What does "security" mean?

Security in a typical automation environment

. What should be protected against?

Data theft
Unauthorized access to data
Data modification (hacker)
System failure
Unclear identity during access

. Vulnerable points

Programming interface (CDS) including remote maintenance
PLC, operation + monitoring
Real-time communication between controllers
Fieldbus interfaces

General requirements for a "protected environment"

This ensures a protected environment in addition to the resources available in CODESYS:

Use of virus protection; strict password rules; firewall; separation of office, production and fieldbus networks; use of encrypted and authenticated protocols (VPN) for communication between networks; strict control when using data storage devices; mechanical access protection for controllers

Security in CODESYS

For an overview, also see the following section on our website: CODESYS SECURITY

For general information about the topic of security, see the help: Basic information

The security functions which are integrated into the CODESYS products are constantly updated and expanded. All CODESYS software components are regularly checked for potential security vulnerabilities. In addition, the CODESYS Group is committed to resolve verified security vulnerabilities within a reasonable period of time. In our Security Whitepaper (PDF), you will find all important information about CODESYS Security.

An important part of the security measures is the use of certificates for the encryption of source code, boot application, packages, and above all communication between CODESYS Development System and the PLC. The use of X.509 certificates is supported for this.

What is protected and where?	What is protected against and how?	"Resources"
Package	Protection against non-integrated installations: Signing of packages with a certificate	CODESYS Package Designer
CODESYS programming system Project (source code)	Protection against unauthorized access (read access and/or write access) to the project; ensure identity integrity: Provide write protection to project (source code) Encrypt the project (source code): with password, certificate, or dongle Restrict access to the project and individual objects (user/permission management) Sign libraries Ensure installation integrity: See above under Package	Security Screen (certificates, communication settings) License Manager Password manager in CODESYS Development System
Runtime System CODESYS Control for <device> SL Communication with the PLC	Protection against unauthorized data access (read access and/or write access) and actions on the PLC: Use user/permission management ("group-based", simple) Encrypt CDS–PLC communication Encrypt communication with OPC UA Server Password policy for secure passwords Set a time limit for the password Configure a limited number of login attempts Interactive login to PLC to prevent unintentional access Differentiate between operating modes Time-limited use of critical user actions, such as STOP or RESET Monitoring with audit log: record system events and user actions Protection against data loss due to system failure: Backup/Restore of application and application data	Device editor: Communication, Users and Groups Security Screen (certificates, communication settings) Audit log Backup/Restore in the CODESYS Development System Export/Import of the device user management Password manager for devices
Use of the CODESYS Visualization CODESYS WebVisu	Protection against unauthorized access to data/values and actions (operability) in Visu online mode: User/permission management (runtime-based better than old legacy management) User group-based access to visualization elements Sign element (HTML5) Newest gateway and web server versions Access control and login procedure, login dialogs, password Encrypt connection between web server and visualization client (browser) based on certificates Enabling the web browser with HTTP Security header Encrypting Communication with a Remote TargetVisu	Security Screen (certificate for web server) Visualization Manager: User management Visu Visualization Element Repository for signing elements
Use of the CODESYS Automation Server	Protection against unauthorized access to data/values and actions (operability) in CAS online mode:: Encrypted communication: Edge Gateway – Automation Server Encryption of passwords for PLCs User management with roles and groups Multifactor authentication (TOTP) Configurable password policy Session timeout Recording of access and changes (audit trail)	Quick Setup to set up encrypted communication between edge gateway and controller
Communication via CODESYS OPC UA	Protection against unwanted data access when exchanging data via the OPC UA Server: Using a Secure OPC UA Server (Encryption of the connection to the client, user management) Protection against unauthorized symbolic access to PLC variables: PLC can authenticate OPC clients Configure symbol sets (assign to different users)	Secure OPC UA Server, security in accordance with the OPC UA specification: CODESYS Communication CODESYS Security Agent (certificate for OPC UA Server)
Project repository in CODESYS Git	Protection against unauthorized access to data managed in Git: Certificate-encrypted connection and two-factor authentication for communication with the remote repository SecureString password for using the scripting interface	Dialogs in CODESYS Git Dialog: Options – Git in CODESYS Development System
Project repository in CODESYS SVN	Protection against unauthorized access to data managed in SVN: Certificate-encrypted connection and two-factor authentication for communication via SSH	Dialogs in CODESYS SVN Dialog: Options – SVN in CODESYS Development System