Use cryptographic hashes, or checksums if cryptographic hashes are unavailable, to check PLC code integrity and raise an alarm when they change.

Security Objective: Integrity of PLC logic
Target Group: Product Supplier, Integration / Maintenance Service Provider, Asset Owner

Checksums

Where (cryptographic) hashes are not feasible, checksums may be an option. Some PLCs generate a unique checksum when code is downloaded into the PLC hardware. The checksum should be documented by the manufacturer / integrator after SAT and be part of warranty / service conditions.

If the checksum feature is not natively available in the controller, the checksum can also be generated in the EWS/HMI and probed, e.g., once a day, to compare with the hash of the original code in the PLC and verify that they match. While this won't provide real-time alerts, it's good enough to track if anyone is attempting changes to the PLC code.

The checksum value can also be moved into a PLC register and configured to raise an alarm when it changes; the value can also be sent to historians, etc.

PLC CPUs generally do not have the processing capacity to generate or check hashes while running. Attempting a hash might actually cause the PLC to crash. But the PLC's engineering software might be able to calculate hashes from the PLC code and save them either in the PLC or somewhere else in the control system.

PLC vendors that are known to have checksum features:

Also, external software can be used for generating checksums:

Example for creating checksums in Siemens S7-1500 PLC:

The GetChecksum function block reads the actual checksum, and with a lightweight script the "SAT-Checksum" can be stored as a reference. A deviation from the Reference-Checksum can be stored with the Datalog function.

This is a partial example of how an organization can develop a level of PLC program change detection capability within their ICS environment. This example is specifically for a Rockwell Automation ControlLogix PLC and is not complete; however, it illustrates how to retrieve the PLC processor state into a register within the PLC.
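The once-a-day comparison on the EWS/HMI against a reference taken after SAT could look like the following. This is an added example, not code from the original page or from any PLC vendor. It assumes the engineering software can export the PLC program to a file that is byte-identical for unchanged logic; the controller names, file names and reference store are hypothetical.

```python
# Added example: LINE1-PLC, LINE2-PLC, refs.json and line1.export are hypothetical names.
import hashlib, hmac, json, tempfile
from pathlib import Path

def digest_export(path: Path) -> str:
    """SHA-256 of an exported PLC program file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_reference(store: Path, plc: str, export: Path) -> str:
    """Store the digest taken after SAT as the reference for this PLC."""
    refs = json.loads(store.read_text()) if store.exists() else {}
    refs[plc] = digest_export(export)
    store.write_text(json.dumps(refs, indent=2))
    return refs[plc]

def daily_check(store: Path, plc: str, export: Path) -> dict:
    """Compare the current export with the reference; a missing input alarms too."""
    refs = json.loads(store.read_text()) if store.exists() else {}
    if plc not in refs:
        return {"plc": plc, "status": "NO_REFERENCE", "alarm": True}
    if not export.exists():
        return {"plc": plc, "status": "EXPORT_MISSING", "alarm": True}
    current = digest_export(export)
    same = hmac.compare_digest(current, refs[plc])
    return {"plc": plc, "status": "MATCH" if same else "CHANGED",
            "alarm": not same, "reference": refs[plc], "current": current}

def demo() -> list:
    """Constructed run: SAT baseline, unchanged check, then modified logic."""
    with tempfile.TemporaryDirectory() as d:
        store, export = Path(d) / "refs.json", Path(d) / "line1.export"
        export.write_bytes(b"constructed PLC program export v1")
        record_reference(store, "LINE1-PLC", export)
        results = [daily_check(store, "LINE1-PLC", export)["status"]]
        export.write_bytes(b"constructed PLC program export v1 + extra rung")
        results.append(daily_check(store, "LINE1-PLC", export)["status"])
        results.append(daily_check(store, "LINE2-PLC", export)["status"])
        export.unlink()
        results.append(daily_check(store, "LINE1-PLC", export)["status"])
    return results

if __name__ == "__main__":
    print(demo())
```

The reference store needs the same write protection as the PLC project itself, since anyone who can change both the logic and the stored digest defeats the comparison.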