{"id":18984,"date":"2022-11-07T17:00:00","date_gmt":"2022-11-07T16:00:00","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=18984"},"modified":"2022-11-28T15:48:30","modified_gmt":"2022-11-28T14:48:30","slug":"top-20-secure-plc-coding-practices","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/","title":{"rendered":"Top 20 Secure PLC Coding Practices"},"content":{"rendered":"\n<p style=\"text-align: justify;\">If you work in cybersecurity, you have probably heard of the <a href=\"https:\/\/owasp.org\/Top10\/\">OWASP TOP 10<\/a>: a standard awareness document that represents a broad consensus about the most critical security risks to web applications.<\/p>\n<p style=\"text-align: justify;\">However, in Industrial Control Systems, we never talk about the security of the code that controls the process. Why? This is the gap the TOP 20 project is trying to close.<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h1 style=\"text-align: justify;\">Project genesis<\/h1>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\">The project started with Jake Brodsky\u2019s presentation at the S4 conference in 2019:<\/p>\n<p style=\"text-align: justify;\"><a href=\"https:\/\/www.youtube.com\/watch?v=JtsyyTfSP1I\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18968 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image6.png\" alt=\"\" width=\"703\" height=\"395\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image6.png 703w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image6-340x191.png 340w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image6-69x39.png 69w\" sizes=\"auto, (max-width: 703px) 100vw, 703px\" \/><\/a><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align:
justify;\">The talk discusses the concept of securing the industrial process by applying secure coding practices in the PLC code, and mentions several examples.<\/p>\n<p style=\"text-align: justify;\">This idea was then transformed into a collaborative project by Sarah Fluchs and Vivek Ponnada, to which more than 900 people contributed their ideas!<\/p>\n<h1 style=\"text-align: justify;\">\u00a0<\/h1>\n<h1 style=\"text-align: justify;\">Programmable Logic Controllers<\/h1>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">Programmable Logic Controllers (PLCs) are located at the core of automation, at level 1 of the Purdue model.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18958 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image1.png\" alt=\"\" width=\"624\" height=\"351\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image1.png 624w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image1-340x191.png 340w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image1-69x39.png 69w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/p>\n<p style=\"text-align: center;\"><em>ISA representation of the Purdue model<\/em><br \/><a href=\"https:\/\/dale-peterson.com\/2019\/02\/11\/is-the-purdue-model-dead\/\">Is The Purdue Model Dead?
&#8211; Dale Peterson: ICS Security Catalyst (dale-peterson.com)<\/a><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\">PLCs are embedded, real-time computers that interact directly with the sensors and the actuators to monitor and control a part of the industrial process.<\/p>\n<p style=\"text-align: justify;\">They run an infinite loop, composed of 4 steps:<\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18960 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image2.png\" alt=\"\" width=\"458\" height=\"323\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image2.png 458w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image2-271x191.png 271w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image2-55x39.png 55w\" sizes=\"auto, (max-width: 458px) 100vw, 458px\" \/><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\">The \u201clogic\u201d, or code of the PLC, can be written in different languages, as defined in the IEC 61131-3 standard:<\/p>\n<ul style=\"text-align: justify;\">\n<li>Ladder diagram (LD)<\/li>\n<li>Function block diagram (FBD)<\/li>\n<li>Structured text (ST)<\/li>\n<li>Instruction list (IL) [now deprecated]<\/li>\n<li>Sequential function chart (SFC)<\/li>\n<\/ul>\n<h1>\u00a0<\/h1>\n<h1 style=\"text-align: justify;\">The TOP20 document<\/h1>\n<p style=\"text-align: justify;\">The TOP20 document is the result of the online discussions to identify the 20 most important coding practices and can be downloaded from the <a href=\"https:\/\/plc-security.com\/\">project website<\/a>.<\/p>\n<p style=\"text-align: justify;\">Like the OWASP TOP10, it doesn\u2019t aim at describing each and every possible secure coding practice, at least for now.<\/p>\n<p style=\"text-align: justify;\">Each of the TOP20 practices
is detailed with the same information:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18962 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image3.png\" alt=\"\" width=\"975\" height=\"498\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image3.png 975w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image3-374x191.png 374w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image3-71x36.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image3-768x392.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\">The 20 practices can be organized in three main categories:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18988 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image1-EN.png\" alt=\"\" width=\"563\" height=\"305\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image1-EN.png 563w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image1-EN-353x191.png 353w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image1-EN-71x39.png 71w\" sizes=\"auto, (max-width: 563px) 100vw, 563px\" \/><\/p>\n<h1>\u00a0<\/h1>\n<h1 style=\"text-align: justify;\">A few examples<\/h1>\n<p style=\"text-align: justify;\">Let\u2019s have a look at one example from each category. 
