CyberDefenseMagazine

OT Security Standards – Final


Welcome to this final entry in the series detailing additional cybersecurity-related standards in the OT environment. This article looks into:

  • IEC 61131 Programmable Logic Controllers (PLCs)

This standard is not directly related to cybersecurity but is a foundation for securing an OT infrastructure. PLCs are by their very nature programmable, and therefore hackable! You can find a link to an article on how to program PLCs in a secure manner, written by me, at the end of this article.

Just like in previous articles in this series, the very nature of this standard dictates that I can only provide an overview, but I hope it is enough of an overview to give you the information you need to aim at the relevant areas for your own needs! Let’s begin with IEC 61131.

IEC 61131 defines how PLCs are built, programmed, and used in industrial automation. It is one of the most influential OT standards in manufacturing, energy, water, and infrastructure.

Like many other OT standards, IEC 61131 is a multi-part standard. Each part covers a different aspect of PLC systems and their use in industrial automation.

  • Part 1 (General information) – Terminology, concepts, and overall model of PLC systems
  • Part 2 (Equipment requirements and tests) – Electrical, mechanical, environmental, and EMC requirements for PLC hardware
  • Part 3 (Programming languages) – The famous PLC languages: LD, FBD, ST, SFC (IL is deprecated), plus program structure and execution model
  • Part 4 (User guidelines) – Practical guidance for selecting, installing, and using PLCs
  • Part 5 (Communications) – Communication functions and messaging concepts for PLC systems
  • Part 6 (Functional safety) – Extension for safety-related PLC applications (aligned with IEC 61508, see the first article in this series)
  • Part 7 (Fuzzy control programming) – Standardized support for fuzzy-logic control (rarely used in practice)
  • Part 8 (Guidelines for the application and implementation of programming languages) – Additional guidance for application design and engineering practices
  • Part 9 (Single-drop digital communication) – Small-device and sensor/actuator communication (IO-level networking)
  • Part 10 (PLC open XML exchange format) – XML representation of IEC 61131-3 projects for tool interchange


In real-world OT environments:

  • -2 matters to hardware vendors and system certifiers
  • -3 is what engineers use every day
  • -6 is relevant for safety PLCs
  • -10 supports tool interoperability

For most practitioners, IEC 61131-3 is “the” standard, while the other parts define the ecosystem around PLCs. The following sections provide a few more details on some of the more ‘famous’ parts of IEC 61131.

The Most Famous Part: IEC 61131-3 (Programming Languages)

IEC 61131-3 defines five PLC programming languages:

  • LD – Ladder Diagram: Electronic logic technicians
  • FBD – Function Block Diagram
  • ST – Structured Text: Complex logic, math, algorithms
  • SFC – Sequential Function Chart: State machines, sequences
  • IL – Instruction List (deprecated)


Most modern PLC environments support LD, FBD, ST, and SFC. Structured Text (ST) has become the dominant language for complex automation. All these languages come with their own unique security challenges, and each PLC vendor has its own approach to solving or mitigating these challenges, so please consult your chosen vendor.

Program Structure Model

IEC 61131 defines a clear software hierarchy:

  • Configuration – Entire PLC system
  • Resource – CPU / execution environment
  • Task – Cyclic or event-driven execution
  • Program – Main control logic
  • Function Block – Reusable logic with memory
  • Function – Stateless logic

This gives PLC software a formal, predictable structure.
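As an added example (not from the article or any vendor library), the hierarchy above expressed in Structured Text: a stateless FUNCTION, a FUNCTION_BLOCK with memory that validates an analog input and latches a fault, a PROGRAM that acts only on a validated value, and the CONFIGURATION/RESOURCE/TASK declarations that schedule it. The I/O addresses, the 0..27648 raw span, the resource type name `PLC`, and all identifiers are assumptions; the range check and fault latch illustrate the kind of defensive input validation that secure PLC programming relies on.

```iecst
FUNCTION ScaleRaw : REAL                 (* stateless FUNCTION: no memory between calls *)
VAR_INPUT
    Raw, RawMin, RawMax : INT;
    EngMin, EngMax : REAL;
END_VAR
    IF RawMax <= RawMin THEN ScaleRaw := EngMin; RETURN; END_IF;  (* refuse a degenerate range, no divide by zero *)
    ScaleRaw := EngMin + INT_TO_REAL(Raw - RawMin) / INT_TO_REAL(RawMax - RawMin) * (EngMax - EngMin);
END_FUNCTION

FUNCTION_BLOCK FB_ValidatedAnalog        (* FUNCTION_BLOCK: keeps state (LastGood, Fault latch) across cycles *)
VAR_INPUT
    Raw : INT;  Reset : BOOL;
    RawMin : INT := 0;  RawMax : INT := 27648;    (* assumed raw span, adjust to the real input card *)
    EngMin : REAL := 0.0;  EngMax : REAL := 100.0;
END_VAR
VAR_OUTPUT
    Value : REAL;  Fault : BOOL;
END_VAR
VAR
    LastGood : REAL;
END_VAR
    IF Raw < RawMin OR Raw > RawMax THEN
        Fault := TRUE;                   (* latch: an implausible sample never reaches the control logic *)
    ELSIF Reset THEN
        Fault := FALSE;                  (* explicit acknowledge once the signal is healthy again *)
    END_IF;
    IF Fault THEN
        Value := LastGood;               (* hold the last validated value while faulted *)
    ELSE
        Value := ScaleRaw(Raw, RawMin, RawMax, EngMin, EngMax);
        LastGood := Value;
    END_IF;
END_FUNCTION_BLOCK

PROGRAM Main                             (* PROGRAM: binds I/O and acts only on a trusted value *)
VAR
    Level : FB_ValidatedAnalog;
    RawLevel AT %IW0 : INT;              (* assumed analog input address *)
    PumpEnable AT %QX0.0 : BOOL;         (* assumed digital output address *)
END_VAR
    Level(Raw := RawLevel);
    PumpEnable := NOT Level.Fault AND Level.Value < 80.0;
END_PROGRAM
CONFIGURATION PlantCfg                   (* CONFIGURATION > RESOURCE > TASK: top of the hierarchy *)
    RESOURCE Cpu1 ON PLC                 (* assumed resource type name *)
        TASK Cyclic100ms(INTERVAL := T#100ms, PRIORITY := 1);
        PROGRAM P1 WITH Cyclic100ms : Main;
    END_RESOURCE
END_CONFIGURATION
```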

Hardware Scope (IEC 61131-2)

IEC 61131 also covers:

  • Electrical characteristics
  • Environmental requirements
  • EMC behaviour
  • Mechanical design

This ensures PLCs are suitable for harsh industrial environments, a reality that exists in many more situations than we realize!

Using IEC 61131 brings both technical and organizational advantages to industrial automation projects. Its value lies in standardization, predictability, and long-term maintainability. Key benefits include:

  • Vendor Independence & Portability
  • Reduced Engineering Risk
  • Faster Development & Commissioning
  • Maintainability Over Decades
  • Skill Availability & Training
  • Safety & Compliance Alignment
  • Long-Term System Viability

IEC 61131 provides a common, deterministic, and future-proof way to build industrial control software that remains understandable, portable, and maintainable over decades. That longevity is why it remains dominant despite newer paradigms.

This concludes the series on OT standards that are directly related to IEC 62443, or adjacent to it. I sincerely hope that the series on IEC 62443, and this one, have provided you with insight into the complexities of OT environments and their associated challenges when integrated into normal IT environments. Having these challenges at the forefront of your mind, when interacting with, or integrating with, IT is of the UTMOST importance.

This importance will only increase as geopolitical complexity increases, and critical infrastructures become geopolitical tools in the toolbox of nation states in conflict with one another.


OT Security series: Part I | Part II | Part III


Check out also IEC 62443: A Cybersecurity Guide for Industrial Systems

Part I | Part II | Part III | Part IV | Part V | Vocabulary
