ControlLogix Change Detection

[Jef Davis 0]

I've been working on strategies to implement recommendations from the Top 20 Secure PLC Coding Practices and I'm hoping to get some ideas on #5 to see what others are doing out in the wild:

This involves using a checksum to detect program changes and I'm currently working with a ControlLogix program. The Logix 5000 Controllers Information and Status Programming Manual covers change detection in chapter 4, which I'd recommend as a starting point; but once I've used the GSV instruction to read AuditValue from Controller, I'm interested in hearing some ideas for more sophisticated ways to monitor the changes that the controller is configured to detect. For instance, making an online edit or enabling/disabling forces increments the AuditValue, but I've yet to find any sort of way to cross-reference that incremented value to which specific change was detected.

That's just one specific objective I'm hoping to implement, but any other ideas or suggestions would be great to hear, as well. Thanks in advance. 

[BobLfoot 301]

@Jef Davis not sure exactly what you're looking for, but I have used MDT Autosave for several years now and it has an automated functionality which checks the PLC program against the library copy and flags deviations.  Having a 7am email report each day let's you know nothing has been changed without an audit entry.

[Jef Davis 0]

Thanks, @BobLfoot. I'm familiar with different tools that can monitor variances in running programs against an archived copy, but what I'm looking at here is the system value stored in the processor that monitors individual changes. The AuditValue sourced from a GSV will provide a hex value (you can view it under Security in Controller Properties). ISA and AB both recommend using this to more tightly monitor any changes that occur, but no one really seems to do anything beyond obtaining the hex value itself. For instance, with the AuditValue, you could log an alarm to the HMI if an online edit is made, forces enabled/disabled, keyswitch position change, and about 30 other conditions. From a security perspective, being able to log an event and possibly even being able to respond to it in real-time is a huge benefit, but I'm not sure if anyone is actually using this feature aside from simply talking about how it *could* be useful...I've yet to see any real-world examples of people using AuditValue in a program to monitor changes.

[pcmccartney1 141]

I would store the last known hex value. Then compare the new value to the previous value and alarm if needed.

[BobLfoot 301]

Would you happen to have the URL of the " The Logix 5000 Controllers Information and Status Programming Manual " you refer to @Jef Davis?

[NetMatt 0]

Hey Bob, here you go, see page 46 or 47 or so for the Audit value.

Logix 5000 Controllers Information and Status Programming Manual (Publication 1756-PM015K-EN-P) (rockwellautomation.com)

[NetMatt 0]

(I work for MDT disclaimer )

Yes, this could be a good way to get notified of some changes in a Rockwell PLC, and if stored in a register, you could possibly use a OPC tag to monitor this for real time changes.  It is a good starting point if you have no change detection or tracking.

The problem we have heard from customers on "it changed" only notification is it becomes noisy to the point of being ignored.  I like the goal/idea of #5 in that list, and support it, but it is only a small part of a larger solution needed.

Software developers store their code in a change repository (i.e. GIT, SVN, etc) for a reason, and PLC developers should do the same.  It allows for traceability, collaboration, communication, context and recovery, which all contribute to a more secure environment.  Without context and additional data (i.e. what changed, why the change was made, who made the change, when was the change made, etc) it is not going to provide the information needed to make a judgement call needed to ignore, accept, approve or cause alarm. In the end, (of course) I recommend a system like MDT or Auvesy provides for a complete automation tracking solution!