BLOG

June 5, 2021

Podsumowanie incydentu w Colonial Pipeline

Podsumowanie incydentu w Colonial Pipeline A glimpse of an eye at downtown in any of major cities in Poland is enough to say that we can be proud of most recent commercial real estate developments. Office buildings became more ergonomic and tenant friendly, ongoing technology integration increase users’ comfort and efficiency with a very strong strive towards environmental neutrality. Yet, investors, developers and tenants share one key negligence in their enthusiasm in integrating and using Smart Building technologies: CYBERSECURITY.

Let’s face it – Smart Buildings are insecure

29.04.2021

… but that can be fixed! A glimpse of an eye at downtown in any of major cities in Poland is enough to say that we can be proud of most recent commercial real estate developments. Office buildings became more ergonomic and tenant friendly, ongoing technology integration increase users’ comfort and efficiency with a very strong strive towards environmental neutrality. Yet, investors, developers and tenants share one key negligence in their enthusiasm in integrating and using Smart Building technologies: CYBERSECURITY.

Data Privacy, Data Security. Vol. I

01.04.2021

Privacy, in general terms, is the right to be free from intrusion and interference. In common language, the right to be left alone. In the legal system of a lot of countries privacy is one of the fundamental human rights. In terms of Information Technology, Data Privacy is the field related to the obtaining, handling, processing, and use of personal information and the rights of individuals in respect of their personal information.

The Top 20 Secure PLC Coding Practices. Part 21 – Trap false negatives and false positives for critical alerts

09.02.2021

Identify critical alerts and program a trap for those alerts. Set the trap to monitor the trigger conditions and the alert state for any deviation. Security Objective Target Group Monitoring Integration / Maintenance Service Provider Guidance In most cases, alert-states are boolean (True, False) and triggered by certain conditions as displayed below. E.g., the trigger bit for the alert ‘overpressure’ becomes TRUE, if Condition 1 ‘pressure switch 1’, Condition 2 ‘pressure sensor value over critical threshold’, through n.

The Top 20 Secure PLC Coding Practices. Part 20 – Monitor PLC memory usage and trend it on the HMI

02.02.2021

Measure and provide a baseline for memory usage for every controller deployed in the production environment and trend it on the HMI. Security Objective Target Group Monitoring Integration / Maintenance Service Provider Asset Owner Guidance Since the increase of lines of code in the logic can also lead to increased memory consumption at runtime, it is recommended for PLC programmers to track any deviation from the baseline and dedicate an alarm class to this event.

The Top 20 Secure PLC Coding Practices. Part 19 – Log PLC hard stops and trend them on the HMI

26.01.2021

Store PLC hard stop events from faults or shutdowns for retrieval by HMI alarm systems to consult before PLC restarts. Time sync for more accurate data. Security Objective Target Group Monitoring Integration / Maintenance Service Provider Guidance Fault events indicate why a PLC shuts down so that the issue can be addressed before a restart. Some PLCs may have error codes from the last case where the PLC faulted or shut down improperly.

The Top 20 Secure PLC Coding Practices. Part 18 – Log PLC uptime and trend it on the HMI

20.01.2021

Log PLC uptime to know when it’s been restarted. Trend and log uptime on the HMI for diagnostics. Security Objective Target Group Monitoring Integration / Maintenance Service Provider Guidance Keep track of PLC uptime in the PLC itself (if uptime is a system variable in the PLC) in the PLC itself if it has MIB-2 / any SNMP implementation externally by means of e.g., SNMP If the PLC has SNMP with MIB-2, which is very common, the OID for uptime “sysUpTimeInstance(0)” is 1.

The Top 20 Secure PLC Coding Practices. Part 17 – Summarise PLC cycle times and trend them on the HMI

12.01.2021

Summarize PLC cycle time every 2-3 seconds and report to HMI for visualization on a graph Security Objective Target Group Monitoring Integration / Maintenance Service Provider Guidance Cycle times are usually system variables in a PLC and can be used for summarizing in PLC code. Summarization should be done to calculate average, peak, and minimum cycle times. The HMI should trend these values and alert if there are significant changes. The cycle time is the time it takes to compute each iteration of logic for the PLC.

The Top 20 Secure PLC Coding Practices. Part 17 – Summarise PLC cycle times and trend them on the HMI

05.01.2021

Define safe states for the process in case of PLC restarts (e.g., energize contacts, de-energize, keep the previous state) Security Objective Target Group Resilience Product Supplier Integration / Maintenance Service Provider Guidance If something commands a PLC to restart in the middle of a working process, we should expect the program to pick up smoothly with minimal disruption to the process. Make sure that the process it controls is restart-safe. If it is not practical to configure the PLC to restart-safely, be sure that it alerts you to this fact and that it does not issue any new commands.

The Top 20 Secure PLC Coding Practices. Part 15 – Restrict third-party data interfaces

23.12.2020

Restrict the type of connections and available data for 3rd party interfaces. The connections and/or data interfaces should be well defined and restricted to only allow read/write capabilities for the required data transfer. Security Objective Target Group Hardening Integration / Maintenance Service Provider Guidance In some cases, due to long cable runs or a large exchange of data, interfaced data connections present a better business case than hard-wired data exchange between two separate parties.