plc-code-analysis
Goal
Perform structured, multi-perspective security and quality analysis of PLC code, producing a severity-ranked findings report. Acts as an automated "second pair of eyes" for automation engineers.
Independence from tia-openness-roadmap
This skill is NOT routed by tia-openness-roadmap. It has its own trigger patterns and
operates independently. The Openness roadmap handles engineering automation (create, modify,
import/export via API). This skill handles analysis and review of existing code.
The skill CAN consume code retrieved via MCP tools or Python/C# Openness exports, but it does not depend on them.
Input recognition
Claude receives PLC code in one of three ways. Identify which applies before starting analysis.
Format 1 — Raw SCL / Structured Text
The user pastes or uploads .scl, .st, or plain-text PLC code. This is the simplest case.
Parse directly as text. Look for FUNCTION_BLOCK, FUNCTION, ORGANIZATION_BLOCK, DATA_BLOCK
headers to identify block boundaries.
Format 2 — SimaticML XML (exported LAD/FBD/SCL)
The user provides .xml files exported from TIA Portal. These follow the SimaticML schema.
Key navigation points:
<SW.Blocks.FB>,<SW.Blocks.FC>,<SW.Blocks.OB>,<SW.Blocks.DB>— block type<Interface>→<Section Name="Input|Output|InOut|Static|Temp|Constant">— variable declarations<ObjectList>→<CompileUnit>— individual networks<FlgNet>inside CompileUnit — LAD/FBD network logic as a directed graph<Access>elements — variable references with scope and UID<Part>elements — instructions (contacts, coils, function calls)<Wire>elements — connections between parts (data/signal flow)<StructuredText>— inline SCL within LAD/FBD networks<Comment>— block and network comments (valuable for process context)- Block attributes in root element:
BlockType,Number,Programming language,MemoryLayout(Optimized/Standard),HeaderAuthor,HeaderVersion
For LAD/FBD analysis, reconstruct the logic flow from the <FlgNet> graph:
Parts are nodes, Wires are edges. Follow Powerrail → Contact chain → Coil/Function to
understand each network's behavior.
Format 3 — MCP-assisted retrieval
If the TIA Portal MCP server is available, context retrieval is required before issuing security findings. Use the current Totally Integrated Claude MCP tools:
browse_project_tree— map PLCs, block folders, block names, and execution entry pointsget_block_content— retrieve SIMATIC SD YAML for each block under reviewlist_tag_tables— retrieve PLC tags, user constants, and externally writable namesread_cross_references— inspect call paths, unused blocks, and variable referencesread_hardware_config— retrieve CPU, network, IP, subnet, and interface settingscompile_check— record compile errors/warnings when the user asks for remediation
Legacy source documents may name equivalent operations as GetBlocksWithHierarchy,
ExportBlock, GetBlockInfo, GetTypes / GetTypeInfo, or GetHardwareConfig.
Treat those as conceptual aliases, not callable tool names.
If MCP is unavailable or a required context item cannot be retrieved, continue only as a limited review. The final report must include a context manifest and mark affected findings as inference-based where missing declarations, UDTs, call paths, tag tables, or hardware mapping prevent confirmation.
Analysis workflow
The analysis is performed in sequential passes. Each pass loads one reference file, analyzes the code through that specific lens, and produces findings.
Critical instruction: After each pass, Claude summarizes the findings from that pass in a compact internal list before loading the next reference. This prevents token pressure from accumulating raw analysis across all passes.
Pass order
| Pass | Reference file | Focus |
|---|---|---|
| 1 | references/process-architect.md | Physical plausibility and process context |
| 2 | references/security-practices.md | Top 20 Secure PLC Coding Practices + communication hardening |
| 3 | references/threat-mapping.md | MITRE ATT&CK for ICS technique identification |
| 4 | references/compiler-critic.md | Siemens platform bugs, CWE memory safety, safety boundary |
| 5 | references/hardware-reviewer.md | Hardware config, access settings, network security |
Pass order rationale: Process context comes first because understanding what the code physically controls determines the severity of all subsequent findings. A missing range check on a status indicator is Low; the same flaw on a chemical dosing pump is Critical.
Per-pass procedure
Before starting the passes, build a compact context manifest:
- Code: pasted/exported blocks, block names, language, line/network references
- Declarations: VAR_INPUT, VAR_OUTPUT, VAR_IN_OUT, VAR_STATIC, VAR_TEMP, constants
- Types: UDTs, arrays, structures, optimized vs standard access metadata when known
- Flows: call tree, cross references, external write sources, HMI/SCADA inputs
- Hardware: CPU, communication settings, network interfaces, safety-related mapping
- Verification: baseline compile status if available, and whether simulation was run
For each pass:
- Load the reference file
- Work through every checklist item against the provided code
- Record each finding with: severity, category tag, location, evidence, inference level, description, impact, remediation, and verification requirement
- Produce a compact summary of findings from this pass
- Proceed to next pass
After all passes, run a final verification synthesis:
- Challenge high/critical findings against the context manifest
- Downgrade or label findings that depend on missing UDTs, call paths, or hardware mapping
- Flag any proposed remediation that requires
compile_check, simulation, or safety review - Do not present generated PLC code as deployable without compile and engineering validation
Hardware reviewer conditionality
If no hardware configuration data is available (user only provided code, no HW config, no MCP access), the Hardware Reviewer pass still runs but produces a single finding:
#### [INFO] Hardware configuration not available
- **Category:** HW-REVIEW
- **Description:** No hardware configuration data was provided or retrievable.
The following checks could not be performed: PUT/GET access status, web server
settings, communication protocol security, access level configuration,
protection level status.
- **Evidence:** No `read_hardware_config` result or hardware export was available.
- **Inference level:** Confirmed limitation
- **Verification required:** Provide hardware export or enable MCP hardware retrieval.
- **Remediation:** Provide hardware configuration export or enable MCP server
access for a complete security assessment.
Output format
After all passes complete, merge findings, deduplicate (same issue found by multiple passes gets the highest severity assigned and cross-references both categories), and sort by severity.
## PLC Code Analysis Report
**Analyzed:** [block names / file names]
**Input format:** SCL / SimaticML XML (LAD) / SimaticML XML (FBD)
**Analysis date:** [date]
**Passes completed:** Process Architect, Security Practices, Threat Mapping,
Compiler Critic, Hardware Reviewer, Verification Synthesis
### Context Manifest
| Context item | Status | Source |
|--------------|--------|--------|
| Block logic | Provided / Retrieved / Missing | Paste / file / `get_block_content` |
| Variable declarations | Complete / Partial / Missing | block interface / XML / YAML |
| UDT and array definitions | Complete / Partial / Missing | source / `get_block_content` |
| Call tree and cross references | Complete / Partial / Missing | `browse_project_tree` / `read_cross_references` |
| Tag tables and external inputs | Complete / Partial / Missing