2 Security mechanisms on the S7 CPU
Security
Article ID: 90885010, V3.0, 11/2022 19
© Siemens AG 2022 All rights reserved

online access and function restriction

The S7 CPU has four access levels, in order to limit access to specific functions. Setting up the access level and password limits the functions and memory ranges that are accessible without a password. The individual access levels and the associated passwords are defined in the object properties of the CPU. Legitimating oneself with a configured password grants access according to the associated protection level.

Table 2-1 Access levels and restriction of access

Access level: Full access (no protection)
Restriction of access: Hardware configuration and blocks can be read and changed by anyone.

Access level: Read access for F blocks (only with F-CPUs)
Restriction of access: F blocks in the safety program cannot be modified without legitimation with the password associated with this access level or a higher access level.

Access level: Read access
Restriction of access: This access level grants only write-protected access to the hardware configuration and the blocks unless the password is entered. Without the password, the following functions can be utilized:
• Read the hardware configuration and blocks
• Download the hardware configuration and blocks to the programming device
• Read diagnostic data
• Display online/offline comparison results
• Set the time
• Change operating mode (RUN/STOP)
The following functions cannot be run without entering the password:
• Download the blocks and hardware configuration to the CPU
• Write-based test functions
• Firmware update (online)

Access level: HMI access
Restriction of access: This access level only allows the following when the password has not been entered:
• HMI access
• Read diagnostic data
Example: With the "HMI access" access level, you can go online and display diagnostic icons for the states of objects. Tags can be read and written via an HMI device.
The following functions cannot be run without entering the password:
• Download the blocks and hardware configuration to/from the CPU
• Display online/offline comparison results
• Change operating mode (RUN/STOP)
• Write-based test functions
• Firmware update (online)

Access level: No access (complete protection)
Restriction of access: Only identification data can be read, e.g. via "Accessible subscribers".
With complete protection, the CPU forbids:
• Read and write access to the hardware configuration and blocks
• HMI access
• Modification in the server function for PUT/GET communication

Operational performance with protection level activated

A password-protected CPU behaves as follows when in operation:
• The CPU protection takes effect once the settings are downloaded to the CPU and a new connection has been established.
• Before an online function is executed, the necessary permission is checked and, if the function is password-protected, the user is prompted to enter a password.
• The password-protected functions can only be executed from one programming device or PC at any given time. Another programming device or PC cannot sign in with a password.
• Access permissions to the protected data apply while the online connection is active, or until the access protection is removed manually via "Online > Delete access permissions".

Going online with a password-protected CPU

Going online with a password-protected CPU requires read access as of STEP 7 V14. Therefore, you must enter the password for read access when you go online or, if no password was configured for this, you must enter the password for full access.

If you have a fully protected CPU and only have a password for HMI access on hand, cancel the password prompt after the read access password prompt. You will then be prompted to enter the password for HMI access. The permission for HMI access is not sufficient for the online/offline comparison, however. For this you will need read access permissions.

Note
Configuring an access level is not a replacement for know-how protection. It prevents improper modifications to the CPU by restricting download permissions.
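The restriction an access level actually provides is easiest to see as a permission matrix. The following is an added example (not code from the Siemens document) that models Table 2-1 and the operating behaviour described above: each configured level grants a permission tier without any password, a password raises a connection to its tier (a higher-tier password covers the lower tiers), only one programming device holds a password session at a time, and "Delete access permissions" drops back to the unauthenticated tier. The function names, the `Permission` ordering and the sample passwords are this example's own assumptions; the real CPU authentication protocol is not modelled. The `exposed_without_password` helper is the audit a defender would run on a proposed configuration.

```python
"""Model of the S7 CPU access levels from Table 2-1 (added example, not Siemens code).

Assumptions: protection levels are treated as strictly ordered permission
tiers, and each tier's password is a plain string in a dict. The CPU's real
authentication protocol is not modelled."""
import hmac
from enum import IntEnum


class Permission(IntEnum):
    """Permission tiers; a higher tier includes every lower one."""
    NONE = 0   # only identification data ("Accessible subscribers")
    HMI = 1    # HMI access, read diagnostic data
    READ = 2   # read/upload configuration, comparison, set time, RUN/STOP
    FULL = 3   # download to CPU, write-based tests, firmware update


# Minimum permission each online function needs, as listed in Table 2-1.
REQUIRED = {
    "read identification data": Permission.NONE,
    "hmi access": Permission.HMI,
    "read diagnostic data": Permission.HMI,
    "read hardware configuration and blocks": Permission.READ,
    "download to programming device": Permission.READ,
    "online/offline comparison": Permission.READ,
    "set the time": Permission.READ,
    "change operating mode (RUN/STOP)": Permission.READ,
    "download to CPU": Permission.FULL,
    "write-based test functions": Permission.FULL,
    "firmware update (online)": Permission.FULL,
}

# Configured access level -> permission granted with no password at all.
UNAUTHENTICATED = {
    "Full access (no protection)": Permission.FULL,
    "Read access": Permission.READ,
    "HMI access": Permission.HMI,
    "No access (complete protection)": Permission.NONE,
}


def exposed_without_password(access_level):
    """Audit helper: which functions a configured level leaves open to anyone."""
    granted = UNAUTHENTICATED[access_level]
    return sorted(f for f, need in REQUIRED.items() if need <= granted)


class ProtectedCpu:
    """One CPU with a configured access level and per-tier passwords."""

    def __init__(self, access_level, passwords):
        # passwords: {Permission.FULL: "...", Permission.READ: "...", Permission.HMI: "..."}
        self.base = UNAUTHENTICATED[access_level]
        self.passwords = passwords
        self.sessions = {}           # client -> Permission currently held
        self.password_holder = None  # only one PG/PC may hold a password session

    def connect(self, client):
        # A new connection starts with whatever the level grants unauthenticated.
        self.sessions[client] = self.base

    def login(self, client, password):
        """Grant the tier whose password matches; a second PG/PC is rejected."""
        if self.password_holder not in (None, client):
            raise PermissionError("another programming device holds the password session")
        for tier in sorted(self.passwords, reverse=True):   # try FULL first
            if hmac.compare_digest(self.passwords[tier].encode(), password.encode()):
                self.sessions[client] = max(self.sessions[client], tier)
                self.password_holder = client
                return tier
        raise PermissionError("wrong password")

    def can(self, client, function):
        """Permission check performed before an online function runs."""
        return self.sessions.get(client, Permission.NONE) >= REQUIRED[function]

    def delete_access_permissions(self, client):
        """Mirrors 'Online > Delete access permissions'; also used on disconnect."""
        self.sessions[client] = self.base
        if self.password_holder == client:
            self.password_holder = None

    def disconnect(self, client):
        self.delete_access_permissions(client)
        self.sessions.pop(client, None)


if __name__ == "__main__":
    for level in UNAUTHENTICATED:
        print(f"{level}: {exposed_without_password(level)}")
    # Constructed sample passwords for a fully protected CPU.
    cpu = ProtectedCpu("No access (complete protection)",
                       {Permission.FULL: "full-pw", Permission.READ: "read-pw",
                        Permission.HMI: "hmi-pw"})
    cpu.connect("PG1")
    cpu.login("PG1", "hmi-pw")
    print(cpu.can("PG1", "read diagnostic data"),       # True
          cpu.can("PG1", "online/offline comparison"))  # False: HMI access is not enough
```

Running the script prints, for each level, the functions reachable by anyone on the network; "Read access" still leaves RUN/STOP changes and the upload of blocks open, which is why the document treats access levels as download protection rather than know-how protection.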
However, the blocks on the SIMATIC Memory Card are neither write-protected nor read-protected. Know-how protection should be used to safeguard the program code.

2.3 Block protection

Various block protection mechanisms are available in STEP 7 (TIA Portal) to protect the know-how in the blocks' programs from unauthorized persons.

2.3.1 Know-how protection

Know-how protection lets you guard blocks of type OB, FB, FC and global data blocks against unauthorized access by using a password.

Take the following features into account with know-how protection:
• You cannot manually protect instance data blocks; they are dependent on the know-how protection of the associated FB. This means that when you generate an instance data block for a know-how-protected FB, the instance data block likewise receives know-how protection. This happens regardless of whether you explicitly create the instance data block or whether it was generated by a block call.
• With global data blocks, you cannot edit the start values and comments, but this is possible with instance data blocks.
• ARRAY data blocks cannot be provided with know-how protection.
• Storage space requirements may be higher with know-how-protected blocks.
• During a comparison between the offline and online version of know-how-protected blocks, only the non-protected data are compared.
• Further access to the block is not possible without a password.
• When you add a know-how-protected block to a library, the resulting master copy also receives know-how protection.

Restrictions

With a know-how-protected block, only the following data are readable without a password:
• Call parameters: Input, Output, InOut, Return, Static
• Block title
• Block comment
• Block properties
• Tags of global data blocks, minus information about the location of use

The following actions can be carried out with a know-how-protected block:
• Copying and deleting
• Calling in a program
• Offline/online comparison
• Downloading

References
You can find more information at the following link: \7\ in chapter 4.3, specifically regarding:
• Setting up know-how protection for blocks
• Opening blocks protected by know-how protection
• Removing know-how protection from blocks

2.3.2 Copy protection

Copy protection links a program or blocks with a specific SIMATIC Memory Card or CPU. By linking the serial number of a SIMATIC Memory Card or CPU, use of the program or block in question is only possible in connection with this specific SIMATIC Memory Card or CPU.

If a block with copy protection is downloaded to a device whose serial number does not match the defined serial number, the download process will be rejected. However, this does not mean that blocks without copy protection cannot be downloaded.

Copy protection is set up and the associated serial number is entered via the block properties.

Applications
• If the program is bound to the serial number of the CPU, use of TIA Portal to adjust the serial number is mandatory upon hardware replacement in the event of a fault.
• If the serial number is linked to the memory card, the hardware can be replaced and the memory card taken from the old CPU. Because the program is stored on the memory card, it is still possible to ensure that the program only runs on one CPU.

Note
When setting up copy protection for a block, it is important that this block also receives block protection. Without know-how protection, anyone could reset the copy protection.
Copy protection must be set up prior to block protection.
The copy protection settings are write-protected when the block has know-how protection.

There are two options for adding the serial number:
• Manual entry of serial number: The serial number must be known during the engineering phase.
• Automatic assignment during download: The serial number does not need to be known for engineering. During download to a new CPU, the password defined for copy protection is requested.

2.3.3 Write protection

Set up write protection for blocks of type OB, FB or FC to prevent inadvertent modifications. Blocks with write protection can only be opened in read-only mode. However, you can still edit the block properties. There are no restrictions on diagnostics.

Note
Note that write protection is not the same as know-how protection. When a block is write-protected, you cannot set up know-how protection on top of this. Remove the block's write protection if you want to give it know-how protection.

2.4 CPU integrity protection

Integrity refers to the protection of data against unauthorized modification or deletion. In the context of CPU security, this entails the following:
• Protection of confidential CPU configuration data
• Protection of the CPU firmware signature

2.4.1 Protection of confidential PLC configuration data

Trouble-free functioning of certificate-based communication mechanisms for secure communication (see chapter 2.1) requires that the private keys employed by these certificates are protected as much as possible.

As of TIA Portal V17, you can set up a user-defined password to protect these keys and other sensitive data.

Password for protecting confidential CPU configuration data

To protect the confidential configuration data of the CPU, for example certificates and private keys, enter the password in TIA Portal. The
following Figure is a simplified representation of how confidential CPU configuration data (for example of a standard S7-1500 CPU) can be protected.

Figure 2-5 Secure memory concept

The project and key information are stored in different memory ranges during the initial download:
1. The project is stored in the load memory (SIMATIC Memory Card).
2. The key information is stored in a memory range in the CPU. This key is used to read the confidential configuration data on the SIMATIC Memory Card.

For target systems such as S7-1200 CPUs and software controllers with other storage concepts, the implementation is adapted to fit the relevant storage concept. The principle remains the same, however.

Two memory ranges for additional security

The project and the keys belong together like two interlocking puzzle pieces. The project is linked with the downloaded key information; the downloaded key information is in turn linked with the password that was assigned during configuration. The project and key information must match, otherwise the CPU will not start.

The principle of two separate memory ranges also applies for S7-1200 CPUs and S7-1500 CPU versions without a SIMATIC Memory Card, for example software controllers, PLCSIM or PLCSIM Advanced. In the versions without a SIMATIC Memory Card, two separate partitions are used so that the two information elements can be managed independently of one another.

Figure 2-6 Secure memory ranges

References
Further information on setting up protection of confidential PLC configuration data, as well as things to note when replacing the CPU, can be found at the following application example link:
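The "two interlocking puzzle pieces" principle of Figure 2-5 and Figure 2-6 can be made concrete with a small cryptographic model. The following is an added example (not Siemens code, and not the scheme the CPU actually implements): the memory card holds the project with its confidential part encrypted and authenticated, the CPU holds only key information derived from the configured password, and the start-up check succeeds only when the two match. The key derivation (PBKDF2-HMAC-SHA256), the HMAC-based counter-mode keystream used in place of a block cipher, the dictionary layouts and the function names `initial_download`, `cpu_startup` and `rederive_key_info` are all this example's own assumptions. It goes slightly beyond the text in also showing the CPU-replacement case: a new CPU with no key information stops, while one given the correct password re-derives matching key information.

```python
"""Illustration of the two-memory-range principle from Figure 2-5 (added example,
not Siemens code). Card = project + sealed confidential data; CPU = key information.
Assumptions: KDF, keystream construction and data layout are this example's own."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # kept modest so the demo runs quickly


def derive_keys(password, salt):
    """Derive separate encryption and authentication keys from the project password."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, 32)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stands in for AES here)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(keys, project_id, confidential):
    """Encrypt-then-MAC the confidential data and bind it to the project id."""
    enc_key, mac_key = keys
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(confidential, _keystream(enc_key, nonce, len(confidential))))
    tag = hmac.new(mac_key, project_id + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ct, "tag": tag}


def open_sealed(keys, project_id, sealed):
    """Return the confidential data, or None if the tag does not verify."""
    enc_key, mac_key = keys
    expected = hmac.new(mac_key, project_id + sealed["nonce"] + sealed["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    ks = _keystream(enc_key, sealed["nonce"], len(sealed["ciphertext"]))
    return bytes(a ^ b for a, b in zip(sealed["ciphertext"], ks))


def initial_download(password, project_id, plain_config, confidential):
    """Engineering-side initial download: returns (memory card contents, CPU key info).

    The password itself is stored nowhere; the card keeps the salt so that a
    replacement CPU can re-derive the key information when the password is entered."""
    salt = os.urandom(16)
    keys = derive_keys(password, salt)
    card = {"project_id": project_id, "salt": salt, "config": plain_config,
            "confidential": seal(keys, project_id, confidential)}
    cpu_key_info = {"keys": keys}
    return card, cpu_key_info


def rederive_key_info(password, card):
    """CPU replacement: the password is entered again and key information rebuilt."""
    return {"keys": derive_keys(password, card["salt"])}


def cpu_startup(card, cpu_key_info):
    """Boot check: the CPU starts only if its key information opens the card's data."""
    if cpu_key_info is None:
        return "STOP: no key information in CPU"
    secret = open_sealed(cpu_key_info["keys"], card["project_id"], card["confidential"])
    if secret is None:
        return "STOP: project and key information do not match"
    return "RUN"


if __name__ == "__main__":
    # Constructed sample project: the confidential part stands in for a private key.
    card, key_info = initial_download("example-password", b"plant-A", b"hw+blocks", b"PRIVATE KEY")
    print(cpu_startup(card, key_info))                           # RUN
    print(cpu_startup(card, None))                               # STOP: no key information in CPU
    print(cpu_startup(card, rederive_key_info("example-password", card)))  # RUN
    print(cpu_startup(card, rederive_key_info("wrong", card)))   # STOP: ... do not match
```

Because the tag also covers the project id and the ciphertext, a card whose sealed data was modified or swapped in from another project fails the same check as a CPU holding key information for a different password; neither piece is useful on its own, which is the point of keeping the two in separate memory ranges.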