If you have paired signals, ensure that both signals are not asserted together. Alarm the operator when input/output states occur that are physically not feasible.
Consider making paired signals independent or adding delay timers when toggling outputs could be damaging to actuators.
| Security Objective | Target Group |
|---|---|
| Integrity of PLC variables; Resilience | Product Supplier; Integration / Maintenance Service Provider |
Guidance
Paired inputs or outputs are those that physically cannot happen at the same time; they are mutually exclusive. Though paired signals cannot be asserted at the same time unless there is a failure or malicious activity, PLC programmers often do not prevent that assertion from happening.
Validation is easiest to do directly in the PLC, because the PLC is aware of the process state and context. Paired signals are easier to recognize and track if they have sequential addresses (e.g., input 1 and input 2).
Another scenario where paired inputs or outputs could cause problems is when they are not asserted at the same time, but toggled quickly in a way that damages actuators.
Examples of paired signals:
1. START and STOP
2. FORWARD and REVERSE
3. OPEN and CLOSE
If the PLC / MCC accepts a discrete input, this gives an attacker an easy way to cause physical damage to actuators. The well-known scenario for toggling outputs to do damage is an MCC, but this practice applies to every scenario where toggling outputs could do damage.
A proof of concept where rapidly toggling outputs could cause real damage was the Aurora Generator Test in 2007 conducted by the Idaho National Laboratory, where toggling outputs out of sync caused circuit breaker damage.
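The following function block is an added example, written in IEC 61131-3 Structured Text; it is not code from the PLC Security project or from the original page. It applies the two rules of this practice to a FORWARD/REVERSE pair: both commands asserted together is treated as a fault (outputs dropped, alarm latched for the operator), and an output may only be re-energized after a dwell timer has run out since the last output change, so a reversal always passes through an "off" interval. The block name, the I/O addresses and the 2 s dwell value are assumptions chosen for the example.

```iecst
(* Added example: paired-signal interlock for a FORWARD/REVERSE drive.
   FB name, tag names, addresses and T#2S dwell are assumed values. *)
FUNCTION_BLOCK FB_PairedOutput
VAR_INPUT
    cmdA      : BOOL;          (* e.g. FORWARD request from HMI or field *)
    cmdB      : BOOL;          (* e.g. REVERSE request; physically exclusive with cmdA *)
    reset     : BOOL;          (* operator acknowledgement, clears the latched alarm *)
    tMinDwell : TIME := T#2S;  (* minimum time between output changes; assumed value *)
END_VAR
VAR_OUTPUT
    outA       : BOOL;         (* drives the physical FORWARD output *)
    outB       : BOOL;         (* drives the physical REVERSE output *)
    alarmBoth  : BOOL;         (* latched: both paired inputs asserted together *)
    holdActive : BOOL;         (* a request is being held until the dwell elapses *)
END_VAR
VAR
    reqA, reqB   : BOOL;
    tonDwell     : TON;        (* standard IEC on-delay timer *)
    restartDwell : BOOL;
END_VAR

IF reset THEN
    alarmBoth := FALSE;
END_IF

(* Rule 1: paired signals can never be valid at the same time. Treat the
   combination as a fault: drop both outputs and latch an alarm. *)
IF cmdA AND cmdB THEN
    alarmBoth := TRUE;
    reqA := FALSE;
    reqB := FALSE;
ELSE
    reqA := cmdA;
    reqB := cmdB;
END_IF

(* De-energizing is always honoured immediately (the safe direction). *)
IF (outA AND NOT reqA) OR (outB AND NOT reqB) THEN
    outA := outA AND reqA;
    outB := outB AND reqB;
    restartDwell := TRUE;
END_IF

(* Rule 2: energizing an output is only allowed once the dwell timer has
   elapsed since the last output change, so a rapid reversal or a quick
   stop/start is slowed to the configured rate. Earlier requests are held,
   not discarded; holdActive tells the HMI why the output has not moved.
   Note that tonDwell.Q is read before the timer call, i.e. it reflects
   the state at the end of the previous scan. *)
holdActive := FALSE;
IF (reqA AND NOT outA) OR (reqB AND NOT outB) THEN
    IF tonDwell.Q AND NOT restartDwell THEN
        outA := reqA;
        outB := reqB;
        restartDwell := TRUE;
    ELSE
        holdActive := TRUE;
    END_IF
END_IF

(* Holding IN FALSE for one scan resets the timer; it then counts up to PT.
   On the first scan after power-up the timer starts from zero, so outputs
   stay off for tMinDwell: a deliberate safe start-up hold. *)
tonDwell(IN := NOT restartDwell, PT := tMinDwell);
restartDwell := FALSE;
END_FUNCTION_BLOCK

(* Usage: the paired inputs sit on sequential addresses so they are easy
   to recognize when auditing the I/O list (assumed addresses). *)
PROGRAM PRG_Main
VAR
    fbDrive    : FB_PairedOutput;
    fwdRequest AT %I0.0 : BOOL;
    revRequest AT %I0.1 : BOOL;
    ackButton  AT %I0.7 : BOOL;
    fwdCoil    AT %Q0.0 : BOOL;
    revCoil    AT %Q0.1 : BOOL;
END_VAR
fbDrive(cmdA := fwdRequest, cmdB := revRequest, reset := ackButton, tMinDwell := T#2S);
fwdCoil := fbDrive.outA;
revCoil := fbDrive.outB;
(* fbDrive.alarmBoth and fbDrive.holdActive are mapped to the HMI alarm list *)
END_PROGRAM
```

The interlock lives in the PLC rather than in the HMI for the reason given above: only the PLC knows the current output state, so only it can tell a legitimate reversal from a request that arrives while the drive is still energized. The held request is not discarded, which keeps the behaviour deterministic for the operator while still removing the rapid-toggle path.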
Why?
| Beneficial for…? | Why? |
|---|---|
| Security | 1. If PLC programs do not account for what happens when both paired input signals are asserted at the same time, this is a good attack vector. 2. Both paired input signals being asserted is a warning that there is an operational error, a programming error, or that something malicious is going on. 3. This avoids an attack scenario where physical damage can be caused to actuators. |
| Reliability | 1. Paired input signals can point to a sensor being broken or mis-wired, or to a mechanical problem like a stuck switch. 2. Quickly toggling start and stop can also happen by mistake, so this also prevents damage that might be done inadvertently. |
| Maintenance | / |
References
| Standard/framework | Mapping |
|---|---|
| MITRE ATT&CK for ICS | Tactic: TA010 – Impair Process Control; Techniques: T0836 – Modify Parameter, T0806 – Brute Force I/O |
| ISA 62443-3-3 | SR 3.5: Input Validation; SR 3.6: Deterministic Output |
| ISA 62443-4-2 | CR 3.5: Input Validation; CR 3.6: Deterministic Output |
| ISA 62443-4-1 | SI-2: Secure coding standards; SVV-1: Security requirements testing |
| MITRE CWE | CWE-754: Improper Check for Unusual or Exceptional Conditions |
Source: PLC Security