
"Yeah, it does have a... Windows '98 Vibe": Usability Study of Security Features in Programmable Logic Controllers

Karen Li, Kopo M. Ramokapane, Awais Rashid

TL;DR

This study addresses the usability of security configuration in programmable logic controllers (PLCs), a critical gap given PLCs' Internet exposure. Using a task-based design with a Siemens S7-1200 in the TIA Portal and think-aloud protocols across 19 participants, the authors reveal that unfamiliar terminology, dated interfaces, and complex navigation impede secure configuration. The work identifies four core usability themes—communications, navigation, visuals, and features—and offers concrete design recommendations to bring usable security to ICS settings. Overall, the paper highlights that securing industrial environments requires tailoring HCI practices to PLC/ICS constraints and operator workflows. The findings provide a foundation for improving PLC security usability in critical infrastructure contexts.

Abstract

Programmable Logic Controllers (PLCs) drive industrial processes critical to society, e.g., water treatment and distribution, electricity and fuel networks. Search engines (e.g., Shodan) have highlighted that Programmable Logic Controllers (PLCs) are often left exposed to the Internet, one of the main reasons being the misconfigurations of security settings. This leads to the question -- why do these misconfigurations occur and, specifically, whether usability of security controls plays a part? To date, the usability of configuring PLC security mechanisms has not been studied. We present the first investigation through a task-based study and subsequent semi-structured interviews (N=19). We explore the usability of PLC connection configurations and two key security mechanisms (i.e., access levels and user administration). We find that the use of unfamiliar labels, layouts and misleading terminology exacerbates an already complex process of configuring security mechanisms. Our results uncover various (mis-) perceptions about the security controls and how design constraints, e.g., safety and lack of regular updates (due to long term nature of such systems), provide significant challenges to realization of modern HCI and usability principles. Based on these findings, we provide design recommendations to bring usable security in industrial settings at par with its IT counterpart.


Paper Structure

This paper contains 22 sections, 6 figures, 3 tables.

Figures (6)

  • Figure 1: Tasks used in our study
  • Figure 2: The key findings from our study can be summarized into four high-level concepts, Communications, Navigation, Visuals, and Features.
  • Figure 3: Mapping between the steps and the complexities that pose various challenges to users while configuring security mechanisms in Siemens PLC.
  • Figure 4: Task 1: Connecting PLC to PC steps comparison
  • Figure 5: Task 2: Access Levels steps comparison