Step-by-Step Security with CODESYS
An installed CODESYS Development System is at risk from hackers because additional installations and the libraries it uses could be manipulated or replaced. Signing add-on packages (in CODESYS Package Designer), libraries (when saving in CODESYS), and HTML5 controls (in the visualization element repository) helps to protect against this.
Create a project for programming your application(s) in CODESYS.
Set up user management for the project. Configure credentials for users and their permissions. You can individually configure the Access Control in the Properties of each object.
Encrypt the project in the Security category of the Project Settings with at least a password – or even better with a certificate.
For more information, see: Secure Development / Protecting the Source Code
If you create a library which should be installed for use in other projects, then protect it with a signature. Every component which can be additionally installed offers hackers the opportunity to attack the programming system.
For more information, see: Protecting and Signing Compiled Libraries
As a library developer, you can use the CmpX509Cert.library library to create certificates for specific function blocks on the PLC.
For more information, see: library CmpX509Cert.library for certificate generation
Manage the project in a version control system such as CODESYS Git, for the purpose of data security and secure exchange with others.
For more information, see: Managing a project in CODESYS Git or CODESYS SVN
Before downloading the created application:
Encrypt and/or sign the application with a certificate. The necessary actions are best started in the Properties dialog of the application on the Security tab.
For more information, see: Encrypting and/or Signing the Boot Application
You can use the CmpX509Cert.library library to create certificates specifically for a certain IEC application or a unit from it.
For more information, see: library CmpX509Cert.library for certificate generation
Configure the connection to the PLC and protect it:
Make sure that the Encrypted Communication security setting is enabled in the device editor. Scan the network for the PLC.
After selecting the PLC, you will be prompted to create and install a certificate for encrypted communication which is valid for at least a limited period of time.
When prompted, enable the device user management. At the next prompt, configure a device user. Log in to the PLC with the credentials assigned for this purpose.
For more information, see: Encrypting Communication with a Certificate and Changing the Security Policy
You can now run the application on the PLC.
Consider whether you want to install a long-term certificate for encrypted communication at this time. Check the runtime system security policy and adjust it if necessary.
For more information, see: Encrypting Communication with a Certificate and Changing the Security Policy
The application is running on the controller. For improved security, you can now do the following: use the audit log, exclude specific critical user actions via the application, use PLC operating modes, and configure interactive login.
Do you use an OPC UA Server and symbol sets for the exchange with the PLC?
Encrypt the communication between the OPC UA Server and Client with a certificate which can be set up using the security screen when the connection is first established. Configure the CODESYS user and rights management also for actions on the OPC UA Server. Restrict access to symbols for specific device user groups.
For more information, see: Using a Secure OPC UA Server, Configuring Symbol Sets
Do you use a WebVisu or TargetVisu?
For visualizations, you should use the "runtime-based user management", which is linked to the user management on the controller. For a WebVisu, communication with the web server must be certificate-encrypted. You should also always sign the HTML5 controls you use, because they can also be installed and therefore offer a target for hackers.
You should also encrypt communication with the relevant PLC for a remote TargetVisu.
For more information, see: Signing an HTML5 Control, Protecting the Communication between the WebVisu and the Browser, and Encrypting Communication with a Remote TargetVisu
Do you use the Automation Server (CAS)?
You have already assigned a server password at the time of purchase. Use multifactor authentication (MFA) when logging in. Configure user management on the CAS and assign specific access permissions for actions on the server and on server objects. Configure the certificate-encrypted connection between the Automation Server and the Edge Gateway. A "Quick Setup" makes this easier. Use the "Audit Trail" function to make actions and access traceable.
For more information, see: Security for the CODESYS Automation Server
Use CODESYS Git
If possible, use SecureString passwords when using the scripting interface.
For more information, see: Managing a project in CODESYS Git or CODESYS SVN
Plan your backup measures in good time. Being able to recover lost data is also part of the security measures.
For more information, see: Backup/Restore