
Meinrad Happacher

Top 20 Secure PLC Coding Practices

Secure coding practices for programmable logic controllers (PLCs) are being published for the first time. Such programming principles, which help developers take security into account, are well established for IT software, but until now nothing comparable existed for programming PLCs.


"Secure Coding Practices" for PLCs are particularly relevant for securing critical infrastructures - such as electricity suppliers, water suppliers and food producers - which have been subject to stricter regulation in Germany as a result of the recently passed IT Security Act 2.0.

The "Top 20 Secure PLC Coding Practices" are the result of an international community project to which all participants contributed on a voluntary basis.

After more than a year of work, the project result is now available for free download from 15.06.2021, 15:00 CEST.

It contains a two-page summary of all 20 "programming practices" as well as further information on up to four pages per "practice", instructions, background information, security benefits, implementation examples and references to related standards and frameworks.

Aim of the project

The document is freely available and comes with a maximally permissive license that allows any reuse, copying and use for commercial and non-commercial purposes. The wish of the project initiators and the project team is to disseminate the previously lacking knowledge about secure programming of PLCs and to anchor it firmly in the knowledge base of PLC programmers, users and manufacturers. The Secure Coding Practices could be used in information security management systems, in guidelines for secure system development and in requirements for suppliers.

The document can and should therefore be used and commented on - a comment form will be available on the project website. Feedback from users and manufacturers of PLCs is particularly welcome. The "Top 20 Secure PLC Coding Practices" will be updated regularly.

Further cooperation is planned with, among others, a team from the US organization MITRE that develops the "Common Weakness Enumeration" (CWE), the counterpart to the well-known "Common Vulnerabilities and Exposures" (CVE) list, which is also maintained by MITRE. PLCs are not yet covered there either. Training courses on the Top 20 Secure PLC Coding Practices are also likely to follow.


Background and origin

The project was led by Sarah Fluchs, CTO of the German consulting firm admeritia, which specializes in industrial IT security, and Vivek Ponnada, who works for General Electric Canada.
The project was supported with infrastructure by Dale Peterson and S4xEvents, the ISA Global Cybersecurity Alliance and admeritia, which also operates the project website with the list of the Top 20 Secure PLC Coding Practices and further information.

It has long been clear to industrial security experts that PLCs are among the most vulnerable components in automated systems. There are numerous reports of vulnerabilities and inherently insecure features in PLCs, which were exploited not least in the well-known security incidents Stuxnet and Triton/Trisis. However, there has been little concrete action to make PLCs more secure.

Accordingly, the response to the community project was strong right from the start: almost 1000 users registered on the public platform created especially for the project (top20.isa.org), submitted secure coding practices, commented on the submissions and selected the 20 most important programming practices. The project's target group is PLC programmers. Members of German integrators, operators and associations from the field of automation technology were also involved in the creation.
