Welcome to this final entry in the series detailing additional cybersecurity-related standards in the OT environment. This article will be looking into the:
- IEC 61131 Programmable Logic Controllers (PLCs)
This standard is not directly related to cybersecurity but is a foundation for securing an OT infrastructure. PLCs are by their very nature programmable, and therefore hackable! You can find a link to an article on how to program PLCs in a secure manner, written by me, at the end of this article.
Just like in previous articles in this series, the very nature of this standard dictates that I can only provide an overview, but I hope it gives you enough information to aim at the relevant areas for your own needs! Let’s begin with IEC 61131.
IEC 61131
IEC 61131 defines how PLCs are built, programmed, and used in industrial automation. It is one of the most influential OT standards in manufacturing, energy, water, and infrastructure.
Like many other OT standards, IEC 61131 is a multi-part standard. Each part covers a different aspect of PLC systems and their use in industrial automation.

| Part | Title | What it Covers |
|---|---|---|
| IEC 61131-1 | General Information | |
| IEC 61131-2 | Equipment Requirements and Tests | Electrical, mechanical, environmental, and EMC requirements for PLC hardware |
| IEC 61131-3 | Programming Languages | The famous PLC languages: LD, FBD, ST, SFC (IL is deprecated), plus program structure and execution model |
| IEC 61131-4 | User Guidelines | Practical guidance for selecting, installing, and using PLCs |
| IEC 61131-5 | Communications | Communication functions and messaging concepts for PLC systems |
| IEC 61131-6 | Functional Safety | Extension for safety-related PLC applications (aligned with IEC 61508, see first article in this series) |
| IEC 61131-7 | Fuzzy Control Programming | Standardized support for fuzzy-logic control (rarely used in practice) |
| IEC 61131-8 | Application Guidelines | Additional guidance for application design and engineering practices |
| IEC 61131-9 | Single-drop digital communication | Small-device and sensor/actuator communication (IO-level networking) |
| IEC 61131-10 | XML Schemas | XML representation of IEC 61131-3 projects for tool interchange |

In real-world OT environments:
- -2 matters to hardware vendors and system certifiers
- -3 is what engineers use every day
- -6 is relevant for safety PLCs
- -10 supports tool interoperability
For most practitioners, IEC 61131-3 is “the” standard, while the other parts define the ecosystem around PLCs. The following sections provide a few more details on some of the more ‘famous’ parts of IEC 61131.
The Most Famous Part: IEC 61131-3 (Programming Languages)
IEC 61131-3 defines five PLC programming languages:

| Type | Language | Typical Use |
|---|---|---|
| Graphical | LD - Ladder Diagram | Electronic logic technicians |
| Graphical | FBD - Function Block Diagram | Process Control |
| Textual | ST - Structured Text | Complex Logic, Math, Algorithms |
| Graphical | SFC - Sequential Function Chart | State Machines, Sequences |
| Textual | IL - Instruction List | Low level Logic |

Most modern PLC environments support LD, FBD, ST, and SFC. Structured Text (ST) has become the dominant language for complex automation. All these languages come with their own unique security challenges, and each PLC vendor has its own approach to solving or mitigating these challenges, so please consult with your chosen vendor.
Program Structure Model
IEC 61131 defines a clear software hierarchy:
- Configuration – Entire PLC system
- Resource – CPU / execution environment
- Task – Cyclic or event-driven execution
- Program – Main control logic
- Function Block – Reusable logic with memory
- Function – Stateless logic
This gives PLC software a formal, predictable structure.
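The hierarchy above, written out as a small IEC 61131-3 Structured Text sketch. This is an added example, not code from the article or from any vendor; all names (Plant, Cpu1, PLC_CPU, PumpControl, ClampReal, RejectCounter, SpeedRequest) and the 0 to 100 range are hypothetical, and the range check on the incoming setpoint is only illustrative logic.

```iecst
(* Function: stateless, the same inputs always give the same result *)
FUNCTION ClampReal : REAL
  VAR_INPUT
    Value, Lo, Hi : REAL;
  END_VAR
  ClampReal := LIMIT(Lo, Value, Hi);   (* standard LIMIT(MN, IN, MX) *)
END_FUNCTION

(* Function block: instance memory survives between scan cycles *)
FUNCTION_BLOCK RejectCounter
  VAR_INPUT
    Requested, Accepted : REAL;
  END_VAR
  VAR_OUTPUT
    Count : UDINT;                     (* retained from call to call *)
  END_VAR
  IF Requested <> Accepted THEN
    Count := Count + 1;                (* request was out of range *)
  END_IF;
END_FUNCTION_BLOCK

(* Program: main control logic, built from functions and FB instances *)
PROGRAM PumpControl
  VAR_EXTERNAL
    SpeedRequest : REAL;               (* written from outside, e.g. HMI *)
  END_VAR
  VAR
    SpeedCmd : REAL;
    Rejects  : RejectCounter;          (* one FB instance, own state *)
  END_VAR
  SpeedCmd := ClampReal(Value := SpeedRequest, Lo := 0.0, Hi := 100.0);
  Rejects(Requested := SpeedRequest, Accepted := SpeedCmd);
END_PROGRAM

(* Configuration > Resource > Task > Program instance *)
CONFIGURATION Plant
  VAR_GLOBAL
    SpeedRequest : REAL;
  END_VAR
  RESOURCE Cpu1 ON PLC_CPU             (* hypothetical resource type *)
    TASK Fast(INTERVAL := T#10ms, PRIORITY := 1);   (* cyclic task *)
    PROGRAM Pump1 WITH Fast : PumpControl;
  END_RESOURCE
END_CONFIGURATION
```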
Hardware Scope (IEC 61131-2)
IEC 61131 also covers:
- Electrical characteristics
- Environmental requirements
- EMC behaviour
- Mechanical design
This ensures PLCs are suitable for harsh industrial environments, a reality that exists in many more situations than we realize!
Benefits
Using IEC 61131 brings both technical and organizational advantages to industrial automation projects. Its value lies in standardization, predictability, and long-term maintainability. Key benefits include:
- Vendor Independence & Portability
- Reduced Engineering Risk
- Faster Development & Commissioning
- Maintainability Over Decades
- Skill Availability & Training
- Safety & Compliance Alignment
- Long-Term System Viability
IEC 61131 provides a common, deterministic, and future-proof way to build industrial control software that remains understandable, portable, and maintainable over decades. That longevity is why it remains dominant despite newer paradigms.
Outro
This concludes the series on OT standards that are directly related to IEC 62443, or adjacent to it. I sincerely hope that the series on IEC 62443, and this one, have provided you with insight into the complexities of OT environments and their associated challenges when integrated into normal IT environments. Having these challenges at the forefront of your mind when interacting or integrating with IT is of the UTMOST importance.
This importance will only increase as the geopolitical complexity increases, and critical infrastructures become geopolitical tools in the toolbox of nation states in conflicts with one another.
OT Security series: Part I | Part II | Part III
Also check out IEC 62443: A Cybersecurity Guide for Industrial Systems
Tom Madsen
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISK, CCSP, CDSPE and CSSLP, and has published the book “The Art of War for Cybersecurity”. He is currently writing a book ‘Security Architecture – How & Why’.