NOTICE

Recommendations for data protection
In order to minimize the risk of data security violations, we recommend the following organizational and technical actions for the system where your applications are running. Whenever possible, avoid exposing the PLC and control networks to open networks and the Internet. Use additional data link layers for protection, such as a VPN for remote access. Install firewall mechanisms. Restrict access to authorized persons. Use high-strength passwords. Change any default passwords regularly before and after commissioning.
Use the security features supported by CODESYS and the respective controller, such as encryption of communication with the controller and intentionally restricted user access.
Communication with the device can be protected by means of encryption and user management on the device. You can change the current security preset on the “Communication Settings” tab of the device editor.
Establishing a connection to the controller, logging in, installing a trusted certificate for encrypted communication
Requirement: Encrypted communication with the controller and user management are enforced on the controller. However, an individual password does not exist yet. A certificate has not been installed on your computer and the connection to the controller has not been configured yet.
- In the device tree, double-click the controller.
The device editor opens.
- Click the “Communication Settings” tab.
- Click “Scan Network”.
- Select a controller.
A dialog opens, informing you that the certificate of the device does not have a trusted signature for communication. You are prompted to either install this certificate as trusted in the local "Controller Certificates" store on your computer, or to accept it for this session only.
NOTICE
A controller certificate installed in this way is valid for only 30 days. This gives you time for the following long-term solutions:
- Creation of an additional self-signed certificate with a longer validity period (for example, 365 days). You can do this on the security screen if you have installed the CODESYS Security Agent, even if a certificate already exists. The PLC shell of the device editor is a less convenient alternative.
See below: "Configuring encrypted communication with a controller certificate with a more long-term validity period"
- Importing a CA-signed certificate. This is currently only possible via the PLC shell commands of the runtime. Therefore, we recommend using self-signed certificates first.
- If you want to install the certificate, then select the first option and click “OK” to confirm the dialog prompt.
The certificate is listed as trusted. After accepting the self-signed certificate for the first time, you can establish an encrypted connection with the controller again and again without further prompts.
A dialog prompt is displayed with the notice that user management is required for the device but is not enabled yet. You are asked whether you want to enable user management. The notice also states that in this case you have to create a new administrator account and then log in as this user.
- Click “Yes” to close the dialog prompt.
The “Add Device User” dialog opens to create an initial device administrator.
- Create a device user in order to edit the user management as this user. In this case, only the “Administrator” group is available. Specify a “Name” and “Password” for the user. The password strength is displayed. Note also the options set for changing the password. By default, the password can be changed by the user at any time. Click “OK” to confirm.
The “Device User Logon” dialog opens.
- Enter the credentials for the device administrator which you defined in the previous step.
You are logged in on the controller. On the “Users and Groups” tab, you can use the button to switch to synchronized mode. The device user management is displayed there and you can edit it.
After you click “OK” to confirm, the device user management is displayed in the editor view. It contains the user of the “Administrator” group who you just defined. The name of this user is also displayed in the taskbar of the window as “Device User”.
- All saved controller certificates (from Step 5) are stored in the local Windows certificate store on your computer. You can access this store by means of “Execute” and the certmgr.msc command. All registered certificates for encrypted communication with controllers are listed there under “Controller Certificates”.
Configuring a controller certificate with a more long-term validity period for encrypted communication by means of CODESYS Security Agent (recommended)
Requirement: The CODESYS Security Agent add-on product is installed. You want to replace the temporary certificate (as described above) acquired the first time you connected to the protected controller with a certificate with a longer validity period.
In this case, the “Security Screen” view provides an additional tab: “Devices”. This allows for the simple configuration of certificates for the encrypted communication with controllers. For operation, see the help for CODESYS Security Agent: "Encrypted Communication with Devices via Controller Certificates".
Installing a controller certificate for encrypted communication via the PLC shell of the device editor
Choose this less convenient method when the CODESYS Security Agent is unavailable to you. In this case, you can set up a certificate with a more long-term validity period for communication encryption on the “PLC Shell” tab of the device editor.
Requirement: You are connected to the controller.
- First, check whether a qualified certificate is already on the controller. If no certificate is available, then create a new one.
Open the device editor by double-clicking the controller in the device tree, and select the “PLC Shell” tab.
The tab appears with a blank display window. Below that is a command line.
- Type the command cert-getapplist in the command line.
All certificates in use are listed. The list includes information about the runtime component and whether or not the certificate is available.
- If a certificate does not yet exist for the component CmpSecureChannel, then type the following command in the input line: cert-genselfsigned <number of the component in the applist>
- Click the “Log” tab and then the refresh button.
The display shows whether or not the certificate was generated successfully.
- Change back to the “PLC Shell” tab and type the command cert-getapplist.
The new certificate for the component CmpSecureChannel is displayed.
- In the next two steps, activate encrypted communication in the security screen of CODESYS.
- Open the “Security Screen” by double-clicking the icon in the status bar.
- On the “User” tab, select the “Enforce encrypted communication” option in the “Security Level” group.
The communication to all controllers is encrypted. If there is not a certificate on a controller, then you cannot log in to it.
The connecting line between the development system, the gateway, and the controller is displayed in yellow on the “Communication Settings” tab of the device editor of the controller.
- As an alternative to the “Enforce encrypted communication” option which applies to all controllers, you can also define encrypted communication for specific controllers only. To do this, select the “Communication Settings” tab in the editor of the respective controller. Then click “Encrypted Communication” in the “Device” list box.
The communication with this controller is encrypted. If there is not a certificate on the controller, then you cannot log in to it.
The connecting line between the development system, the gateway, and the controller is displayed in yellow on the “Communication Settings” tab of the device editor of the controller.
- When you log in to the controller for the first time, a dialog opens with the information that the certificate of the controller is not signed by a trustworthy authority. In addition, the dialog displays information about the certificate and prompts you to install it as a trustworthy certificate in the local store in the “Controller Certificates” folder.
When you confirm the dialog, the certificate is installed in the local store and you are logged in to the controller.
In the future, communication with the controller will be encrypted automatically with this controller certificate.
- To increase the security of the key exchange for controllers < V3.5.13.0, you can generate Diffie-Hellman parameters on the controller. To do this, type the command cert-gendhparams in the input line. This is no longer required for controllers >= V3.5.13.0.
NOTICE
Caution: Generating the Diffie-Hellman parameters can take several minutes or even several hours. However, this process has to be executed only once for each controller. The Diffie-Hellman parameters increase the security of the key exchange and protect recorded encrypted data against future attacks.
Changing the communication policy (encryption, user management)
Requirement: The connection to the device is established.
- In the device tree, double-click the controller.
The device editor opens.
- Click the “Communication Settings” tab.
- Open the “Device” menu in the header of the editor. Click “Change Communication Policy”.
The “Change Communication Policy” dialog opens.
- In the upper part of the dialog, you can toggle between the “Optional encryption”, “Enforced encryption”, and “No encryption” settings.
- In the lower part of the dialog, you can toggle between the “Optional user management” and “Enforced user management” settings.
Enabling and disabling enforced encrypted communication
Requirement: The device supports encrypted communication.
- In the device tree, double-click the controller.
The device editor opens.
- Click the “Communication Settings” tab.
- Open the “Device” menu in the header of the editor. Click “Encrypted Communication”. The status toggles between enabled and disabled.
If the “Encrypted communication” option is selected, then the connection line between the development system, the gateway, and the device is highlighted in the editor in bold and in color in the graphical representation.