To me, to you: Towards Secure PLC Programming through a Community-Driven Open-Source Initiative

Abstract

Over the last decade, industrial control systems (ICS) have experienced an increasing frequency of cyber attacks. At the heart of these systems are programmable logic controller (PLC), responsible for the monitoring, control, and automation of physical operational processes. As an increasing number of adversaries are attaining the capability to gain a foothold in ICS environments, with the goal of operational process manipulation, PLCs are becoming a primary target. Unlike conventional IT software, PLCs are programmed via unique industrial languages and the notion of secure PLC programming practices is in its infancy. This has led to vulnerabilities within the very logic PLCs use to interact with the physical world, notably in code provided by vendors, which is proprietary and unable to be viewed or edited to implement secure programming practices. These vulnerabilities then affords adversaries an attack surface to achieve their goals. In this positional paper, a conceptual framework is introduced positing the notion of a communitydriven hub. This hub incorporates a set of processes that draw from existing literature, to provide secure, verified, open-source PLC code. The goal of which is to not only provide PLC programmers with a convenient alternative to vulnerable vendor provided libraries, but increase the awareness and importance of secure PLC programming practices.