Save the Date: Nexus Conference 2024: Sept. 10-12
Claroty Nexus Logo
Topics:
See all in Cyber Resilience See all in Articles
See all in Videos
See all in Podcasts
In this episode of Claroty's Nexus Podcast, Martin Scheu and Dirk Rotermund of the Top 20 Secure PLC Coding Practices project join to discuss how engineers can integrate secure coding practices into PLC programming.

Nexus Podcast: Top 20 Secure PLC Coding Practices List

Michael Mimoso
/
Sep 29, 2021

Programmable logic controllers (PLCs) are often the last line of defense protecting industrial processes, yet they contain glaring programming gaps that leave them insecure by design.

Increased connectivity to the internet of industrial devices and processes have magnified their exposure to external attackers and added urgency to the need for secure programming.

In this episode of Claroty's Nexus Podcast, Martin Scheu and Dirk Rotermund of the Top 20 Secure PLC Coding Practices project join to discuss how engineers can integrate secure coding practices into PLC programming.

The group's list of 20 secure coding practices was released in June and is available as a free download. It's a 44-page document that not only lists theses practices, but also offers detailed guidance for each, and specifies where they map within certain frameworks, such as MITRE ATT&CK.

In this discussion, you'll learn more about how this project came together, the current state of PLC security by design, where current cybersecurity gaps exist, and how engineers can best make use of the guidance provided in the list of secure coding practices, as well as vendors, suppliers, and system integrators.

"Process control systems were always connected, but now they are connected to the business side of a factory. These connections went very fast. The OT lifecycle is 15 years or maybe more, and everything is thinking in these timeframes," Scheu said. "The IT side, in terms of ransomware, just came too fast and now we are trying to catch up."

One of the main challenges impeding progress around improved PLC cybersecurity is the lack of awareness and institutional knowledge around the practice.

"Some of our clients have no idea. They don't say that they want it. You have to sell it to them. It's unbelievable," Rottermund said. "The asset owners don't ask for secure coding or security. … Industries like steel and other production industries don't really want it. It costs a lot and why should we do this? You have to sell it. And that's a problem."

The project hopes its efforts will crack open the black box that are PLCs and introduce secure coding practices such as input validation, hashing to insure the integrity of PLC builds, and the disabling of unnecessary communication ports and unused protocols—all of which reduce the attack surface on a PLC.

Subscribe, rate, and review the Nexus podcast on all major platforms, including Apple Podcasts and Spotify.

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.

Stay in the know

Get the Nexus Connect Newsletter

Share

LinkedIn Twitter Facebook Email

Featured Articles

Considerations for Medical Device Vulnerability Remediation Aim for a Sustainable Security Strategy that Brings Resilience

Featured Videos

Browse by Topics

Cyber Resilience Cybersecurity Insurance Federal Food & Beverage Healthcare Industrial Internet of Things Nexus Conference Operational Resilience Operational Technology Ransomware Risk Management Technical Debt Vulnerability Management Zero Trust

You might also like…

Read more
Operational Resilience

Nexus Podcast: Adam Gluck on Industrial DevOps

Michael Mimoso
Healthcare
Cyber Resilience
Vulnerability Management

Nexus Podcast: Greg Garcia on the Change Healthcare Cyberattack

Michael Mimoso
Researcher Ryan Pickren explains a new web-based attack against programmable logic controllers (PLCs) that uses malicious JavaScript to attack the front end of an embedded web server prevalent in modern PLCs.
Operational Technology
Vulnerability Management
Internet of Things

Nexus Podcast: Ryan Pickren on New Web-Based PLC Malware Research

Michael Mimoso
In this episode of the Claroty Nexus podcast, Hormel Foods CISO and Director of Security and Compliance Mike Rogers explains that CISOs should understand their level of exposure in the event of a cybersecurity incident and proactively seek personal liability protection.
Risk Management
Food & Beverage
Operational Resilience

Nexus Podcast: Mike Rogers on CISO Exposure During Incidents

Michael Mimoso
Team82’s Noam Moshe discusses state actor targeting of OT, why it’s so challenging to develop ransomware for OT and industrial control systems, and the mitigation strategies available to defenders of cyber-physical systems.
Internet of Things
Operational Technology
Vulnerability Management

Nexus Podcast: Team82 Answers More of your Cybersecurity Research Questions

Michael Mimoso
Juan Piacquadio, chief information officer of Phlow Corp., describes the innovative and competitive edge the implementation of Pharma 4.0 brings to the industry, and how to best secure it.
Healthcare
Risk Management
Internet of Things

Nexus Podcast: Juan Piacquadio on Securing Pharma 4.0

Michael Mimoso
Carrix security executive David Elfering joins the Nexus podcast to discuss cyber liability insurance, including whether carrier cybersecurity requirements align with risk reduction, some of the red flags that can imperil coverage or claims, and how cyber insurance providers are looking at geopolitical conflict.
Risk Management
Cybersecurity Insurance

Nexus Podcast: David Elfering on CISOs and Cyber Liability Insurance

Michael Mimoso
Claroty Team82 Director of Vulnerability Research Sharon Brizinov and Vulnerability Researcher Noam Moshe discuss their research process, the technical resources at their disposal, and the threat landscape.
Operational Technology
Vulnerability Management

Nexus Podcast: Team82 Answers Your Questions

Michael Mimoso
Mandiant and Google Cloud Head of Emerging Threats and Analytics Nathan Brubaker joins to discuss his team's findings and provide more context on the growing capabilities of Sandworm and its targeting of OT.
Operational Technology
Cyber Resilience

Nexus Podcast: Mandiant on Sandworm APT OT Attacks in Ukraine

Michael Mimoso
Cutaway Security's Don C. Weber joins the Claroty Nexus podcast to discuss ICS cybersecurity training from his experience as a SANS certified instructor and understanding of where automation organizations are struggling and succeeding with cybersecurity.
Cyber Resilience
Operational Technology

Nexus Podcast: Don Weber on Security Culture in Control Environments; STAR Methodology

Michael Mimoso
A new extension to the open source Caldera adversary emulation platform tailored for threats to operational technology (OT) called Caldera for OT features plugins for dnp, Modbus, and BACnet, three popular OT protocols that are prevalent in many commercial products regardless of industry.
Operational Technology
Federal

Nexus Podcast: MITRE on Caldera for OT

Michael Mimoso
Retired Pfizer chief information security officer Jim LaBonty describes the need for a specialized OT security stack that feeds into a converged IT SOC.
Healthcare
Operational Resilience
Cyber Resilience

Nexus Podcast: Jim LaBonty on Building an OT Security Stack

Michael Mimoso

Latest on Nexus Podcast

See all episodes
The Nexus podcast features conversations with security leaders, researchers, and experts sharing their expertise on cyber-physical systems security.
Operational Resilience

Nexus Podcast: Adam Gluck on Industrial DevOps
Healthcare
Cyber Resilience
Vulnerability Management

Nexus Podcast: Greg Garcia on the Change Healthcare Cyberattack
Researcher Ryan Pickren explains a new web-based attack against programmable logic controllers (PLCs) that uses malicious JavaScript to attack the front end of an embedded web server prevalent in modern PLCs.
Operational Technology
Vulnerability Management
Internet of Things

Nexus Podcast: Ryan Pickren on New Web-Based PLC Malware Research