8.9) Check input variables, watch out for indirect calls

8) Check input variables

Access to PLC variables must be restricted. An out-of-range value from the HMI must be correctly processed or the operator must receive a message about it.

Description

The input check should include a check for an acceptable operating range.

If a PLC variable gets an out-of-bounds value, implement the following logic:

  • either assign a default value to this variable, one that does not adversely affect the process and can double as a flag for warnings,

  • or keep the last valid value for this variable and log the event for further analysis.

Examples

Example 1
The operation requires the user to enter the valve pressure value on the HMI. The valid range for this value is 0-100, and user input on the HMI is transferred to variable V1 in the PLC. In this case:

  1. The HMI input to variable V1 has a limited range of 0 to 100 (decimal) programmed into the HMI.

  2. The PLC has a check:

IF V1 < 0 OR V1 > 100 THEN SET V1 = 0.

This will provide a correct response to invalid input for this variable.

Example 2
The operation requires the user to enter the measurement thresholds for the variable, which must always fit the INT2 (16-bit integer) data type. User input is transferred from the HMI to variable V2 in the PLC, which is a 16-bit register.

  1. The HMI input to variable V2 has a limited range of -32768 to 32767 (decimal) programmed into the HMI.

  2. The PLC has a data type check that sets an overflow variable (V3), which becomes TRUE if V2 is outside the data type's range:

IF (V2 = -32768 OR V2 = 32767) AND V3 != 0,
SET V2 = 0 AND SET V3 = 0 AND SET DataTypeOverflowAlarm = TRUE.
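The two checks above, as an added example in C that is not code from the original post or from the Top 20 project: V1 is range-checked against 0 to 100 (with both the default-value and the hold-last-value strategies from the description), and V2 is modelled as a 16-bit register whose conversion sets the overflow flag V3. The 32-bit HMI input parameter, the saturating register write and the printf-based event log are assumptions made for this simulation; V1, V2, V3 and DataTypeOverflowAlarm are the post's own names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original post. It models Examples 1 and 2
 * as checks that run in the PLC scan regardless of what the HMI enforces.
 * V1, V2, V3 and DataTypeOverflowAlarm are the post's names; the 32-bit
 * hmi_value parameter and the printf event log are constructed for this
 * simulation. */

#define V1_MIN     0
#define V1_MAX     100
#define V1_DEFAULT 0     /* safe fallback that doubles as the warning flag */

typedef struct {
    int32_t v1;          /* value the process will actually use */
    bool    v1_warning;  /* TRUE when the HMI value was out of range */
} v1_result;

/* Example 1: IF V1 < 0 OR V1 > 100 THEN SET V1 = 0 (default-value strategy). */
v1_result check_v1(int32_t hmi_value) {
    v1_result r = { hmi_value, false };
    if (hmi_value < V1_MIN || hmi_value > V1_MAX) {
        r.v1 = V1_DEFAULT;
        r.v1_warning = true;
    }
    return r;
}

/* The post's alternative: keep the last valid value and log the rejection.
 * last_valid_v1 stands in for a retained PLC variable. */
static int32_t  last_valid_v1 = V1_DEFAULT;
static unsigned v1_rejections = 0;

int32_t check_v1_hold_last(int32_t hmi_value) {
    if (hmi_value < V1_MIN || hmi_value > V1_MAX) {
        v1_rejections++;
        printf("LOG: V1 input %d rejected, holding %d\n", hmi_value, last_valid_v1);
        return last_valid_v1;
    }
    last_valid_v1 = hmi_value;
    return hmi_value;
}

unsigned v1_rejection_count(void) { return v1_rejections; }

/* Example 2: V2 is a 16-bit register, V3 is the overflow flag the data type
 * conversion sets when the incoming value did not fit. */
typedef struct {
    int16_t v2;
    bool    v3;
    bool    data_type_overflow_alarm;
} v2_state;

/* Models the HMI write into V2: values beyond INT saturate and set V3. */
void write_v2(v2_state *s, int32_t hmi_value) {
    s->v3 = false;
    if (hmi_value > INT16_MAX)      { s->v2 = INT16_MAX; s->v3 = true; }
    else if (hmi_value < INT16_MIN) { s->v2 = INT16_MIN; s->v3 = true; }
    else                            { s->v2 = (int16_t)hmi_value; }
}

/* IF (V2 = -32768 OR V2 = 32767) AND V3 != 0,
 *     SET V2 = 0 AND SET V3 = 0 AND SET DataTypeOverflowAlarm = TRUE */
void check_v2(v2_state *s) {
    if ((s->v2 == INT16_MIN || s->v2 == INT16_MAX) && s->v3) {
        s->v2 = 0;
        s->v3 = false;
        s->data_type_overflow_alarm = true;
    }
}

/* One scan cycle: HMI write followed by the PLC-side check. */
v2_state run_v2_cycle(int32_t hmi_value) {
    v2_state s = { 0, false, false };
    write_v2(&s, hmi_value);
    check_v2(&s);
    return s;
}

int main(void) {
    int32_t inputs[] = { 50, 150, -1 };
    for (int i = 0; i < 3; i++) {
        v1_result r = check_v1(inputs[i]);
        printf("V1 input %d -> V1 = %d, warning = %d\n", inputs[i], r.v1, r.v1_warning);
    }
    v2_state s = run_v2_cycle(40000);
    printf("V2 input 40000 -> V2 = %d, alarm = %d\n", s.v2, s.data_type_overflow_alarm);
    s = run_v2_cycle(32767);
    printf("V2 input 32767 -> V2 = %d, alarm = %d\n", s.v2, s.data_type_overflow_alarm);
    return 0;
}
```

Note that a legitimate 32767 passes: V2 sits at the limit but V3 is not set, which is exactly why the check requires both conditions rather than the limit value alone.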

Example 3
Monitor the parameters and values for the PID controllers to eliminate scaling and conversion errors that cause control problems. Setting these values incorrectly can lead to undesirable consequences.

Security

  1. Although HMIs usually provide some input validation, an attacker can always craft and replay modified packets to send arbitrary variable values to any PLC that is exposed to outside influence.

  2. PLC protocols are usually marketed as “open” protocols and published to the general public, so it is not difficult to create malware that uses “open” protocol information. The placement of PLC variables is usually determined through traffic analysis during the reconnaissance phase of an attack, which gives an attacker the information needed to craft malicious packets for the PLC and manipulate the process with unauthorized tools. Checking the values passed to the PLC before integrating the data into the process ensures that the value ranges are respected and eliminates invalid values by forcing them to safe values.

9) Watch out for indirect calls

Watch out for accesses to array elements to avoid off-by-one errors.

Description

Indirect reference is the use of a register value as the address of another register. There are many reasons for using indirect references.

Examples of required indirect calls:

  • Variable Frequency Drives that trigger different actions for different frequencies using lookup tables.

  • Decide which pump to start first based on their current running hours.

PLCs usually do not have an “end of array” flag, so it is a good idea to create one in software; the goal is to avoid unplanned operations in the PLC.

Example

Instruction List (IL) Programming
This approach can be converted into multiple functional blocks and possibly even reused for many projects.

1 Create an array mask

Check whether the array size is a power of two. If it is not, pad it to the next power of two. For example, if you need 5 registers (not a power of two):

[21 31 41 51 61]

define an array of 8 elements:

[x x 21 31 41 51 61 x]

Then take the index value you want to dereference; in this example, it is 3.

Caveat: Index starts at 0!

[21 31 41 51 61]

Index: 3

Add an offset to it to compensate for the poisoned (forbidden) front end. The offset can be 1 or higher; in this case it is 2:

[x x 21 31 41 51 61 x]

Offset index: 3 + 2 = 5

And then do a bitwise AND between the index including the offset and the mask equal to the size of the array.

In this example, the size of the array is 8, hence the mask will be 0x07. The mask ensures that the maximum index you can get is 7, for example:

6 AND 0x07 returns 6;
7 AND 0x07 returns 7;
8 AND 0x07 returns 0;
9 AND 0x07 returns 1;

This ensures that you always access a value inside the padded array.

2 Insert the poisoned ends

Poisoning (marking) the ends is optional. You could detect manipulation without poisoning, but poisoning helps catch off-by-one errors, because you get back a value that makes no sense.

The point is that index 0 of the array must hold an invalid value, for example -1 or 65535. This is the “poisoned end”. Do the same with the last element(s) of the array.

So, for the above array, the poisoned version might look like this:

[-1 -1 21 31 41 51 61 -1]

3 Record the value at the indirect address without mask

Then record the value at the indirect address, without applying the mask or the offset:

In this example, you would write 51 for index 3.

[21 31 41 51 61]
Index 3

4 Perform bitwise AND with mask and compare values (= bounds check)

Compare the recorded value with the value read after applying the offset and the bitwise AND.

4a Case A: Correct indirection

First, the offset:
Index + Offset = 3 + 2 = 5

Second, the mask:
5 AND 0x07 = 5

Third, checking the value:
[-1 -1 21 31 41 51 61 -1]
Offset index: 5
Value = 51 equals the recorded value; everything is fine.

4b Case B: Manipulated indirection

If the index has been manipulated, say to 7, let’s see what happens:

First, the offset:
Index + Offset = 7 + 2 = 9

Second, the mask:
9 AND 0x07 = 1

Third, checking the value:
[-1 -1 21 31 41 51 61 -1]

Offset index: 1
Value = -1 does not equal the recorded value, and it is also your poisoned end, so you know that your indirect reference is being manipulated.

5 Raise a fault warning

If the checked value differs from your recorded value, you know something is wrong. Then check the index value. If it points at a poisoned value, you should raise a software quality issue: this most likely indicates an off-by-one error.
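The five steps above, simulated in C as an added example (not code from the original post): the table [21 31 41 51 61] is padded to 8 slots with offset 2, mask 0x07 and poison value -1 exactly as in the text. The flat register bank around the table, the values held in the neighbouring registers and the lookup_status names are constructed for this simulation; on a real PLC the unchecked read is simply the plain indirect register access.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original post: the mask/offset/poison
 * check simulated over a constructed register bank. The lookup table
 * [21 31 41 51 61], padded size 8, mask 0x07, offset 2 and poison -1 are
 * the post's numbers; the bank layout and neighbouring register values
 * are constructed for the simulation. */

#define POISON      ((int16_t)-1)
#define PADDED_SIZE 8                    /* next power of two above 5 */
#define INDEX_MASK  (PADDED_SIZE - 1)    /* 0x07 */
#define OFFSET      2                    /* poisoned slots before element 0 */
#define LOOKUP_LEN  5
#define LOOKUP_BASE 4                    /* where the table sits in the bank */
#define BANK_SIZE   16

/* Steps 1 and 2: power-of-two sized copy of the table with poisoned ends. */
static const int16_t padded[PADDED_SIZE] = { POISON, POISON, 21, 31, 41, 51, 61, POISON };

/* Flat PLC memory as an unprotected indirect read sees it; the registers
 * around the table hold unrelated process values (constructed). */
static const int16_t bank[BANK_SIZE] = {
    100, 200, 300, 400,                        /* 0..3  unrelated */
    21, 31, 41, 51, 61,                        /* 4..8  the lookup table */
    900, 1000, 1100, 1200, 1300, 1400, 1500 }; /* 9..15 unrelated */

typedef enum { LOOKUP_OK, LOOKUP_MISMATCH, LOOKUP_POISONED } lookup_status;

typedef struct {
    int16_t  recorded;      /* step 3: value read with no mask or offset */
    int16_t  checked;       /* step 4: value read through offset and mask */
    unsigned masked_index;  /* (index + OFFSET) AND mask */
    lookup_status status;   /* step 5 */
} lookup_result;

/* Step 3: the plain indirect read. A bad index walks straight into the
 * neighbouring registers, which is the off-by-one the post warns about.
 * The BANK_SIZE guard only keeps the simulation itself in bounds. */
static int16_t unchecked_read(unsigned index) {
    unsigned addr = LOOKUP_BASE + index;
    return addr < BANK_SIZE ? bank[addr] : POISON;
}

/* Steps 4 and 5: offset, mask, read the padded table, compare. */
lookup_result checked_lookup(unsigned index) {
    lookup_result r;
    r.recorded     = unchecked_read(index);
    r.masked_index = (index + OFFSET) & INDEX_MASK;   /* never exceeds 7 */
    r.checked      = padded[r.masked_index];
    if (r.checked == r.recorded)  r.status = LOOKUP_OK;
    else if (r.checked == POISON) r.status = LOOKUP_POISONED;  /* hit a poisoned end */
    else                          r.status = LOOKUP_MISMATCH;  /* wrapped back into the table */
    return r;
}

int main(void) {
    static const char *names[] = { "OK", "MISMATCH", "POISONED" };
    unsigned idx[] = { 3, 4, 5, 7, 8 };
    for (size_t i = 0; i < sizeof idx / sizeof idx[0]; i++) {
        lookup_result r = checked_lookup(idx[i]);
        printf("index %u -> masked %u, recorded %d, checked %d : %s\n",
               idx[i], r.masked_index, r.recorded, r.checked, names[r.status]);
    }
    return 0;
}
```

With offset 2 and one trailing poison slot, every out-of-range index from 5 to 7 lands on a poisoned slot (7, 0 and 1 respectively), so the classic one-past-the-end index 5 is caught directly. An index large enough to wrap back into the table (8 maps to slot 2) is still reported, because the recorded value from the flat bank no longer matches the masked read.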

Security

Most PLCs do not have functions for handling indexes that go beyond the bounds of the array. There are two potentially dangerous scenarios:

First, if the indirection results in a read from the wrong register, the program is executed with the wrong values.

Second, if an incorrect indirection results in a write to the wrong register, the program overwrites code or values that you want to keep.

In both cases, indirection errors are difficult to detect and can have serious consequences. They are caused by programmer error, but they can also be inserted maliciously.

Reliability

Unforeseen human programming errors are identified.

Push

I invite everyone to telegram chat and telegram channel for specialists in the field of industrial automation. Here you can directly ask a very highly specialized question and even get an answer.

I am waiting for your opinion and experience regarding this item in the comments. There will be a total of 20 points from “Top 20 Secure PLC Coding Practices”. I hope everyone will receive as many comments as possible to make their own list of PLC programming recommendations.
