Usability Study of Security Features in Programmable Logic Controllers
Karen Li, Kopo M. Ramokapane, Awais Rashid

TL;DR
This study investigates the usability challenges in configuring security features of Programmable Logic Controllers (PLCs), revealing that complex interfaces and misconceptions hinder effective security management in industrial environments.
Contribution
First empirical usability study on PLC security configuration highlighting design issues and providing recommendations for improved security usability in industrial control systems.
Findings
Unfamiliar labels and misleading terminology complicate security setup.
Misperceptions about security controls are common among users.
Design constraints like safety and infrequent updates pose usability challenges.
Abstract
Programmable Logic Controllers (PLCs) drive industrial processes critical to society, for example, water treatment and distribution, electricity and fuel networks. Search engines, e.g., Shodan, have highlighted that PLCs are often left exposed to the Internet, one of the main reasons being the misconfigurations of security settings. This leads to the question - why do these misconfigurations occur and, specifically, whether usability of security controls plays a part. To date, the usability of configuring PLC security mechanisms has not been studied. We present the first investigation through a task based study and subsequent semi-structured interviews (N=19). We explore the usability of PLC connection configurations and two key security mechanisms (i.e., access levels and user administration). We find that the use of unfamiliar labels, layouts and misleading terminology exacerbates an…
Taxonomy
Topics: Privacy, Security, and Data Protection · Information and Cyber Security · Advanced Malware Detection Techniques
