Once again someone has asked me about the safety of ladder diagrams, and I really can’t believe it. Every time something goes wrong they come to me only after the crisis has hit; if they had contacted me earlier, the workshop wouldn’t have had to stop production for three days! I’ve been in this industry for 15 years, from the Siemens S7-200 up to today’s S7-1500, so what haven’t I seen? Let me tell you, many so-called industrial control security experts can’t even read a ladder diagram, yet they talk nonsense about risk assessment frameworks. It’s really enough.
Old problems, old issues
Let me tell you about an incident from 2019 at a paper factory in Suzhou that used an AB ControlLogix system. The so-called “system integrator” set all the PLC passwords to “1234”, one password to rule them all! When I went on-site I was shocked: even the remote maintenance port was open, directly exposed to the public network. I asked them whether they were afraid of hackers, and they said: “This isn’t a bank, who would hack us?”… What happened? Three months later the entire production line was locked, and it would cost $300,000 to unlock it.
The factory manager was furious, and Xiao Zhang (the one who had built the system) was almost in tears. They stayed up for three days and nights, his wife called him eight hundred times, and only then did they realize that PLC security is no joke.
In fact, ladder diagrams inherently have security vulnerabilities. Why? Because they were designed in the 70s and 80s, when there was no concept of network security. They were all standalone operations, closed-loop control. Now, with Industry 4.0 and the Internet of Things, connecting those outdated PLCs to the internet has created more security holes than a sieve.
Pitfalls of on-site modifications
Last winter, at an auto parts factory in Hebei, the entire line suddenly stopped during the night shift. They called me to take a look, and the ladder diagram had been completely altered. Who did it? On asking around, I found out it was a young guy who had graduated just three months earlier and took it upon himself to “optimize” the program while no one was around on the night shift! Later, after checking the surveillance footage, it turned out he had plugged his own USB drive into the engineering station and downloaded a program before leaving. That USB drive was normally used for downloading movies… just think about what kind of virus could have been on it.
What does this tell us? People are the biggest security risk. No matter how much technical protection you implement, you can’t stop an insider from making a rash decision.
By the way, speaking of this, many factories are now rolling out things like two-factor authentication and permission levels… in theory it’s great, but in practice? Workers share accounts with each other, and the engineers’ passwords are basically stuck to the monitor! Last year, in a factory in Guangdong, I saw the engineer’s password written in marker on the control cabinet door. It was ridiculous…
// A typical rung (IEC 61131-3 instruction list) with no security awareness
LD I0.0 // Emergency stop button
OR M100.0 // Remote shutdown signal (anyone who can write this bit can trigger it)
R Q0.0 // Reset the main motor output
Performance bottlenecks and the nonsense of theorists
Now many IT security professionals come to guide industrial control security, spouting a bunch of nonsense about encryption and firewalls. I just want to ask: do you know what the scan cycle of a PLC is? A typical S7-1200 has a cycle of just a few milliseconds to tens of milliseconds. Try putting an encryption algorithm in there? The entire control system will freeze.
In 2021 I encountered this situation at a water plant, where a certain security expert insisted on adding “high-strength encryption” to every data transmission. The result was communication delays that made the pump station respond three seconds late, almost causing a loss of water pressure control. Such people are both foolish and dangerous: they have read too many books and done too little practical work.
By the way, many so-called “security assessment tools” are fundamentally inaccurate when analyzing ladder diagram programs. Those tools are designed for IT systems and do not understand industrial control logic. What if the process runs away? What if it hangs? What if there are control delays? These tools don’t care at all. The funniest thing I’ve seen is a so-called “intelligent analysis system” that flagged normal motor start/stop interlocks as “security vulnerabilities”… it was laughable.
Practical experience is the hard truth
Having said all this, what should we do? My experience over the past 15 years has led me to the following conclusions:
First, physical isolation is always the most reliable. If it can be disconnected from the network, it should be; if it must be connected, use a unidirectional isolation gateway. Don’t talk to me about the convenience of cloud monitoring and remote maintenance; I just want to ask, how much do you lose for a day of production stoppage?
Second, ensure the basic security of PLC programs. Many people overlook this; in fact, ladder diagrams can also implement security checks. For example (same instruction-list notation as above):
// Simple but effective security check
LD I0.0 // Operation request signal
AND M100.0 // Operator authentication flag
AND DB10.DBX0.0 // Time window validation
AND M200.0 // Operation sequence validation
ST Q0.0 // Execute dangerous operation only when every condition holds in the same scan
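To show the difference between the two rungs above in a way you can run at a desk, here is a tiny simulator of one PLC scan: it reads the process image, evaluates the instruction list top to bottom with a single boolean accumulator, and writes the outputs. This is an added example written for this post, not code from the post’s author or from any PLC vendor; the addresses (I0.0, M100.0, DB10.DBX0.0, M200.0, Q0.0) are the ones used in the two snippets, and the I/O values fed to it are constructed test data, not readings from a real controller. It only implements the handful of IL instructions the two rungs need.

```python
"""Tiny IEC 61131-3 instruction-list (IL) interpreter for the two rungs above.

Added example, not code from the original post. Models one PLC scan over a
process image (dict address -> bool). Unknown addresses read as False, like
a fresh memory bit. Supports LD/LDN, AND/ANDN, OR/ORN, ST, S, R only.
"""

# Rung from the post's "no security awareness" snippet: the remote bit
# M100.0 on its own is enough to reset the main motor output.
UNSAFE_RUNG = """
LD  I0.0        // Emergency stop button
OR  M100.0      // Remote shutdown signal (anyone can trigger it)
R   Q0.0        // Reset the main motor output
"""

# Rung from the post's "simple but effective security check": every
# condition must be true in the same scan before Q0.0 is written.
CHECKED_RUNG = """
LD  I0.0          // Operation request signal
AND M100.0        // Operator authentication flag
AND DB10.DBX0.0   // Time window validation
AND M200.0        // Operation sequence validation
ST  Q0.0          // Execute dangerous operation
"""


def parse_il(source):
    """Return a list of (opcode, operand) tuples, dropping // comments."""
    program = []
    for raw in source.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        opcode, operand = line.split(None, 1)
        program.append((opcode.upper(), operand.strip()))
    return program


def run_scan(program, image):
    """Execute one scan of `program` against `image`; return the new image."""
    image = dict(image)          # the PLC works on a copy of the I/O image
    acc = False                  # single boolean accumulator (RLO / CR)
    for opcode, operand in program:
        value = image.get(operand, False)
        if opcode == "LD":
            acc = value
        elif opcode == "LDN":
            acc = not value
        elif opcode == "AND":
            acc = acc and value
        elif opcode == "ANDN":
            acc = acc and not value
        elif opcode == "OR":
            acc = acc or value
        elif opcode == "ORN":
            acc = acc or not value
        elif opcode == "ST":     # store: coil follows the accumulator
            image[operand] = acc
        elif opcode == "S":      # set latch only when the accumulator is true
            if acc:
                image[operand] = True
        elif opcode == "R":      # reset latch only when the accumulator is true
            if acc:
                image[operand] = False
        else:
            raise ValueError(f"unsupported IL opcode: {opcode}")
    return image


def motor_after_unsafe_scan(remote_bit):
    """Motor running, E-stop released; scan UNSAFE_RUNG with M100.0 = remote_bit."""
    image = {"Q0.0": True, "I0.0": False, "M100.0": remote_bit}
    return run_scan(parse_il(UNSAFE_RUNG), image)["Q0.0"]


def checked_rung_output(request, authenticated, in_window, sequence_ok):
    """One scan of CHECKED_RUNG with the given conditions; return Q0.0."""
    image = {
        "I0.0": request,
        "M100.0": authenticated,
        "DB10.DBX0.0": in_window,
        "M200.0": sequence_ok,
        "Q0.0": False,
    }
    return run_scan(parse_il(CHECKED_RUNG), image)["Q0.0"]


if __name__ == "__main__":
    print("unsafe rung, remote bit only, motor still running:", motor_after_unsafe_scan(True))
    print("checked rung, all four conditions true, Q0.0 =", checked_rung_output(True, True, True, True))
    print("checked rung, no operator authentication, Q0.0 =", checked_rung_output(True, False, True, True))
```

The point the simulator makes is the one the post makes: in the first rung a single writable memory bit is the whole decision, so whoever can write M100.0 (a compromised HMI, a remote-maintenance session, a rogue USB download) stops the motor; in the second rung the output is false unless the request, the operator flag, the time window and the sequence flag all agree in the same scan, and the rung adds no per-scan cost beyond three extra boolean instructions.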
Third, don’t blindly trust big brands. PLCs from big manufacturers like Siemens and AB also have vulnerabilities. How many factories were affected by the TIA Portal vulnerability exposed by Siemens in 2020?
Fourth, training! Training! Training! No advanced protection can stop foolish actions by employees. I’ve seen maintenance workers “clear” the PLC program outright and restart it because they thought “restarting solves the problem”… such people should go farm!
Alright, after all this talk, just remember one thing: security is not something software alone can solve; it is a comprehensive issue of management and technology. Those fancy risk assessment frameworks of yours are not as important as a reliable on-site electrician. Alright, the phone is ringing again; I guess it’s another device malfunction and I need to go put out the fire. If you have any questions, contact me, and don’t wait until it explodes to find me…
Disagree with me? Just watch me.