As CODESYS is in widespread use throughout the automation industry, these scenarios become increasingly relevant to CODESYS users as well. Cyberattacks can lead to the unauthorized use or circulation of sensitive expertise, whether deliberate or unintentional. Existing production machinery or plants also run the risk of being compromised and even corrupted. In any case, the consequences can threaten the economic welfare of a company.
Single measures cannot eliminate these threats completely. However, numerous product features in CODESYS help reduce the dangers of typical attack scenarios or even prevent them altogether. In combination with Security procedures defined by the international standard IEC 62443, the Security features included in CODESYS provide maximum Security for your machinery, plants, and production processes.
This website provides information on the following topics:
- Technical Security functions in CODESYS
- General, system-independent recommendations
- Established Security procedures
- Download: CODESYS Security Whitepaper, Coordinated Disclosure Policy
- Encryption of the application source code:
Protect your application know-how with a password, dongle, or X.509 certificates.
- User management on the project level:
Define in detail the users authorized to read or write specific objects of your source code.
- Encrypted communication between the CODESYS Development System and the PLC:
Use your automation device to protect data exchange against unauthorized access.
- User management for controller access:
Avoid risk of failure by clearly defining which user of the PLC is authorized to start and stop the application or execute additional online functions.
- Encryption and signing of the executable application code:
Protect your application against unauthorized reproduction or modification by means of a dongle or X.590 certificates.
- Operation modes for the executable application code:
Protect yourself against unintentional operations on the running machine.
- Interactive login on the target device:
Avoid unintentional access to controllers in the network.
- Easy exchange or recovery of controllers:
Exchange failed systems and easily install a previously performed data backup.
- Encrypted OPC UA communication:
Avoid unauthorized access to data provided by the CODESYS OPC UA Server (under development, release pending).
- Access restrictions via application:
Use a library to define at runtime when specific critical operations must not be performed.
- Enable additional functions:
Define in detail the users authorized to execute or operate specific functions of the application.
In addition to using the special Security features included in CODESYS, automation systems should be protected by methods and procedures like the ones used in other interconnected systems:
- Antivirus protection
- Secure passwords that are changed on a regular basis
- Firewall protection at network interface
- VPN tunnel for the connection of networks
- Careful use of mobile storage media such as USB sticks
Manufacturers and operators should protect their automation systems by using comparable standards to those deployed to protect strictly mechanical or electric systems:
- Not everybody is allowed to access a factory site.
- Not every employee of a factory is allowed to access every area.
- Not every employee in a production area is allowed to access the control cabinet.
In order to avoid errors and problems caused by unauthorized or unintentional access, data access should be divided into manageable and controllable units.
Negligence and a lack of awareness are the most frequent reasons for Security problems. Therefore we recommend that manufacturers and operators of automation systems explain the existing dangers to their employees, familiarize them with appropriate security measures, and urge them to apply these measures.
Users should be familiar with the Security functions in CODESYS and they should know how to deploy these functions effectively.
The CODESYS product development and all security procedures are based on the specifications of the Security standard IEC 62443. Procedures defining how to handle vulnerabilities are established and are being put into practice.
The Security functions integrated in the CODESYS products are permanently updated and extended. All CODESYS software components are regularly checked to detect potential vulnerabilities. Moreover, 3S-Smart Software Solutions commits to resolve verified vulnerabilities within a reasonable period of time. Our Security Whitepaper (PDF) will provide you with important information on the topic of CODESYS Security.