Usually, industrial control systems, for example for controlling power plants, power substations, chemical plants, etc., comprise a plurality of programmable logic controllers that are coupled to sensors and actuators of the industrial control system and that, depending on the data generated by the sensors, control the actuators.
In a programmable logic controller, application logic is executed that processes the input data from the respective sensors and that generates output parameters output to one or more actuators that control the behavior of the respective actuator.
For example, for programming a programmable logic controller, IEC 61131-3 currently defines five programming languages: function block diagram (FBD), ladder diagram (LD), structured text (ST; similar to the Pascal programming language), instruction list (IL; similar to assembly language) and sequential function chart (SFC).
The control system and in particular the controllers may be connected by a communication network that may have connections outside of the control systems. These outside connections may be used for configuring the control system, for example by updating the application logic of a programmable logic controller.
Having an authenticated connection to a programmable logic controller, every engineer having access to the control system may be allowed to change the application logic of the programmable logic controller (IEC 61131-3 compliant, e.g., function block diagram, ladder diagram) according to any purpose, including malicious intents.
This may also give viruses and Trojans that have infected an engineering PC full control of a programmable logic controller, allowing them to change the internal application logic of the programmable logic controller to any value including functionality to disguise the modified code, and thus may take control of the underlying process.
For example, an analysis of Stuxnet had shown that the malicious Stuxnet code injected into the programmable logic controllers was not directly executed, but contained a timer that unnoticeably changed the output (and thus a centrifuge's speed) to extremely low levels for a fraction of time. The code also contains a recording function of the input process image to later fake the input process image for the legitimate control.
The patent application EP 1772787 discloses a programmable logic controller connected to a plurality of input devices such as switches or sensors. According to their input device kind, the input devices are classified as safe or unsafe, for instance, an emergency stop button having a contact composed of double systems is considered safe, whereas ordinary switches with singe contact are considered unsafe. An sequence program configured by combining signals from the input devices in serial or parallel is determined to be safe or unsafe based on the combination logic and the input device classification. The determination is repeated for any change in combination logic, and results in a binary safety attribute to the output of the sequence program.