PLC Tutorials

#2 PLC Best Practices – Track Operating Modes

Track PLC operating modes – Keep the PLC in RUN mode. If PLCs are not in RUN mode, there should be an alarm to the operators.

Security Objective	Target Group
The integrity of PLC logic	Integration / Maintenance Service Provider / Asset Owner

Track PLC Operating Modes

If PLCs are not in RUN mode (e.g., PROGRAM mode), their code could be changed to track the RUN mode. Some PLCs have a checksum to alert for code changes, but if they do not, there’s at least an indirect indicator of a potential issue while tracking operating modes:

If PLCs are not in RUN mode, there should be an alarm to the operators. If they are aware that someone is supposed to be working on that control system, they can acknowledge the alarm and move on.

The HMI should be configured to re-alert the operator toward the end of the shift about the presence of the alarm. The goal should be to keep track of any staff or contractors in the plant doing work that might impact the process.

Exception Case

If the plant is in a testing or development phase, consider disabling this alarm but the plant should be isolated from higher levels of the network.

Example

If the PLC does not have a hardware switch for changing operating modes, it is recommended to at least make use of software mechanisms that can restrict changing PLC code.

e.g., password protection in engineering software for reading and writing PLC code.

Why?

Beneficial for…?	Why?
Security	The operating mode (run / edit / write; for Allen Bradley PLCs: RUN / PROGram / REMote) determines if PLC can be tampered with. If the key- switch is in the REMote state, it is technically possible to make changes to the PLC program over the communication interfaces even if the PLC is running.
Reliability	/
Maintenance	/

References

Standard / framework	Mapping
MITRE ATT&CK for ICS	Tactic: TA009 – Inhibit Response Function Technique: T0858 – Utilize/Change Operating Mode
ISA/IEC 62443-4-1	SI-1 : Security implementation review