KB Controls is reader-supported. When you buy through links on our site, we may earn an affiliate commission. Read more in our disclaimer

Security by Default Features in TIA Portal v17

A first look at the security by default features of TIA Portal version 17

In TIA Portal version 17, Siemens has extended their effort to provide security by default to new automation projects. In this article, we take a deep dive into the new security features of TIA Portal version 17 and their implications.

PLC Security Settings Wizard

Unlike previous versions of TIA Portal, TIA Portal version 17 emphasizes the security configuration of projects as soon as a PLC is created in the project. To demonstrate the new workflow, I have created a new TIA Portal project and added an S7–1500 PLC with firmware version 2.9.

As soon as I add the PLC to the project, the PLC Security Settings wizard opens up.

PLC Security Settings Wizard

Your first instinct may be to cancel this wizard, but if you do this, you will be greeted by compile errors when you try to compile the hardware in the project. To compile the project, you must go through the steps in the wizard and make decisions about what security features to enable and disable in the project.

Compile errors after cancelling the PLC Security Settings wizard

To relaunch the wizard, click on the “Start security wizard” button in the Protection tab of the PLC’s properties.

Start security wizard button

In the rest of this article, we will go through the steps in the security wizard and look at the effect that they have on the project.

Protection of Confidential PLC Data

Protection of Confidential PLC Data

In the first step, we define the password for a secure area on the memory card where confidential data is stored. The confidential data that is stored in this area of the memory card includes private keys of certificates for communicating with other devices, web servers, and OPC clients.

The recommendation here is to choose a non-trivial password because the stronger the password, the greater the protection of your data.

Press the “Setup” button to define a password for the confidential PLC configuration data. With the password set, you can guarantee the confidentiality of the PLC data.

Setup password for confidential PLC data

Mode for PG/PC and HMI Communication

Secure communication configuration

The second step of the PLC Security Settings wizard deals with secure communication between the PLC and other devices.

In this step, we specify if we want to use the Internet-standard TLS (Transport Layer Security) for communications between the PLC and other devices. This secure communication relies on the use of certificates to authenticate the PLC to other devices. The creation and management of these certificates are handled in the background by TIA Portal.

By enabling secure communication, you guarantee that the data you transmit is being sent to the correct device and arrives at the target device unmodified.

Setup secure communication

Access Levels

Access Level Configuration

Finally, you can configure the Access Protection. Access Protection defines passwords for different levels of access to the PLC. Defining Access Protection helps to protect against accidental or malicious modification of the PLC data.

The best practice here is to define different passwords for each level of access in the PLC, starting with the complete protection access level.

Define password for access protection

Summary

PLC Security Settings Summary

The final screen of the PLC Security Settings is a summary of the settings configured for the PLC.

Apply these settings by clicking Finish.

Demo

In the Protection tab of the PLC Properties, you can see that TIA Portal has configured the security settings based on our actions in the PLC Security Settings wizard.

The most interesting thing in this Protection tab is the certificate that TIA Portal has created for us. This certificate is used in secure communication with the PLC.

TIA Portal Certificate

When you try to download the project to the PLC for the first time, you are prompted to confirm that this is a trusted device.

If you want, you can inspect the self-signed certificate from the PLC to confirm that this is the correct target device.

Inspect PLC’s certificate

When you are happy that the self-signed certificate from the PLC is valid, then click “Consider as trusted and make connection” to continue with the download.

In the Load Preview window, you are prompted to enter the password for the confidential PLC configuration data. Enter the password that you created in the PLC Security Settings wizard.

If this password doesn’t match what was configured in the PLC Security Settings wizard, then the PLC will not transition to RUN mode.

Enter the password for confidential PLC configuration data

When you have entered the password, click Load to load the project to the PLC.

During this download, TIA Portal has generated another self-signed certificate. This new self-signed certificate is downloaded to the PLC and stored in the confidential configuration data area. While this certificate exists in the PLC, you will not be prompted for the password again.

Conclusion

TIA Portal version 17 extends TIA Portal’s security by default policy by forcing users to make decisions about security as soon as they add a new PLC to a TIA Portal project.

The security settings that you configure in this wizard help to ensure that the PLC data is protected and that any data communicated between the PLC and other devices is sent securely and arrives at the correct destination unmodified. This is accomplished using passwords, certificates, and encryption keys.

Although security is a complex issue, I think the PLC Security Settings wizard in TIA Portal version 17 makes securing your projects simple and straightforward. Let's hope that automation engineers choose to implement these security features so that we hear of less industrial hacking from the news each month.

PLC Programming Bootcamp

Learn PLC programming and kick start your career as a PLC programmer by following our free 5 day bootcamp.

Learn More

Related Content