It might be a good idea to report those errors to the HMI as informational data, or perhaps to a syslog server if those features and that infrastructure exist.
Most PLCs also have some kind of first scan feature that generates events. Nearly all PLC equipment has this behavior in some form: one or more flags, or a designated routine, that is executed on the first scan of a PLC after it “wakes up.” This first scan should be logged and tracked.
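The record-then-clear and first-scan logging described above can be sketched in vendor-neutral IEC 61131-3 Structured Text. This is an added example, not code from the source: the function block, its variable names and the HMI acknowledge handshake are hypothetical, and the first-scan flag, clock and last-fault code must be mapped to whatever the specific PLC platform provides.

```iecst
(* Added example, vendor-neutral; all names are hypothetical. *)
TYPE HardStopEvent :
STRUCT
    Stamp     : DT;    (* PLC clock, assumed time-synchronised *)
    FaultCode : DINT;  (* 0 = wake-up with no stored fault code *)
    FirstScan : BOOL;  (* TRUE if recorded on the first scan *)
END_STRUCT
END_TYPE

FUNCTION_BLOCK FB_HardStopLog
VAR_INPUT
    FirstScan : BOOL;  (* assumption: mapped to the vendor's first-scan flag *)
    ClockNow  : DT;    (* assumption: mapped to the vendor's clock read *)
END_VAR
VAR_IN_OUT
    LastFault : DINT;  (* assumption: mapped to the vendor's last-fault code *)
    HmiAck    : BOOL;  (* set by the HMI once the events have been reviewed *)
END_VAR
VAR_OUTPUT
    Pending       : UINT;  (* events not yet reviewed at the HMI *)
    ReviewPending : BOOL;  (* TRUE: consult the log before going operational *)
END_VAR
VAR RETAIN
    Events  : ARRAY[0..31] OF HardStopEvent;  (* retained: survives the restart *)
    Head    : UINT;  (* next slot to write *)
    Unacked : UINT;  (* retained count behind Pending *)
END_VAR

(* Record every wake-up and every stored fault code. *)
IF FirstScan OR (LastFault <> 0) THEN
    Events[Head].Stamp     := ClockNow;
    Events[Head].FaultCode := LastFault;
    Events[Head].FirstScan := FirstScan;
    Head := (Head + 1) MOD 32;       (* ring buffer: oldest entry is overwritten *)
    IF Unacked < 32 THEN
        Unacked := Unacked + 1;
    END_IF;
    LastFault := 0;                  (* record first, then clear *)
END_IF;

(* One-shot acknowledge handshake: the HMI sets HmiAck, the PLC resets it. *)
IF HmiAck THEN
    Unacked := 0;
    HmiAck  := FALSE;
END_IF;

Pending       := Unacked;
ReviewPending := Unacked > 0;
END_FUNCTION_BLOCK
```

The event buffer is declared `RETAIN` because a log held in non-retentive memory would be lost in the same restart it is meant to explain.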
|Security||Logs enable troubleshooting in case of an incident. Before a PLC becomes operational, especially after having experienced problems, it is important to ensure it is trustworthy.|
|Reliability||Logs are also good sources for debugging if the event was not caused maliciously.|
|MITRE ATT&CK ICS||Tactic: TA009 – Inhibit Response Function; Technique: T0816 – Device Restart/Shutdown|
|ISA 62443-3-3||SR 7.6: Network and security configuration settings|
|ISA 62443-4-2||CR 7.6: Network and security configuration settings|
|MITRE CWE||CWE-778: Insufficient Logging|
Source: PLC Security