For this we\u2019ll use an entry-level PLC from our lab, a traffic light and a SCADA supervision system.<\/p>\n<p style=\"text-align: justify;\">Unfortunately, each PLC vendor, and even each PLC family, uses its own specific programming software; the examples showcased here cannot be copy-pasted into another PLC brand\u2019s code and will require a different implementation.<\/p>\n<p style=\"text-align: justify;\">The PLC code as well as the SCADA project used for the demonstration can be downloaded from <a href=\"https:\/\/github.com\/wavestone-cdt\/plc-code-security\">our GitHub page<\/a>.<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h2 style=\"text-align: justify;\">Rule #13: Disable unneeded \/ unused communication ports and protocols<\/h2>\n<p style=\"text-align: justify;\">This practice consists of hardening the PLC. Most PLCs today offer support for several ICS protocols, as well as a variety of additional services like FTP, a web server and many more.<\/p>\n<p style=\"text-align: justify;\">Disabling the services not used and reinforcing the security of the ones enabled (changing default credentials, etc.) is a necessary step to reduce the attack surface, and consequently limit the number of security patches to apply in the future (the fewer features enabled, the fewer vulnerabilities will be applicable and will have to be patched).<\/p>\n<p style=\"text-align: justify;\"><em>Let\u2019s take a look at the video:<\/em><\/p>\n<p style=\"text-align: justify;\"><a href=\"https:\/\/youtu.be\/uFhJaOEXh5w\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18973 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-093944.png\" alt=\"\" width=\"1279\" height=\"724\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-093944.png 1279w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-093944-337x191.png
337w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-093944-69x39.png 69w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-093944-768x435.png 768w\" sizes=\"auto, (max-width: 1279px) 100vw, 1279px\" \/><\/a><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h2 style=\"text-align: justify;\">Rules #6 and #8: Checking inputs at the PLC level<\/h2>\n<p style=\"text-align: justify;\">These two rules can be demonstrated in the same example as they follow the same principle: do not blindly trust external input! As someone who has done his fair share of web application pentesting, I couldn\u2019t agree more!<\/p>\n<p style=\"text-align: justify;\">Valid ranges for input values are oftentimes implemented at the SCADA level, leaving room for an attacker to directly write an out-of-range value to the right PLC register.<\/p>\n<p style=\"text-align: justify;\">This is especially true for counters and timers, which should be checked to ensure they\u2019re greater than or equal to zero, and that the value is lower than a high limit that makes sense for the process.<\/p>\n<p style=\"text-align: justify;\"><em>Let\u2019s take a look at the video:<\/em><\/p>\n<p style=\"text-align: justify;\"><a href=\"https:\/\/youtu.be\/Rut6evMsvXA\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18975 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094045.png\" alt=\"\" width=\"1285\" height=\"715\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094045.png 1285w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094045-343x191.png 343w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094045-71x39.png 71w,
https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094045-768x427.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094045-1170x650.png 1170w\" sizes=\"auto, (max-width: 1285px) 100vw, 1285px\" \/><\/a><\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h2 style=\"text-align: justify;\">Monitoring the PLC: rules #2 and #5<\/h2>\n<p style=\"text-align: justify;\">We can leverage operational data from the PLC to try to detect abnormal situations that could be cybersecurity incidents.<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<h3 style=\"text-align: justify;\">PLC state<\/h3>\n<p style=\"text-align: justify;\">Making sure the PLC is in \u201cRUN\u201d mode is critical for the safety and security of operations. A stopped PLC could prevent the SCADA HMI from displaying the right information to the operator, leading to bad decisions.<\/p>\n<p style=\"text-align: justify;\">Likewise, features like input and output \u201cforcing\u201d could result in the SCADA HMI not displaying the real state of the process, and should be detected and clearly displayed to the operator.<\/p>\n<p style=\"text-align: justify;\"><em>Let\u2019s take a look at the video:<\/em><\/p>\n<p style=\"text-align: justify;\"><a href=\"https:\/\/youtu.be\/_Ta35tFAWyY\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18977 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094122.png\" alt=\"\" width=\"1278\" height=\"721\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094122.png 1278w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094122-339x191.png 339w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094122-69x39.png 69w,
https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094122-768x433.png 768w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094122-800x450.png 800w\" sizes=\"auto, (max-width: 1278px) 100vw, 1278px\" \/><\/a><\/p>\n<p style=\"text-align: justify;\">This technique can also be used to detect PLCs in \u201cPROGRAM\u201d mode, which allows the PLC to be remotely programmed.<\/p>\n<h3>\u00a0<\/h3>\n<h3 style=\"text-align: justify;\">PLC firmware and code version<\/h3>\n<p style=\"text-align: justify;\">Wouldn&#8217;t it be great to be able to query the firmware version of your PLC directly from a Modbus register? Well, you can!<\/p>\n<p style=\"text-align: justify;\">In addition, on our PLC, we can also get a checksum of the PLC code, meaning we can detect if somebody has tampered with the PLC code, raise an alarm, and investigate if we cannot match that to an entry in the change management register.<\/p>\n<p style=\"text-align: justify;\"><em>Let\u2019s take a look at the video:<\/em><\/p>\n<p style=\"text-align: justify;\"><a href=\"https:\/\/youtu.be\/E9Ml2kVWgDM\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18979 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094352.png\" alt=\"\" width=\"663\" height=\"630\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094352.png 663w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094352-201x191.png 201w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-07-094352-41x39.png 41w\" sizes=\"auto, (max-width: 663px) 100vw, 663px\" \/><\/a><\/p>\n<h1 style=\"text-align: justify;\">\u00a0<\/h1>\n<h1 style=\"text-align: justify;\">So what can you do?<\/h1>\n<p style=\"text-align: justify;\">The top 20 document is
