Protecting your PLC
John Young, APAC Sales Director at industrial equipment provider EU Automation, gives his advice for keeping your programmable logic controllers (PLCs) safe from cyber attack.
Programmable logic controllers function at the heart of an industrial control system, managing and controlling various steps in the manufacturing process. As Internet of Things (IoT) technologies have improved connectivity, manufacturers can remotely access their PLCs for more flexible maintenance and real-time monitoring.
Connectivity may be one of the PLC’s greatest strengths, but it is also its Achilles’ heel. When Dick Morley invented the humble PLC in 1968, the internet didn’t exist. Today, for the PLC to perform its monitoring and control processes, connection is essential. At the same time, it is this connectivity that exposes it to cyber attacks.
The great PLC hack
Every step forward in the development of the PLC is matched by an advancement in the sophistication of cyber attacks. The Stuxnet worm was first uncovered in 2010 and is believed to be responsible for causing substantial damage to Iran’s nuclear program by gaining access to computers through a USB drive.
Although the hack was carried out on an air-gapped facility that wasn’t connected to the internet, the malware ended up on internet-connected devices and quickly began to spread.
When the Stuxnet worm infects a computer, it finds out whether it is connected to a specific model of PLC. The worm then alters the PLC’s programming and therefore impacts the processes in a plant. For example, the worm can cause centrifuges to be spun too quickly and for too long, causing damage to the equipment. Because the PLC is communicating that everything is working as it should, it is difficult for the control system or an employee to detect what’s going wrong until it’s too late. Reportedly, Stuxnet ruined 20% of Iran’s nuclear centrifuges.
As connectivity increases, cybersecurity must become a top priority. A robust security strategy begins with people. How many members of staff consider cybersecurity their responsibility? And how many would still use a USB drive even when not authorised or aware of what’s on it? A need-to-know policy should be the default in any plant, and developing the knowledge of staff is a crucial aspect of building a security framework.
Manufacturers can also reduce the risk of cyber attack by limiting the number of people that access connected devices. Several workers may need to access a PLC to monitor and control various processes on the factory floor. By creating individual accounts that only give the level of access that is necessary to each worker, managers can easily track and monitor their staff’s actions while preventing people from accessing data that they are not trained to handle.
PLCs have very long lifespans. Running an average of 20 years, many in use today have been in operation since a time when cybersecurity was less of a pressing priority. At the same time, upgrading to the latest PLC on the market can be a major investment, which isn’t always viable for smaller businesses. Manufacturers should partner with a reliable industrial parts supplier, like EU Automation, to ensure they are able to purchase the best PLC for the job.
Manufacturers are constantly stepping up their cybersecurity game, but so are cybercriminals. To limit damage to their plant, manufacturers should prioritise security, one PLC at a time.