Kaspersky Industrial CyberSecurity for Networks

Monitoring read and write of PLC projects

March 22, 2024

ID 182738

Kaspersky Industrial CyberSecurity for Networks can monitor industrial network traffic for information about PLC projects and compare this information with previously received information about PLC projects.

A PLC project is a microprogram written for a PLC. A PLC project is stored in PLC memory and is run as part of the industrial process that uses the PLC. A PLC project may consist of blocks that are individually transmitted and received over the network when the project is read or written.

Information about a PLC project/block may be received by the application when it detects operations for reading a project/block from a PLC or writing a project/block to a PLC. The obtained information is saved in Kaspersky Industrial CyberSecurity for Networks. The next time it detects a project/block write or read operation, the application compares the received information about the project/block with the saved information. If the received information about a project/block does not match the latest saved information about that project/block (including when there is no saved information), the application registers the corresponding event.

Receiving information about PLC projects is supported for the following types of devices:

  • Emerson DeltaV
  • Schneider Electric Modicon: M580, M340
  • Siemens SIPROTEC 4 and SIMATIC S7-300, S7-400, S7-1200, S7-1500

You do not need to add Process Control settings for devices to monitor read/write of PLC projects. Read/write of PLC projects is monitored for all detected devices of the listed types.

For each device, the application saves no more than 100 different variants of PLC projects. If a PLC project is transmitted or received by individual blocks, up to 100 different variants of each block are saved.

If the maximum number of saved PLC projects (or PLC project blocks with the same name) has been reached for a device, the application saves a newly detected project/block in place of the oldest project/block.

When monitoring read/write of PLC projects, the application registers events based on Asset Management technology. Events are registered with system event types that are assigned the following codes:

  • Codes of event types when a PLC project/block is read:
    • 4000005200 – for a detected read of an unknown block of a project from a PLC (if there is no saved information about this block).
    • 4000005201 – for a detected read of a known block of a project from a PLC (if there is saved information about this block but the obtained information does not match the latest saved information about this block).
    • 4000005204 – for a detected read of an unknown project from a PLC (if there is no saved information about this project).
    • 4000005205 – for a detected read of a known project from a PLC (if there is saved information about this project but the obtained information does not match the latest saved information about this project).
  • Codes of event types when a project/block is written to a PLC:
    • 4000005202 – for a detected write of a new block of a project to a PLC (if there is no saved information about this block).
    • 4000005203 – for a detected write of a known block of a project to a PLC (if there is saved information about this block but the obtained information does not match the latest saved information about this block).
    • 4000005206 – for a detected write of a new project to a PLC (if there is no saved information about this project).
    • 4000005207 – for a detected write of a known project to a PLC (if there is saved information about this project but the obtained information does not match the latest saved information about this project).

You can configure the available parameters for event types under Settings → Event types.

You can view information about registered events when connected to the Server through the web interface.
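The comparison and event-type rules described above can be modelled in a few lines. This is an added illustration, not Kaspersky's code. The event codes and the limit of 100 variants come from this page; the `ProjectMonitor` class, the SHA-256 fingerprint standing in for "information about a project/block", and the re-saving of a previously seen variant as the latest one are assumptions.

```python
import hashlib
from collections import defaultdict

MAX_VARIANTS = 100  # cap per device (per block name for blocks), as stated on the page

# (operation, object kind, saved information exists) -> event type code from the page
EVENT_CODES = {
    ("read", "block", False): 4000005200,
    ("read", "block", True): 4000005201,
    ("write", "block", False): 4000005202,
    ("write", "block", True): 4000005203,
    ("read", "project", False): 4000005204,
    ("read", "project", True): 4000005205,
    ("write", "project", False): 4000005206,
    ("write", "project", True): 4000005207,
}


class ProjectMonitor:
    """Hypothetical model of the documented behaviour, not the product's implementation."""

    def __init__(self):
        # (device, kind, block name or None) -> saved fingerprints, oldest first
        self.saved = defaultdict(list)

    def observe(self, device, operation, kind, payload, block_name=None):
        """Return the event code to register, or None when nothing changed."""
        variants = self.saved[(device, kind, block_name)]
        # Assumption: the saved "information" is modelled as a SHA-256 of the payload.
        fingerprint = hashlib.sha256(payload).hexdigest()
        if variants and variants[-1] == fingerprint:
            return None  # matches the latest saved information: no event
        code = EVENT_CODES[(operation, kind, bool(variants))]
        # Assumption: a variant seen earlier is re-saved as the latest one.
        if fingerprint in variants:
            variants.remove(fingerprint)
        variants.append(fingerprint)
        if len(variants) > MAX_VARIANTS:
            variants.pop(0)  # the new variant takes the place of the oldest one
        return code


if __name__ == "__main__":
    m = ProjectMonitor()
    # Constructed sample payloads, not real PLC project data
    print(m.observe("plc-1", "read", "project", b"logic v1"))
    print(m.observe("plc-1", "write", "project", b"logic v2"))
```

In this model, the first observation of any project or block always produces an "unknown"/"new" event, so a burst of such events is expected right after monitoring starts on a network.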
