CSPP – CodeMeter® Source Protection Provider

Providing Enhancements to Source Protection

The current marketplace demands a new approach to Industrial Control Systems (ICS), one that takes into account the global scalability of the business, sustainability values and the need for agility in production. Automation is the underlying key to success in all industries, from automotive to energy, from food processing to packaging. In this complex ecosystem, the Original Equipment Manufacturers (OEMs) that can incorporate both breadth and depth of security perspective in their product portfolio have a serious advantage. Aside from the input-logic-output aspect, which is more typical of safety, security needs to balance human and technological factors, as well as provide seamless solutions that can be integrated easily and promptly into the customer’s infrastructure.

Best practices for a security-oriented architecture include a clear understanding of access authentication, data confidentiality, IP protection, product and network hardening, tamper prevention and detection, not to mention partnering and supply chain. The matter is incredibly broad, and it is hard to possess skills in all these areas of expertise.

Rockwell Automation has authorized Wibu-Systems to develop a solution for enhanced source key management that supports Rockwell’s Studio5000 logix programming environment. The goal of source key enabled IP protection is to limit the access to program routines, equipment phase state routines and Add-On Instructions (AOI) to prevent their uncontrolled proliferation and undesired reconfiguration.

The resulting technology consists of two dedicated elements:

  • the CSPP Enterprise Edition Client for each authorized user of Studio5000
  • and the CSPP Enterprise Edition Manager.

Together they:

Enable the use of Source Protection enhanced functionality

  • prevent copying/printing of code, also with keys in place
  • force code encryption during export, also with keys in place
  • prevent security reconfiguration

The main advantage introduced by Wibu-Systems is enabling enhanced Source Key sharing with service employees or customers for implementing changes.

Flexibly manage Source Keys for a distributed workforce

  • with the implementation of limited validity time periods
  • with the implementation of limited usage counts
  • with the support of both web-connected and offline stand-alone or firewalled systems.

Simplify secure key group generation and distribution for IP owners

  • multiple development teams
  • multiple service teams / organizations
  • different machine types

The main advantage introduced by Wibu-Systems is providing high granularity for selective enabling of access to critical code when needed – e.g. startup/breakdown diagnostics, enhancements, corrections, etc.

The core element of the solution is CodeMeter, a technology designed to protect the integrity of embedded software against tampering, counterfeiting and duplication. A hardware unit, the CmDongle, embeds a smart card chip, which in turn offers two-factor authentication capabilities and encryption features combining ECC, RSA, AES and 3DES. It is therefore the ideal safe repository for license certificates of both the CSPP application and the machine vendor’s specific digital keys. CodeMeter also allows the setup of special user rights, as well as counters and an expiration date for volume-limited and time-limited consultation of resources, respectively. This latter feature is especially relevant for ensuring that field engineers have exclusive access to the documentation and source code parts related to their specific intervention.

The CodeMeter solution also supports lifecycle license management. The CSPP Enterprise Edition Manager acts as the central gateway to all administrative functions, such as the generation and maintenance of digital keys and user groups.

Two further standard components of the system are License Central and Web Depot. These are the web-based services where key storage and license rollout are managed. These services can either be hosted by the customer’s own IT department or be outsourced, ultimately to Wibu-Systems itself.

The graphic below shows the interaction between all the relevant elements.

The convergence of the two modules substantially improves industrial security standards in a network environment by guaranteeing the complete protection of source code and access control policy enforcement. The IP of the OEM is safeguarded while the customer’s usability remains slim.