readily available, but how can you use it?<\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-18990 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image2-EN.png\" alt=\"\" width=\"624\" height=\"567\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image2-EN.png 624w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image2-EN-210x191.png 210w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Image2-EN-43x39.png 43w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">If you want to learn more about PLC code security, you can also check the content we showcased during our workshops at <a href=\"https:\/\/github.com\/wavestone-cdt\/plc-code-security\/tree\/main\/dc30\">DEFCON<\/a> and <a href=\"https:\/\/github.com\/wavestone-cdt\/plc-code-security\/tree\/main\/brucon0x0E\">BruCON<\/a> on our <a href=\"https:\/\/github.com\/wavestone-cdt\/plc-code-security\">GitHub page<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you work in cybersecurity, you have probably heard of the OWASP TOP 10: a standard awareness document that represents a broad consensus about the most critical security risks to web applications.
However, in Industrial Control Systems, we never talk&#8230;<\/p>\n","protected":false},"author":20,"featured_media":18982,"comment_status":"open","ping_status":"closed","sticky":true,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3977,3274],"tags":[],"coauthors":[780],"class_list":["post-18984","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-focus","category-manufacturing-industry-4-0-en"],"acf":[],"yoast_head_json":{"title":"Top 20 Secure PLC Coding Practices - RiskInsight","description":"If you work in cybersecurity, you have probably heard of the OWASP TOP 10: a standard awareness document that represents a broad consensus about the most critical security risks to web applications.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/","og_locale":"en_US","og_type":"article","og_title":"Top 20 Secure PLC Coding Practices - RiskInsight","og_description":"If you work in cybersecurity, you have probably heard of the OWASP TOP 10: a standard awareness document that represents a broad consensus about the most critical security risks to web applications.","og_url":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/","og_site_name":"RiskInsight","article_published_time":"2022-11-07T16:00:00+00:00","article_modified_time":"2022-11-28T14:48:30+00:00","og_image":[{"width":1024,"height":456,"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screen-Shot-2022-09-12-at-3.45.22-PM-1024x456-1.png","type":"image\/png"}],"author":"Arnaud Soulli\u00e9","twitter_misc":{"Written by":"Arnaud Soulli\u00e9","Est.
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/"},"author":{"name":"Arnaud Soulli\u00e9","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/8ba5826fcf8223b1c6c350c1d1fffc79"},"headline":"Top 20 Secure PLC Coding Practices","datePublished":"2022-11-07T16:00:00+00:00","dateModified":"2022-11-28T14:48:30+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/"},"wordCount":871,"commentCount":0,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screen-Shot-2022-09-12-at-3.45.22-PM-1024x456-1.png","articleSection":["Focus","Manufacturing &amp; Industry 4.0"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/","url":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/","name":"Top 20 Secure PLC Coding Practices - 
RiskInsight","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screen-Shot-2022-09-12-at-3.45.22-PM-1024x456-1.png","datePublished":"2022-11-07T16:00:00+00:00","dateModified":"2022-11-28T14:48:30+00:00","description":"If you work in cybersecurity, you have probably heard of the OWASP TOP 10: a standard awareness document that represents a broad consensus about the most critical security risks to web applications.","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screen-Shot-2022-09-12-at-3.45.22-PM-1024x456-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2022\/11\/Screen-Shot-2022-09-12-at-3.45.22-PM-1024x456-1.png","width":1024,"height":456},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2022\/11\/top-20-secure-plc-coding-practices\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"Top 20 Secure PLC Coding 
Practices"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/8ba5826fcf8223b1c6c350c1d1fffc79","name":"Arnaud 
Soulli\u00e9","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/arnaud-soullie\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/18984","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=18984"}],"version-history":[{"count":4,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/18984\/revisions"}],"predecessor-version":[{"id":19100,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/18984\/revisions\/19100"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/18982"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=18984"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=18984"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=18984"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=18984"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}