Most PLCs lack source and data authentication on firmware uploads. Some PLCs even lack checksums for validating that the firmware was transferred correctly. If an attacker can modify the PLC firmware, they can:
• take complete control over the infected system,
• learn about the production process,
• selectively sabotage the manufacturing operation (as Stuxnet did), or
• propagate to the enterprise network from a trusted manufacturing system.

Not everyone who wants control of your system wants to destroy your plant. The risks can be more subtle. A great deal of intellectual property is embedded in a manufacturing setup, and sometimes the intent is merely to get at this IP. Malware of this kind will not announce itself by creating problems in your manufacturing setup.

Automation World once reported, “The interesting thing about Dragonfly is that it targeted ICS information not for the purpose of causing downtime, but for the purpose of intellectual property theft. The potential damage could include the theft of proprietary recipes and production batch sequence steps, as well as network and device information that indicate manufacturing plant volumes and capabilities.” [4]

The system-level solution to mitigating this is to implement secure boot for the main PLC CPU: the firmware is authenticated, and only software carrying a valid digital signature is accepted. Depending on your requirements, the firmware can also be encrypted. The signature-verification and decryption workload can easily overwhelm the MIPS available on a traditional PLC CPU, or introduce latency. This is best handled by off-loading the security functions to a low-cost, off-the-shelf secure microprocessor built for them. The system shown in Fig. 6 uses an external secure micro to validate the firmware’s digital signature before the main CPU runs it.
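The following is an added example (not code from the original article or from any PLC or secure-microcontroller vendor) of the check such an external secure micro would perform on an uploaded image: parse a constructed container format, verify an Ed25519 signature against a public key pinned in the verifier, and enforce a minimum version so an old but genuinely signed image cannot be rolled back onto the controller. The image layout, the `BuildImage`/`VerifyImage` names and the sample payload are assumptions made for illustration; it also shows why a bare checksum (the L1 case) is not a substitute, since the tampered image below would pass any integrity check that an attacker can recompute.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not a vendor format):
//   magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | sig(64)
// The signature covers everything before it (header + payload), so neither the
// version field nor the code can be altered without invalidating it.
var magic = []byte("FWIM")

const headerLen = 12

// Image is the parsed, verified container handed to the main CPU.
type Image struct {
	Version uint32
	Payload []byte
}

var (
	ErrFormat    = errors.New("malformed firmware image")
	ErrSignature = errors.New("firmware signature verification failed")
	ErrRollback  = errors.New("firmware version older than minimum allowed")
)

// BuildImage models the vendor's signing station: the private key never leaves it.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the secure micro's gate: it holds only the pinned public key
// and the minimum acceptable version, and releases the main CPU only on success.
func VerifyImage(pub ed25519.PublicKey, minVersion uint32, img []byte) (*Image, error) {
	// Structural checks first, so a truncated upload never reaches the signature step.
	if len(img) < headerLen+ed25519.SignatureSize || !bytes.Equal(img[:4], magic) {
		return nil, ErrFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:12])
	if uint64(plen) != uint64(len(img)-headerLen-ed25519.SignatureSize) {
		return nil, ErrFormat
	}
	signed := img[:headerLen+plen]
	sig := img[headerLen+plen:]
	// Authentication: only the vendor's key can have produced this signature.
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrSignature
	}
	// Anti-rollback: a genuine but older image is still refused.
	if version < minVersion {
		return nil, ErrRollback
	}
	return &Image{Version: version, Payload: img[headerLen : headerLen+plen]}, nil
}

func main() {
	// In a real deployment the key pair is generated at the vendor and only the
	// public half is burned into the secure micro; both are generated here so the
	// example runs stand-alone.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := BuildImage(priv, 3, []byte("constructed ladder-logic payload"))
	if _, err := VerifyImage(pub, 2, img); err != nil {
		panic(err)
	}
	fmt.Println("genuine image: accepted")

	// Flip one byte of the payload: a recomputed checksum would still match,
	// but the pinned-key signature check rejects it.
	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0xFF
	_, err = VerifyImage(pub, 2, tampered)
	fmt.Println("tampered image:", err)
}
```

The check ordering matters in practice: length and magic validation happens before any cryptographic work so that a malformed upload cannot trigger out-of-bounds reads, and the version comparison happens only after the signature is verified so that the version field itself is authenticated.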

All of the above examples use keys to enable authentication, which raises the question of key protection. Physical security of a key is of prime consideration in many applications, since there is no security once the key is compromised.

To properly address physical security, several issues must be considered: a physical mechanism for generating random keys, a physical design that prevents covert electronic interception of a key while it is being communicated between authorized agents, and a secure method of storing a key that protects against clandestine physical and mechanical probing.

Various secure key-storage devices give system designers a host of features, ranging from package design to external-sensor interfaces and internal circuit architectures. These requirements were developed by the Military in the form of the FIPS 140 standard, and many chip vendors, such as Maxim Integrated, provide very comprehensive tamper-protection capabilities that can be used in industrial control systems.


There may be other approaches to security as well, and as we begin to realize how important security is in a connected-factory environment, we will eventually coalesce around a few approaches.

IIoT in manufacturing is in high demand and is a growing trend. Security will eventually grow to cover these vulnerabilities, but the need is already here.

Fig. 6. Secure Boot of the Main PLC CPU

[1] General Electric factory, as featured in Technology Review Magazine
[2] Siemens press brief on the Amberg Electronics plant
[3] Complete presentation available at Black Hat
[4] Automation World
