Track PLC operating modes – Keep the PLC in RUN mode. If PLCs are not in RUN mode, there should be an alarm to the operators.
Security Objective | Target Group |
---|---|
The integrity of PLC logic | Integration / Maintenance Service Provider / Asset Owner |
Track PLC Operating Modes
If PLCs are not in RUN mode (e.g., PROGRAM mode), their code could be changed, which is why the operating mode should be tracked. Some PLCs have a checksum to alert on code changes, but where they do not, tracking the operating mode gives at least an indirect indicator of a potential issue:
If PLCs are not in RUN mode, there should be an alarm to the operators. If they are aware that someone is supposed to be working on that control system, they can acknowledge the alarm and move on.
The HMI should be configured to re-alert the operator toward the end of the shift about the presence of the alarm. The goal should be to keep track of any staff or contractors in the plant doing work that might impact the process.
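The alarm behaviour described above (alarm when a PLC leaves RUN, operator acknowledgement, re-alert toward the end of the shift), written as an added example for an HMI/SCADA-side poller; it is not part of the original practice. The shift schedule, the 30-minute re-alert window, the mode strings, and treating a failed mode read (`None`) as an alarm are assumptions.

```python
from datetime import datetime, time, timedelta

SHIFT_ENDS = (time(6, 0), time(14, 0), time(22, 0))  # assumed shift schedule
REALERT_WINDOW = timedelta(minutes=30)               # assumed "toward the end of the shift"

def in_realert_window(now):
    """True if `now` is within REALERT_WINDOW before a shift end (today's or tomorrow's)."""
    days = (now.date(), now.date() + timedelta(days=1))
    return any(timedelta(0) < datetime.combine(d, e) - now <= REALERT_WINDOW
               for d in days for e in SHIFT_ENDS)

class ModeAlarm:
    """active: PLC not in RUN; acked: operator acknowledged; realerted: sent for this shift end."""
    def __init__(self):
        self.active = self.acked = self.realerted = False

    def acknowledge(self):
        self.acked = self.active           # only a standing alarm can be acknowledged

    def update(self, mode, now):
        """Feed one polled mode; return 'ALARM', 'REALERT', 'CLEAR' or None."""
        event = None
        if mode == "RUN":
            event = "CLEAR" if self.active else None
            self.active = self.acked = self.realerted = False
        elif not self.active:              # any other mode, or None for a failed read
            self.active, event = True, "ALARM"
        elif in_realert_window(now):
            if self.acked and not self.realerted:
                # an acknowledged alarm is raised again and must be acknowledged again
                self.acked, self.realerted, event = False, True, "REALERT"
        else:
            self.realerted = False         # re-arm for the next shift end
        return event

def replay(samples, day="2024-01-08"):
    """Run ('HH:MM', mode or 'ACK') samples; return [('HH:MM', event), ...]."""
    alarm, out = ModeAlarm(), []
    for hhmm, value in samples:
        now = datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")
        event = alarm.acknowledge() if value == "ACK" else alarm.update(value, now)
        if event:
            out.append((hhmm, event))
    return out

SAMPLES = [  # constructed poll results and operator actions, not real plant data
    ("09:00", "RUN"), ("09:05", "PROGRAM"), ("09:06", "ACK"),
    ("11:00", "PROGRAM"), ("13:40", "PROGRAM"), ("13:45", "PROGRAM"),
    ("14:10", "RUN"), ("14:20", None),
]
```

`replay(SAMPLES)` returns the alarm at 09:05, one re-alert at 13:40 (not repeated at 13:45), the clear at 14:10, and a new alarm at 14:20 when the mode cannot be read.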
Exception Case
If the plant is in a testing or development phase, consider disabling this alarm, but in that case the plant should be isolated from higher levels of the network.
Example
If the PLC does not have a hardware switch for changing operating modes, it is recommended to at least make use of software mechanisms that can restrict changing PLC code, e.g., password protection in engineering software for reading and writing PLC code.
Why?
Beneficial for…? | Why? |
---|---|
Security | The operating mode (run / edit / write; for Allen Bradley PLCs: RUN / PROGram / REMote) determines whether the PLC can be tampered with. If the key switch is in the REMote state, it is technically possible to make changes to the PLC program over the communication interfaces even while the PLC is running. |
Reliability | / |
Maintenance | / |
References
Standard / framework | Mapping |
---|---|
MITRE ATT&CK for ICS | Tactic: TA009 – Inhibit Response Function; Technique: T0858 – Utilize/Change Operating Mode |
ISA/IEC 62443-4-1 | SI-1 : Security implementation review |
Source: PLC Security