Top 20 Secure PLC Coding Practices

About the Project

For many years, Programmable Logic Controllers (PLCs) have been insecure by design. Several years of adapting and applying best practices from IT have since given rise to secure protocols, encrypted communications, network segmentation and the like.

However, to date there has been little focus on using the native features of PLCs (or SCADA/DCS systems) for security, or on how to program PLCs with security in mind. This project – inspired by the existing Secure Coding Practices for IT – fills that gap.


Written for engineers by engineers

The aim of this project is to provide guidelines for engineers who create PLC software (ladder logic, function charts etc.) to help improve the security posture of Industrial Control Systems.

These practices leverage functionality natively available in the PLC/DCS. Little to no additional software tooling or hardware is needed to implement them, and they all fit into the normal PLC programming and operating workflow. Implementing them requires good knowledge of the PLCs to be protected, their logic and the underlying process more than it requires security expertise.

To fit the scope of the Top 20 Secure PLC Coding Practices list, a practice needs to involve changes made directly to a PLC.

Current version of the Top 20 Secure PLC Coding Practices


Top_20_Secure_PLC_Coding_Practices_V1.0.pdf

Size: 1.2 MB
Date: 06.15.2021

Help us improve and give us feedback! Be part of the Top 20 project!


Top 20 Secure PLC Coding Practices in other languages


Arabic/عربي – Date: 09.28.2021
Croatian/Hrvatski – Date: 05.31.2022
Chinese/中文 – Date: 09.27.2021
German/Deutsch – Date: 03.28.2024
Spanish/Español – Date: 02.16.2022

Top 20 Secure PLC Coding Practices Application Notes


The Top 20 Application Notes are case studies for specific PLCs, specific organizations (vendors, integrators, operators) and their workflows. People who have tried to apply the Top 20 take notes on their experiences - how they applied the practices, what worked, and what did not work. The aim is to gather application examples to help others, one use case at a time, and to eventually improve the Top 20's real-world applicability. Application notes issued by vendors and integrators are especially important since operators can use them as guidance for the PLCs they have in operation or consider buying.

Sharing your own Top 20 Application Note is easy: complete the template below (modify it as needed) and send it to plc-security@admeritia.de. We will publish it on the Secure PLC project's website and social media channels so that it can be shared widely with your clients, colleagues, prospects and network, and across social media.

Integrator (Grantek) – Use Case for North American Pharmaceutical Manufacturer

Date: 06.20.2022

Siemens – Use Case for Yellowfin Line Control System

Date: 08.17.2022


Sample RFP Language for Top 20


Figuring out where to start applying the Top 20 Practices can seem daunting. Keep in mind that this does not need to be an all-or-nothing approach: you can start by incorporating the practices that are "quick wins".

This sample specification document outlines requirements, inspired by the Top 20 list, for vendor-supplied control equipment (e.g., a new process unit is added to the facility as a vendor skid package with the vendor's template design and program). These requirements, or a policy derived from them, can be provided to the vendor to improve security and integration while the organization begins to adopt the practices.

Cybersecurity PLC Vendor Policy Example.docx

Date: 08.02.2022


Contact


Your contact person

Vivek Ponnada
Co-organizer

Email: plc-security@admeritia.de
Twitter: @ControlsCyber

Your contact person

Sarah Fluchs
Co-organizer

Email: plc-security@admeritia.de
Twitter: @SarahFluchs

You know a thing or two about PLCs and security? Join the Top 20 community!

License


Copyright (c) 2021 admeritia GmbH, Langenfeld/Rheinland, Germany

Permission is hereby granted, free of charge, to any person obtaining a copy of “Top 20 Secure PLC Coding Practices” and associated documentation files, to deal in the “Top 20 Secure PLC Coding Practices” without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the “Top 20 Secure PLC Coding Practices”, and to permit persons to whom the “Top 20 Secure PLC Coding Practices” is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the “Top 20 Secure PLC Coding Practices”.

THE “Top 20 Secure PLC Coding Practices” IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE “Top 20 Secure PLC Coding Practices” OR THE USE OR OTHER DEALINGS IN THE “Top 20 Secure PLC Coding Practices”.




Special thanks to the organizations that generously provided infrastructure for the project team, such as domains, hosting, web design and graphic design: