Use cryptographic hashes, or checksums if cryptographic hashes are unavailable, to check PLC code integrity and raise an alarm when they change 

Guidance

A) Checksums Where (cryptographic) hashes are not feasible, checksums may be an option. Some PLCs generate a unique Checksum when code is downloaded into the PLC Hardware. The Checksum should be documented by the manufacturer/integrator after SAT and be part of warranty / service conditions. 

If the checksum feature is not natively available in the controller, this can also be generated in the EWS/HMI and probed e.g., once a day to compare with the hash of the original code in the PLC to verify that they are matching. While this won’t provide real-time alerts, it’s good enough to track if anyone is attempting changes to the PLC code. 

The checksum value can also be moved into a PLC register and configured for an alarm when it changes, the value can be sent to historians, etc. 

B) Hashes PLC CPUs generally do not have the processing capacity to generate or check hashes while running. Attempting a hash might actually cause the PLC to crash. But the PLC’s engineering software might be able to calculate hashes from the PLC code and save them either in the PLC or somewhere else in the control system. 

Example

PLC vendors that are known to have checksum features: 

* Siemens (see example) 

* Rockwell 

Also, external software can be used for generating checksums: 

* Version dog 

* Asset Guardian 

* PAS 

Siemens implementation example 

Example for creating checksums in Siemens S7-1500 PLC: 

GetChecksum-Function Block reads actual checksum and with a lightweight script, the “SAT-Checksum” can be stored as reference. A deviance from the Reference-Checksum can be stored with the Datalog-Function.

Rockwell Implementation Example: 

This is a partial example of how an organization can develop a level of PLC program change detection capability within their ICS environment. This example is specifically for a Rockwell Automation ControlLogix PLC and is not complete; however, it illustrates how to retrieve the PLC processor state into a register within the PLC. Once in a register in the PLC, the organization can use it to create a configuration change alarm for display on an HMI, transmit the raw state information to an HMI for trending and monitoring, or send it to a Historian for long term capture. 

This practice provides an opportunity, using existing tools and capabilities, to gain situational awareness of when critical cyber assets change. It is up to the organization to complete the use of this example in a method that works best in their environment. 

1. From the Controller Properties Dialog Box, select the configure button on “Change to Detect”

2. Within the selection window, choose all items to be monitored 

3. Create a Tag to receive the processor state information. This tag can be of type “LINT” or a 2-word array of type “DINT” 

4. Use the Get System Values (GSV) instruction to get the processor state information from memory and move it into a Tag that can be used in logic or read at the HMI 

Why? 

References

What’s next?

In the next article of The Top 20 Secure PLC Coding Practices series, you will find out about using cryptographic and/or checksum integrity checks for PLC code. 

Do you require help with secure coding of your PLCs?

If you have any questions or require help in securely coding your PLCs, please contact SEQRED.

SEQRED specialises in providing bespoke OT and IoT cybersecurity solutions.
Our services cover such areas as Critical Infrastructure Protection, Cloud Services Security or Audits, and Threat Intelligence. For a full list of our services visit our services page – https://seqred.pl/en/services/

About this article

You can download the full copy of the Top 20 Secure PLC Coding Practices by clicking here.

The series of these articles is written under the following license:

Powiązane wpisy

Dodaj komentarz