One Year of Top 20 Secure PLC Coding Practices

Top 20 scope and project setup

Why is everyone so excited about the Top 20 Secure PLC Coding Practices?

Top 20 facts and stats

  • Translation of the Top 20 into 15 languages are being created (5 are finished already).
  • There have been more than 20 presentations, and Top 20 trainings have been set up too, including virtual machines for hands-on training.
  • We have been approached by asset owners, vendors and integrators who are looking into implementing the Top 20 — we‘ll get to that later.
  • MITRE CWE wants to integrate the Top 20 into their CWE database.
  • The Top 20 were included in the NATO’s guide for protecting industrial automation and control systems agains cyber incidents security.
  • ISA has created a video in their new Micro Learning Modules explaining the Top 20.
  • The Singapore Cybersecurity Agency (CSA) is including parts of the Top 20 into their cybersecurity code of practice for OT.
  • The Top 20 have a limited scope, they’re restricted to what can be changed directly in PLCs.
  • The Top 20 are not the result of scientific work. They are neither complete nor validated.
  • Also, they are not a standard, they are not consensus-based. They are a community project “written by engineers for engineers” and a first draft. There is ample room for improvement.

Top 20 Secure PLC Coding Practices from a security capabilities perspective

Integrity of PLC logic

Integrity of PLC variables

Integrity of I/O values


Hardening and Resilience

Secure Coding vs Secure PLC Coding

Lesson learned from the security capabilities perspective

  • The Top 20 mostly improve integrity.
  • They make use of PLC specific architecture and characteristics like real time capabilities and process knowledge.
  • And they are written for the imperfect PLC’s (from a security perspective) that are on the market today.

Top 20 Secure Coding Practices from a threats perspective

Lesson learned from the threat perspective

Top 20 Secure PLC Coding Practices from an implementation perspective

Timeline of PLC security

PLC Security for asset owners

PLC Security for integrators

PLC Security for vendors

Lesson learned from the implementation perspective

Top 20 Secure PLC Coding Practices Project Website:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store