Protecting PLC software using CoDeSys V3.5 and CodeMeter
Software protection is not only relevant to PC software. There are also important reasons for protecting PLC software: machines and plants, and the know-how in the embedded software in them, need to be protected against reverse engineering. Protection also allows new business models to be implemented and guarantees system integrity. Oliver Winzenried, chief executive of Wibu-Systems, explains what’s possible today.
Has the Stuxnet incident made manufacturers and users more aware of the dangers posed by viruses etc., and have they taken the necessary steps to protect themselves?
Users and machine designers are now more aware of the need for security in automation and embedded systems than they were before the Stuxnet incident. Many governments have started programs and set up “cyber defense centers” to protect critical infrastructure such as traffic guidance systems or energy and water utilities which must be protected against attacks from both terrorists and hackers. In the 23.10.2011 edition of the “Frankfurter Allgemeinen” Sunday newspaper, Michael Hange, president of the German Federal Office for Information Security, BSI, called upon industry to report attacks by the Duqu worm. Symantec first warned about this worm which has many similarities to the Stuxnet worm. At the same time, unauthorized manipulation is becoming more and more of a problem. An example: manufacturers of wind power plants are anxious to prevent operators from tuning their wind turbines to generate more energy than specified. This will increase the wear and tear of parts still under guarantee which the manufacturer will then have to replace.
How can automation systems be effectively protected against manipulation?
Technical protection systems make it difficult to reverse engineer equipment, control systems and machines. The embedded software is effectively protected if the program code is encrypted. The encryption key is securely stored in either a dongle or in software which then activates and ties the key to a specific device or control system.
Protection against reverse engineering is achieved by storing the program code in the target system in encrypted format as this prevents a disassembler from statically analyzing it. There are also mechanisms for detecting an “attack” which immediately cause the license to be locked and hence stop more software from being decoded.
The manufacturer digitally signs the program code to prevent it from being manipulated or modified without permission. The protection mechanism on the target system only allows correctly signed program components to be loaded and executed. Or put another way: a manipulated program won’t run.
Wibu-Systems and 3S-Smart Software Solutions have been working together since 2010 to integrate CodeMeter technology into the CoDeSys PLC programming and runtime system. What is the situation at the moment?
3S is rolling out version 3.5 of CoDeSys at SPS/IPC/Drives this year. CodeMeter technology – known here as CoDeSys Security Key – is fully integrated into this version. You only need to tick the relevant box to generate protected code from within the development environment. The code can then be executed when a CoDeSys Security Key is connected to the target system.
The new security concept helps to stop valuable know-how from being copied or transferred to other control systems. Other security functions such as “signed application” and “encrypted communication” between the programming PC and PLC will satisfy the demand for integrity protection. The integrated user management, which protects access to projects or source code, effectively prevents third party manipulation of control systems.
Wasn’t this possible before?
Up till now the CoDeSys development system only contained password protection. PLC programs in the target systems weren’t protected. It wasn’t possible to use CmDongles as they need a runtime software which wasn’t available. New in version 3.5 of CoDeSys: by using the right dongle, program code can now be protected on any platform.
The deep level of integration in CoDeSys opens up new possibilities. Individual software components no longer have to be licensed immediately. This functionality, known as Feature-on-Demand, means functions present in the software can be “enabled” as and when required. They can be enabled via the Internet or offline via a license file after the software has been distributed. The machine manufacturer can thus use Feature-on-Demand to individually sell the features of his machines, both before and after shipment. For example he can offer a cheap starter model to compete with low cost foreign suppliers and a high-end one with lots of extras.
Control system suppliers can sell a fixed number of licenses for target systems on a pay-per-use basis. The machine or plant engineer can then activate the licenses in his control systems as required. The manufacturer can also use pay-per-use mechanisms to lease his machines and bill customers according to usage. This will ensure he gets paid!
And last but not least, this method can also be used by the machine or plant engineer to protect his source code. He can choose which parts can be seen and modified by his customers (the end user), and which parts appear as a black box i.e. they can be used but not modified.
How are all these functions or features managed?
License management is integrated into the sales process i.e. licenses are given “part numbers” just like the mechanical components of a machine. The number appears in the parts lists of the ERP system. The ERP system, for example SAP, is connected to the License Central via a web interface so that licenses can be generated automatically. They are transferred to the machine’s control system either online or offline using a file.
Are the security functions described above always available in CoDeSys?
Yes, they will be, but you will need a CoDeSys Security Key to use them. The key is available from 3S. Similar types of Security Keys are also available for the target platforms. All CodeMeter hardware variants can be used as Security Keys, for example the USB CmStick/M or CmCards in MicroSD, SD or CF card format. They only cost a little more than normal industrial memory cards.
Besides the collaboration with 3S, are there similar cooperations with, for example, control system manufacturers?
3S has done pioneering work with the deep integration of CodeMeter in CoDeSys. It is the first supplier in the PLC industry to offer such a solution. The Research Center for Information Technology (FZI) in Karlsruhe is currently developing a protection profile and is evaluating security functions. A protection profile is a sort of criteria catalogue which can be used to objectively test which of our products offer protection from which attacks. The project is partly financed by the BMWi (German Federal Ministry of Economics and Technology).
We are also involved in talks with other suppliers in Europe, USA and Asia. I would like to mention here one collaboration in particular: Wibu-Systems is a Validated Partner of Wind River, a 100% subsidiary of Intel. VxWorks has made Wind River one of the leading global suppliers of real time operating systems. Our CodeMeter Compact Runtime has been integrated into VxWorks which means RTP (Real Time Process) and DKM (Downloadable Kernel Module) components can be securely downloaded and program code is protected. Full integration into the Eclipse-based VxWorks Workbench development environment is under way.
Security is also a basic prerequisite for meeting safety requirements. What does this mean?
Safety standards and measures guarantee that machines and plants do not present a hazard to humans, the environment or property. This can only be guaranteed though if the manipulation of safety-critical systems is made impossible. The appropriate security solutions protect the safety solutions against attacks from outside, for example against unauthorized execution of program code or unauthorized modifications. Safety can only be achieved using security.
Dieter Hess, CEO of 3S-Smart Software Solutions GmbH
“CoDeSys Security makes it easy for automation engineers to effectively protect their applications. It is based on tried and tested CodeMeter technology. Because this technology is fully integrated into CoDeSys it only takes a few mouse clicks to activate the protection. There is no need to familiarize oneself with the technology. The concept doesn’t exist in any other PLC programming system at the moment.”