Security in CODESYS
Security in a typical automation environment
In an automation environment, various areas must be protected from unauthorized access and manipulation.
Data theft
Unauthorized access to confidential data
Unauthorized data changes (e.g. by hackers)
System failures due to attacks or misconfiguration
Unclear or unverified identities during access
The following areas are considered particularly relevant to security.
Programming interface (CODESYS Development System) including remote maintenance access
Controller (PLC) during configuration, operation, and monitoring
Real-time communication between controllers
Fieldbus interfaces to sensors, actuators, and machines
General requirements for a protected environment
This ensures a protected environment in addition to the resources available in CODESYS:
Use of antivirus solutions
Strict password rules and secure authentication mechanisms
Use of a firewall to protect network boundaries
Separation of office, production, and fieldbus networks
Use of encrypted and authenticated protocols (e.g. VPN) for communication between networks
Strict control when using external storage devices
Mechanical access protection for controllers
Security in the CODESYS environment
For more information about cybersecurity in CODESYS, see the following: CODESYS Security.
Important
The security functions which are integrated into CODESYS products are constantly updated and expanded. All CODESYS software components are regularly checked for potential security vulnerabilities. In addition, the CODESYS Group is committed to resolve verified security vulnerabilities within a reasonable period of time. In our Security Whitepaper (PDF), you will find all important information about CODESYS Security.
An important part of the security measures is the use of certificates for the encryption of source code, boot application, packages, and above all communication between CODESYS Development System and the PLC. The use of X.509 certificates is supported for this.
What is protected and where? | Supporting Features and Tools | What is protected against and how? |
|---|---|---|
Package | CODESYS Package Designer | Protection against non-integrated installations: |
CODESYS programming system Project (source code) |
| Protection against unauthorized access (read access and/or write access) to the project; ensure identity integrity:
Ensure installation integrity: See above in package |
Runtime System CODESYS Control for <device> SL Communication with the PLC |
| Protection against unauthorized data access (read access and/or write access) and actions on the PLC: Protection against data loss due to system failure: |
Use of the CODESYS Visualization CODESYS WebVisu | Security Screen (certificate for web server) Visualization Manager: User management Visu Visualization Element Repository for signing elements | Protection against unauthorized access to data/values and actions (operability) in Visu online mode: |
Use of the CODESYS Automation Server | Quick Setup for setting up encrypted communication between the edge gateway and the controller | Protection against unauthorized access to data/values and actions (operability) in CAS online mode:
|
Communication via OPC UA | Secure OPC UA Server, security according to the OPC UA specification:
| Protection against unwanted data access when exchanging data via the OPC UA Server:
Protection against unauthorized symbolic access to PLC variables:
|
Project repository in CODESYS Git | Dialogs in CODESYS Git Dialog: Options – Git in CODESYS Development System | Protection against unauthorized access to data managed in Git:
|
Project repository in CODESYS SVN | Dialogs in CODESYS SVN Dialog: Options – SVN in CODESYS Development System | Protection against unauthorized access to data managed in SVN: Certificate-encrypted connection and two-factor authentication for communication via SSH |