Simatic S7-1500 CPU and input modules

Throughout my whole life I have been fascinated by industrial machines, automated production and process technology. In 2017 a customer asked whether we could "program a machine" for him, which I definitely confirmed. After discussing which technology to use for the main control system inside this machine, we agreed on a Siemens Simatic S7 PLC. I preferred to use an embedded system instead of a PLC, but the customer insisted on Siemens products for his machine, so we implemented a "Siemens". (PLC programming was completely new to me at the time, but even now I prefer embedded systems or embedded controllers over PLCs because they are not limited in their functionality.)

Anyhow, this article is not about discussing weird programming approaches of PLCs; it is about enhancing the security of your PLC programs and projects. The main advantage of PLC programming is that it is quite easy to do. You can learn it relatively fast (it took me about 14 days from zero PLC knowledge until I started my first project) and you do not need any (advanced) knowledge of computer programming or network technology. This advantage is the main drawback as well, because by neglecting some fundamentals you would normally learn from, e.g., network security, you may introduce some large security holes into your PLC program. REMEMBER: The PLC will be used inside a machine which is most likely connected mechanically, physically, electronically (or in any other way) to other machines inside a production plant, which can lead to severe consequences when a malicious attacker exploits or captures your PLC.

Therefore, I made a list with some recommendations I followed throughout my projects. The list is made and illustrated for Siemens Simatic PLCs and the TIA Portal but follows rather general recommendations and can therefore be used with other PLCs, IDEs and also non-PLC based projects:

As you might see, these principles are not very hard to implement and are also valid for other sectors, not only for PLC programming. I created a checklist which I check every time I release a new version. This helps me reduce security flaws and satisfies the customer.