From 2001, the advent of ICS security, until 2019, PLC security was a “bump-in-the-line”: place a Tofino or other industrial security solution in the network path to secure network communication to and from the PLC.
This was widely understood to be a sub-optimal and temporary solution that would only be deployed in the most critical systems run by highly security conscious asset owners. It is much better to have authentication, other protection controls, and detection integrated in the PLC. Better in terms of upfront and lifecycle costs, ease of deployment, and the potential security controls.
Did I say temporary? Maybe semi-permanent?
We are finally seeing security controls integrated into PLCs.
It began with offerings that wrap ICS protocols in TLS. Rockwell Automation released CIP Security and Schneider Electric released Modbus/TCP Security in their PLCs. More ICS protocols and vendors are taking this approach. It finally addresses the lack of authentication / insecure by design / access = compromise problem in PLCs and other Level 1 devices. Now we need to see asset owners use this feature.
Earlier this month Mitsubishi Electric and Nozomi Networks took embedded PLC Security to the next level by integrating a module that has access to the backplane data in the PLC in an offering called Arc Embedded. It extends Nozomi’s sensor down to the PLC level.
The current features of Arc Embedded are only slightly better than what is available by monitoring network traffic and querying the PLC in the same manner as an engineering workstation or HMI would. In the briefing I thought claims of Level 0 – 1 east/west visibility and a couple of other areas were overstated.
Perhaps the biggest benefit of the current offering is the unsolicited response / report by exception approach when a potential security issue arises rather than waiting for periodic polling. This approach provides more timely security events and alerts with less network traffic.
The most exciting part of Arc Embedded is that you have security code with access to the PLC backplane. It’s the beginning of PLC Endpoint Detection and Response (EDR). We’ve had bleeding-edge research sessions at S4 on evaluating PLC logic and program changes for attack code and preventing it from loading. Let your imagination run wild with what security controls you could implement with this backplane access.
Sure, there will be challenges with false positives, processing power, and latency. The Arc Embedded architecture is finally at a place where a PLC vendor (Mitsubishi) could begin to tackle these challenges.
Arc Embedded is available in Mitsubishi Electric’s MELSEC iQ-R family of PLCs. The C intelligent function module is required, as Arc Embedded is a software solution running on that module. It can be purchased directly from Mitsubishi Electric, which is another type of integration.
I’ll be watching for similar offerings from PLC competitors. This could be additional Arc Embedded integrations, other OT detection vendor solutions, or possibly a Rockwell Automation, Siemens, or ICS vendor doing it themselves.