Written for engineers by engineers
The aim of this project is to provide guidelines to engineers that are creating software (ladder logic, function charts etc.) to help improve the security posture of Industrial Control Systems.
These practices leverage functionality natively available in the PLC/DCS. Little to no additional software or hardware is needed to implement them, and they all fit into the normal PLC programming and operating workflow. Implementing these practices requires good knowledge of the PLCs to be protected, their logic, and the underlying process more than it requires security expertise.
To fit the scope of the Top 20 Secure PLC Coding practices list, practices need to involve changes made directly to a PLC.
Current version of the Top 20 Secure PLC Coding Practices
Top_20_Secure_PLC_Coding_Practices_V1.0.pdf
Size: 1.2 MB
Date: 06.15.2021
Top 20 Secure PLC Coding Practices in other languages
Arabic/عربي (Date: 09.28.2021)
Croatian/Hrvatski (Date: 05.31.2022)
Chinese/中文 (Date: 09.27.2021)
German/Deutsch (Date: 03.28.2024)
Spanish/Español (Date: 02.16.2022)
Top 20 Secure PLC Coding Practices Application Notes
The Top 20 Application Notes are case studies for specific PLCs, specific organizations (vendors, integrators, operators) and their workflows. People who have tried to apply the Top 20 take notes on their experiences - how they applied the practices, what worked, and what did not work. The aim is to gather application examples to help others, one use case at a time, and to eventually improve the Top 20's real-world applicability. Application notes issued by vendors and integrators are especially important since operators can use them as guidance for the PLCs they have in operation or consider buying.
Sharing your own Top 20 Application Note is easy. Just complete the template below (feel free to modify it as needed) and send it to plc-security@admeritia.de. We will publish it on the Secure PLC project's website and social media channels, and you can share it with your clients, colleagues, prospects and network.
Sample RFP Language for Top 20
Figuring out where to start applying the Top 20 Practices can seem daunting. Keep in mind that this does not need to be an all-or-nothing approach: you can simply start by incorporating the practices that offer some "quick wins".
This sample specification document outlines requirements inspired by the Top 20 list for vendor-supplied control equipment (e.g., a new process unit is being added to the facility as a vendor skid package with a vendor template design and program). These requirements, or the policy as a whole, can be developed and provided to the vendor to improve security and integration while you begin to adopt the practices.
Cybersecurity PLC Vendor Policy Example.docx
Date: 08.02.2022
Contact
Vivek Ponnada, Co-organizer
Email: plc-security@admeritia.de
Twitter: @ControlsCyber
Sarah Fluchs, Co-organizer
Email: plc-security@admeritia.de
Twitter: @SarahFluchs
License
Copyright (c) 2021 admeritia GmbH, Langenfeld/Rheinland, Germany
Permission is hereby granted, free of charge, to any person obtaining a copy of “Top 20 Secure PLC Coding Practices” and associated documentation files, to deal in the “Top 20 Secure PLC Coding Practices” without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the “Top 20 Secure PLC Coding Practices”, and to permit persons to whom the “Top 20 Secure PLC Coding Practices” is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the “Top 20 Secure PLC Coding Practices”.
THE “Top 20 Secure PLC Coding Practices” IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE “Top 20 Secure PLC Coding Practices” OR THE USE OR OTHER DEALINGS IN THE “Top 20 Secure PLC Coding Practices”.
Special thanks to the following organizations, which generously provided infrastructure for the project team, such as domains, hosting, web design and graphic design: