
How To: Security measures in the CODESYS environment

Apply the CODESYS security measures consistently to protect all areas of your automation environment step by step.

  1. In general, an installed CODESYS Development System can be compromised if additional installations or libraries are manipulated or replaced. To ensure the integrity of the development environment, various signing mechanisms are supported.

    • Sign add-on packages in CODESYS Package Designer.

    • Sign libraries when saving in CODESYS Development System.

    • Sign HTML5 controls in the visualization element repository.

  2. Create a project for programming your application(s) in CODESYS.

    Create a project user management. Configure credentials for users and their permissions. You can individually configure the Access Control in the Properties of each object.

    Encrypt the project in the Security category of the Project Settings with at least a password – or even better with a certificate.

    For more information, see the following: How To: Protect the development and source code

  3. If you create a library which should be installed for use in other projects, then protect it with a signature. Every component which can be additionally installed offers hackers the opportunity to attack the programming system.

    For more information, see the following: Protecting and signing compiled libraries

  4. As a library developer, you can use the CmpX509Cert.library library to create certificates for specific function blocks on the PLC.

    For more information, see the following: How To: Use CmpX509Cert for certificate generation

  5. Manage the project in a version control system, such as CODESYS Git, for the purpose of data security and secure exchange with others.

    For more information, see the following: Connecting a project to version control

  6. Before downloading the created application:

    Encrypt and/or sign the application with a certificate. The necessary actions are best started in the Properties dialog of the application on the Security tab.

    For more information, see the following: How To: Encrypt or sign a boot application

    You can use the CmpX509Cert.library library to generate X.509 certificates from within your IEC application. The certificates can be assigned specifically to a particular application or to a unit within the application.

    For more information, see the following: How To: Use CmpX509Cert for certificate generation

  7. Configure the connection to the PLC and protect it:

    Make sure that the Encrypted Communication security setting is enabled in the device editor. Scan the network for the PLC.

    After selecting the PLC, you will be prompted to create and install a certificate for encrypted communication which is valid for at least a limited period of time.

    When prompted, enable the device user management. At the next prompt, configure a device user. Log in to the PLC with the credentials assigned for this purpose.

    For more information, see the following: How To: Encrypt communication with a certificate and change the security policy

  8. You can now run the application on the PLC.

    Consider whether you want to install a long-term certificate for encrypted communication at this time. Check the runtime system security policy and adjust it if necessary.

    For more information, see the following: How To: Encrypt communication with a certificate and change the security policy

  9. The application is running on the controller. You can do the following for improved security: use the audit log, exclude specific critical user actions via the application, use PLC operating modes, and configure interactive login.

  10. Do you use an OPC UA Server and symbol sets for the exchange with the PLC?

    Encrypt the communication between the OPC UA Server and Client with a certificate which can be set up using the security screen when the connection is first established. Configure the CODESYS user and rights management also for actions on the OPC UA Server. Restrict access to symbols for specific device user groups.

    For more information, see the following: How To: Securely use the OPC UA Server and How To: Configure symbol sets

  11. Do you use a WebVisu or TargetVisu?

    For visualizations, you should use the "runtime-based user management", which is linked to the user management on the controller. For a WebVisu, communication with the web server must be certificate-encrypted. Always sign the HTML5 controls you use as well, because they are installable components and therefore offer a target for hackers.

    You should also encrypt communication with the relevant PLC for a remote TargetVisu.

    For more information, see the following: How To: Sign HTML5 controls, How To: Protect communication to the WebVisu, and How To: Protect communication to the remote TargetVisu

  12. Do you use the Automation Server?

    You have already assigned a server password at the time of purchase. Use multifactor authentication (MFA) when logging in. Configure user management on the Automation Server and assign specific access permissions for actions on the server and on server objects. Configure the certificate-encrypted connection between the Automation Server and the Edge Gateway. A "Quick Setup" makes this easier. Use the "Audit Trail" function to make actions and access traceable.

    For more information, see the following: How To: Security for CODESYS Automation Server

  13. Use CODESYS Git

    If possible, use SecureString passwords when using the scripting interface.

    For more information, see the following: Connecting a project to version control

  14. Plan your backup measures in good time. The ability to recover lost data is also part of the security measures.

    For more information, see the following: How To: Backup and Restore