Why PLCs Are a Cyber Security Weak Link
Erik Schweigert, BSc, Embedded Systems Developer for Tofino Security, posted an article earlier this week on the Tofino website explaining why programmable logic controllers (PLCs) are so insecure. In his post, Schweigert points to three somewhat related factors that make PLCs particularly vulnerable to cyber security threats:
1. PLCs have very long life spans. With the average PLC running for 20 years or more, the majority of systems in use today have likely been in operation for at least a decade. As Schweigert points out, 10–20 years ago, industrial cyber security just wasn’t a top priority for most control systems designers.
2. Security was not designed into the existing PLC installed base. Much like the control systems designers of 20 years ago, the PLC manufacturers themselves weren’t thinking about cyber security at that time, which means security was not designed into the older PLCs in use today.
3. Older PLCs have limited horsepower. While today’s PLCs have plenty of processing power and memory to spare, a 10–20-year-old PLC currently in operation likely has just enough processing power and memory to perform control functions, leaving little room to retrofit security.
For users of older PLC devices, Schweigert says staying on top of the latest ICS security and industry standards is key. He recommends all users familiarize themselves with the concepts in the ISA/IEC 62433 standards (formerly ANSI/ISA-99).
To read Schweigert’s full post on this topic, click here.
To read Flow Control’s August “Automation File” article on “Why SCADA Security Matters for Flow Control Professionals,” click here.