CODESYS Security

Available measures and procedures in the IEC 61131-3 development system

Modern industrial automation systems are interconnected – regardless of whether they are operated based on classic designs or aspects of Industry 4.0 or IIoT. Both of these present vulnerabilities to cyberattacks on very different levels.

Overview of potential weaknesses in an industrial control network

As CODESYS is in widespread use throughout the automation industry, these scenarios become increasingly relevant to CODESYS users as well. Cyberattacks can lead to the unauthorized use or circulation of sensitive expertise, whether deliberate or unintentional. Existing production machinery or plants also run the risk of being compromised and even corrupted. In any case, the consequences can threaten the economic welfare of a company.

Single measures cannot eliminate these threats completely. However, numerous product features in CODESYS help reduce the dangers of typical attack scenarios or even prevent them altogether. In combination with Security procedures defined by the international standard IEC 62443, the Security features included in CODESYS provide maximum Security for your machinery, plants, and production processes.

This website provides information on the following topics:

  • Technical Security functions in CODESYS
  • General, system-independent recommendations
  • Established Security procedures
  • Download: CODESYS Security Whitepaper, Coordinated Disclosure Policy

Security functions in CODESYS: Fix potential vulnerabilities

Security features completely integrated in CODESYS

CODESYS Development System

  • Encryption of the application source code:
    Protect your application know-how with a password, dongle, or X.509 certificates.
  • User management on the project level:
    Define in detail the users authorized to read or write specific objects of your source code.
  • Encrypted communication between the CODESYS Development System and the PLC:
    Use your automation device to protect data exchange against unauthorized access.

CODESYS Runtime System

  • User management for controller access:
    Avoid risk of failure by clearly defining which user of the PLC is authorized to start and stop the application or execute additional online functions.
  • Encryption and signing of the executable application code: 
    Protect your application against unauthorized reproduction or modification by means of X.590 certificates.
  • Operation modes for the executable application code:
    Protect yourself against unintentional operations on the running machine.
  • Interactive login on the target device:
    Avoid unintentional access to controllers in the network.
  • Easy exchange or recovery of controllers: 
    Exchange failed systems and easily install a previously performed data backup.
  • Encrypted OPC UA communication: 
    Avoid unauthorized access to data provided by the CODESYS OPC UA Server.

Application code

  • Access restrictions via application:
    Use a library to define at runtime when specific critical operations must not be performed.
  • Enable additional functions:
    Define in detail the users authorized to execute or operate specific functions of the application.

Visualization

  • User management for visualizations: 
    Define in detail whether a user is authorized to read or execute certain visualizations.
  • Encrypted communication for the CODESYS WebVisu: 
    Protect data exchange between controller and browser.

CODESYS Automation Server

  • Encapsulation of the devices in the local network: Data exchange with the Server exclusively via CODESYS Edge Gateway.
  • Encrypted communication: Data exchange between the Server and CODESYS Edge Gateway end-to-end encrypted via TLS based on X.509 certificates
  • Reliable user and rights management: Access to objects and information can be fine-tuned, e.g. via object properties and user accounts - the latter additionally secured via two-factor authentication
  • Total transparency of actions: Recording of accesses and changes via audit trail
  • Know-how protection: Signing/encryption of source and compiled binary code via X.509 certificate, dongle, or password
  • Certified security: Regular security audits by external auditors

 

General Security measures for automation systems

In addition to using the special Security features included in CODESYS, automation systems should be protected by methods and procedures like the ones used in other interconnected systems:

  • Antivirus protection
  • Secure passwords that are changed on a regular basis
  • Firewall protection at network interface
  • VPN tunnel for the connection of networks
  • Careful use of mobile storage media such as USB sticks

Operation in a protected environment

Manufacturers and operators should protect their automation systems by using comparable standards to those deployed to protect strictly mechanical or electric systems:

  • Not everybody is allowed to access a factory site.
  • Not every employee of a factory is allowed to access every area.
  • Not every employee in a production area is allowed to access the control cabinet.

In order to avoid errors and problems caused by unauthorized or unintentional access, data access should be divided into manageable and controllable units.

Awareness for IT Security

Negligence and a lack of awareness are the most frequent reasons for Security problems. Therefore we recommend that manufacturers and operators of automation systems explain the existing dangers to their employees, familiarize them with appropriate security measures, and urge them to apply these measures. 

Users should be familiar with the Security functions in CODESYS and they should know how to deploy these functions effectively.

Security procedures

The CODESYS product development and all security procedures are based on the specifications of the Security standard IEC 62443. Procedures defining how to handle vulnerabilities are established and are being put into practice.

More information on the CODESYS Security procedures and on the current CODESYS Security Advisories

 

CODESYS Security

The Security functions integrated in the CODESYS products are permanently updated and extended. All CODESYS software components are regularly checked to detect potential vulnerabilities. Moreover, the CODESYS Group commits to resolve verified vulnerabilities within a reasonable period of time. Our Security Whitepaper (PDF) will provide you with important information on the topic of CODESYS Security.

Coordinated Disclosure Policy

Our Coordinated Disclosure Policy (PDF) gives you all relevant information on how to report vulnerabilities and on how the CODESYS Group handles reported vulnerabilities.

Jobs @ CODESYS