Secure communication

Communication protection concerns the reliability and trust of data exchanged between communication partners. Data tampering by unauthorized users must be prevented. Regardless of context, secure communication is based on the concept of public key infrastructure (PKI).

2.1.1 Overview

Public key infrastructure (PKI)

The attribute "secure" is used to describe communication mechanisms that rely on public key infrastructure (PKI). Public key infrastructure (PKI) refers to a system that can issue, distribute and verify digital certificates. Issued digital certificates are used within the PKI to secure computer-based communication by signing and encrypting messages on the network.

Components that you have configured in STEP 7 (TIA Portal) for secure communication use an asymmetric key method with a public key and a private key. TLS (Transport Layer Security) is employed as the encryption protocol. TLS is the successor to the SSL (Secure Sockets Layer) protocol.

The essential principle of secure communication includes the following components:
• An asymmetric encryption protocol
  This protocol enables the following:
  – Encryption or decryption of messages using public or private keys
  – Verification of signatures on messages and certificates
  The messages/certificates are signed by the sender/certificate owner with that entity's private key.
  The recipient/verifier checks the signature with the public key of the sender/certificate owner.
• Transport and storage of public keys by means of X.509 certificates:
  – X.509 certificates are digitally signed data that make it possible to verify the veracity of public keys with respect to the associated identity.
  – X.509 certificates can contain more precise information about or restrictions on the use of public keys, for example, the date from which or until which a public key in a certificate is valid.
  – X.509 certificates contain information about the certificate issuer in secure form.

TIA Portal V17 lets you use custom, user-specific certificates for communication partners, giving the system additional security. If one device is compromised, the other devices remain secure because they use other certificates. The certificates can be imported or, in TIA Portal, generated with the certificate manager. More information on the use of certificates in TIA Portal can be found at the following link: \3\ in chapter 4.3.

2 Security mechanisms on the S7 CPU | Security | Article ID: 90885010, V3.0, 11/2022 | 12 | © Siemens AG 2022 All rights reserved

Objectives for secure communication

Secure communication is employed to achieve the following goals:
– Confidentiality, i.e. data are secret or non-readable to unauthorized eavesdroppers.
– Integrity, i.e. the message received by the recipient is the same unmodified message that was sent by the sender. The message was not modified along its transport path.
– Endpoint authentication, i.e. the communication partner as endpoint is exactly who it claims to be and is the intended destination. The identity of the communication partner is verified.

While these objectives were in the past primarily a concern for the IT world and networked computers, today machines and controllers with valuable data in the industrial environment are, because they are networked, subject to the very same dangers.
They therefore pose stringent requirements for secure data exchange.

It is common practice to protect the automation cell with the cell security concept by using a firewall or a VPN connection, e.g. with the security module. However, there is an increasing need to transmit data to external computers in encrypted form via an intranet or public networks.

Secure communication with STEP 7

As of V14, STEP 7 provides the PKI required for the configuration and operation of secure communication. This document describes the following communication mechanisms in greater detail:
• Secure PG/HMI communication
• Secure Open User Communication (OUC)
• Secure OPC UA communication

All of the methods listed above use the TLS (Transport Layer Security) protocol to safeguard the data in communication.

2.1.2 Secure PG/HMI communication

Overview

As of version V17, central components of TIA Portal, STEP 7 and WinCC work together with the latest controllers and HMI devices to implement innovative and standardized (secure) PG/PC communication and HMI communication, referred to as PG [programming device] / HMI communication for short.

Components

We refer in particular to the following CPU families:
• S7-1500 controller family with firmware version V2.9 or later
• S7-1200 controller family with firmware version V4.5 or later
• Software controller with firmware version V21.9 or later
• SIMATIC Drive Controller with firmware version V2.9 or later
• PLCSim and PLCSim Advanced version V4.0

In addition, HMI components have been updated to provide support for secure PG/HMI communication:
• Panels or PCs configured with WinCC Basic, Comfort and Advanced
• PCs with WinCC RT Professional
• WinCC Unified PCs and Comfort Panels

SINAMICS RT SW version V6.1 onward and STARTDRIVE version V17 onward have also been updated.

Properties of PG/HMI communication

The main feature of PG/HMI communication is its simplicity:
Establishing an online connection from a programming device (with TIA Portal installed) to a CPU (for example to download a program) requires minimal effort. Here, the online connection also meets criteria such as confidentiality and integrity on the basis of an established SIMATIC communication standard.

In the process of integrating machines and plants into an open IT environment, however, it is also necessary to set up switches for communication between the programming device / HMI device and the CPU. Communication must not only be secure with respect to the integrity and confidentiality of sensitive data; communication security also needs to measure up to widely accepted security standards and thereby meet the requirements for the future.

As of TIA Portal version V17, PG/HMI communication has been upgraded: the TLS protocol (Transport Layer Security) is available to secure PG/HMI communication by means of standardized security mechanisms.

Process

Secure PG/HMI communication relies on the programming device and HMI panel verifying the authenticity of the CPU by means of the communication certificate (sent by the CPU when the connection is established) and recognizing the CPU as "trustworthy". Secure PG/HMI communication is only possible when the PG/HMI panel trusts the CPU. When the connection is being established, the CPU transmits the communication certificate to the communication partner (programming device or HMI panel). To ensure that communication between the CPU and a programming device / HMI panel is secure, the CPU must possess a certificate. However, this certificate is only issued once the project is downloaded to the CPU. Secure communication between the programming device / HMI panel and CPU is described below.

Initial connection setup to the CPU – Preparation phase

The figure below explains the initial connection setup sequence from a programming device or HMI panel to the CPU.
This is known as the "preparation phase".

Figure 2-2 TLS connection setup (diagram labels: 1. Connection request; CPU: generation of a self-signed certificate, sent as response to the connection request; manual confirmation that the self-signed certificate is trustworthy, because no automatic authenticity check is possible; project data: implicitly configured CPU certificate for PG/PC and HMI communication is loaded; PLC is not configured)

Even the initial connection setup for downloading to the CPU is secured with the TLS protocol in the model of secure PG/HMI communication. However, for this connection setup step, the CPU uses its manufacturer device certificate (if present) or a self-signed certificate. Use of the CPU is restricted in this phase. In this phase, the CPU waits for the provision of password-based key information. In simple terms: it is waiting for the password for sensitive PLC configuration data. See chapter 2.4.1. This phase is referred to below as the "preparation phase". The CPU indicates that it is in the preparation phase through a corresponding message in the diagnostic buffer.

Downloading a project to the CPU provides the CPU with the project data:
– Hardware configuration, including configured certificates for secure communication (OPC UA, HTTPS, secure OUC, secure PG/HMI communication)
– User program

Exiting the preparation phase

The password for confidential PLC configuration data and/or the key information generated from the password are not saved in the project by TIA Portal. Therefore, the password will be requested in a series of dialogs during the initial download (or when a new project is downloaded), then transferred to the CPU. Only through this step is the CPU able to use the protected PLC configuration data.
This concludes the preparation phase and the CPU can go into RUN.

Note
If you do not protect confidential PLC configuration data with a password, the password will not need to be entered during the initial download. While this does not affect the PG/HMI communication sequence, you must bear in mind that confidential PLC configuration data (e.g. private keys) then have virtually no protection against unauthorized access. See chapter 2.4.1.

PG/HMI communication startup

When the CPU is loaded and it has received the CPU certificate for secure PG/HMI communication, the programming device will reconnect – this time on the basis of the downloaded CPU certificate.

2.1.3 Secure Open User Communication (OUC)

TCP/IP-based Open User Communication (OUC) has become the standard for communication with SIMATIC S7 CPUs. In the S7 CPU, OUC is implemented on the basis of instructions (e.g. TCON, TSEND, TRCV and TDISCON). To establish secure TCP communication with the S7 CPU, the data block with system data type TCON_IP_V4_SEC must be used.

S7-1500 CPUs with firmware version V2 or later support secure communication with addressing via a domain name server (DNS). To set up secure TCP communication with a domain name, you must create your own data block with the system data type TCON_QDN_SEC, assign its parameters and pass the data block directly at the instruction. The TCON instruction supports the TCON_QDN_SEC and TCON_IP_V4_SEC system data types. As of firmware version V2.5, the TSEND_C and TRCV_C instructions also support the system data types TCON_QDN_SEC and TCON_IP_V4_SEC.

Additional information on the structure of secure OUC and on the S7 CPU can be found at the following link: \4\ in chapter 4.3.

2.1.4 Secure OPC UA communication

OPC UA allows data exchange between different systems, both within the process and production level as well as with systems on the control and enterprise levels. This option also contains security risks.
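As an added worked example for the secure OUC configuration of section 2.1.3 above (this is not code from the Siemens document), the following SCL source declares a connection data block of type TCON_QDN_SEC for a CPU acting as TLS client and passes it to TCON. The remote name, port, interface ID and certificate IDs are placeholders; the certificate IDs must match those assigned in the TIA Portal certificate manager, and the meaning of the ExtTLSCapabilities bit should be confirmed against the TCON help for the target firmware.

```scl
// Added example: secure OUC client connection via domain name (TCON_QDN_SEC).
// Values marked PLACEHOLDER are constructed for illustration only.
DATA_BLOCK "SecureOucConn"
{ S7_Optimized_Access := 'TRUE' }
VERSION : 0.1
NON_RETAIN
   VAR
      Conn : TCON_QDN_SEC;   // secure variant of the TCON_QDN connection description
   END_VAR
BEGIN
   // Plain connection parameters (nested TCON_QDN structure)
   Conn.ConnPara.InterfaceId := 64;          // PLACEHOLDER: HW identifier of the PROFINET interface
   Conn.ConnPara.ID := 1;                    // connection ID, unique per CPU
   Conn.ConnPara.ConnectionType := 16#0B;    // TCP
   Conn.ConnPara.ActiveEstablished := TRUE;  // CPU opens the connection, i.e. acts as TLS client
   Conn.ConnPara.RemoteQDN := 'gateway.example.internal';  // PLACEHOLDER FQDN, resolved via the configured DNS server
   Conn.ConnPara.RemotePort := 8443;         // PLACEHOLDER TLS port of the partner
   Conn.ConnPara.LocalPort := 0;             // 0 = any local port for an actively established connection
   // TLS parameters: these are what make the connection "secure"
   Conn.ActivateSecureConn := TRUE;          // FALSE would fall back to plain, unencrypted TCP
   Conn.TLSServerReqClientCert := FALSE;     // only evaluated when the CPU itself is the TLS server
   Conn.ExtTLSCapabilities := 16#0001;       // bit 0: client checks the subjectAltName of the server certificate (see TCON help)
   Conn.TLSServerCertRef := 2;               // PLACEHOLDER: ID of the CA/partner certificate used to validate the server
   Conn.TLSClientCertRef := 0;               // 0 = no client certificate; set the CPU's own certificate ID if the partner requires one
END_DATA_BLOCK

FUNCTION_BLOCK "SecureOucClient"
{ S7_Optimized_Access := 'TRUE' }
VERSION : 0.1
   VAR_INPUT
      Connect : Bool;          // TRUE requests connection establishment
   END_VAR
   VAR_OUTPUT
      Done : Bool;             // connection established (pulse from TCON)
      Error : Bool;
      Status : Word;           // TCON status; certificate/TLS problems are reported here
      InsecureConfig : Bool;   // TLS switch in the connection DB has been cleared
   END_VAR
   VAR
      tconInst : TCON;         // multi-instance of the TCON instruction
   END_VAR
BEGIN
   // Defensive check: never hand TCON a parameter block whose TLS switch is off,
   // so an edited DB cannot silently open an unencrypted connection.
   #InsecureConfig := NOT "SecureOucConn".Conn.ActivateSecureConn;
   IF #InsecureConfig THEN
      #Error := TRUE;
      RETURN;
   END_IF;
   #tconInst(REQ := #Connect,
             ID := "SecureOucConn".Conn.ConnPara.ID,
             CONNECT := "SecureOucConn".Conn,
             DONE => #Done,
             ERROR => #Error,
             STATUS => #Status);
END_FUNCTION_BLOCK
```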
For this reason, OPC UA offers a range of security mechanisms:
• Identity verification of OPC UA server and OPC UA clients,
• User identity verification, and
• Signed/encrypted data exchange between OPC UA server and OPC UA clients.

The security settings should only be circumvented when there is good reason to do so:
• During commissioning, or
• With island projects without an Ethernet connection to the outside world.

A secure connection between the OPC UA server and an OPC UA client is only established when the server can identify itself to the client. This is the purpose of the server certificate. Link \5\ in chapter 4.3 provides more information on working with the OPC UA server/client certificate in TIA Portal.

Automated certificate management with Global Discovery Server (GDS)

As of firmware V2.9, the OPC UA server of the S7-1500 CPU supports certificate management services which can be used by a Global Discovery Server (GDS), for example. Using GDS push management functions, OPC UA certificates, trusted lists and Certificate Revocation Lists (CRLs) can be updated for the OPC UA server of the S7-1500 CPU on an automated basis. Automation of certificate management saves the manual effort of giving the CPU a new configuration, for instance, after a certificate's validity period expires and the CPU is redownloaded. In addition, you can use the GDS push management functions to transfer updated certificates and lists in the CPU's STOP and RUN states. More information on OPC UA certificate management with GDS can be found at link \6\ in chapter 4.3.

2.2 Access protection

Access to the CPU should only be granted to authorized persons, processes and devices. This entails an on-site access restriction and system access to the CPU.

2.2.1 On-site access restriction (S7-1500)

CPU lock

The SIMATIC S7-1500 has a hinged front cover with a display and control keys.
It must be opened in order to insert or remove the SIMATIC Memory Card, or to manually change the CPU operating state. To protect the CPU against unauthorized access, this front cover can be adequately secured with the locking tab. Your options include:
• Securing the front cover with a padlock, or
• Attaching a seal

Figure 2-3 CPU lock

Display lock

The SIMATIC S7-1500 additionally offers a password authentication function on the display. It is possible to configure a CPU access password for each access level. If access is disabled, the user receives a message in TIA Portal that the password is currently invalid. This on-site deactivation can, for example, offer additional protection against undesired, invalid configurations. The legitimation setting for the password is only active when the CPU is in RUN mode. If the CPU is in STOP mode, access with the passwords remains possible.

To protect the CPU functions that can be operated from the display, a display password can be defined in TIA Portal. This is accomplished in the CPU properties under "Display > Password". Due to the restricted character set and the difficulty of entering characters with the display keys, the password in this case is limited to uppercase letters and numbers.

Note
If the CPU is in STOP mode, access with the appropriate password is possible regardless of the setting on the display.

Figure 2-4 Display lock

2.2.2 Project access protection

TIA Portal provides a user management function (UMAC – User Management and Access Control) for projects. It allows you to create and manage users and roles in your project. You can also protect your project and define which user is allowed to perform which functions. When you set up project protection, you are created as the project administrator. Then you can create additional users and assign them roles with certain rights.
After project protection is enabled, the project can only be opened and modified by authorized users.

Note
Project protection cannot be removed once set up.

The project administrator can add the following users and user groups to a project:
• Local project users:
  Local project users are users who are defined and managed in a TIA Portal project. These user accounts are valid only for this one project. Using project user accounts is a good idea when the entire automation solution is created within one project.
  The system additionally creates the local project user "Anonymous". This user does not need to authenticate itself with a password. You can use roles to grant this user certain rights. Note that your project's security will be greatly diminished if you assign this user too many rights. The anonymous user "Anonymous" is disabled by default. It cannot be deleted.
• Global users and user groups:
  These user accounts are defined and managed outside of TIA Portal in UMC (User Management Component). You can import global users and user groups into the various TIA Portal projects that these users will be working on. Adding users and user groups from UMC requires the corresponding rights in UMC. Global users can also use the single sign-on method to authenticate themselves.

UMC – User Management Component

Additionally, you can install the "User Management Component UMC" software package on one or more computers. It provides central user management. This creates a system of interconnected UMC installations (UMC ring server, UMC server). In this UMC system, you can define users and user groups, or import them from a Windows Active Directory. When UMC is installed, you can access the UMC server from TIA Portal in order to add users and user groups (defined on the UMC server) to the TIA Portal user management.
In this way you can also assign users and user groups the necessary function rights to a TIA Portal project via roles. Within TIA Portal, however, you cannot modify the data of the users and user groups that were added from UMC. As a result, for example, you cannot change passwords or other data of UMC users or UMC user groups even if you are an administrator in the project. This is only possible in UMC. You nevertheless have the option of synchronizing the user management in TIA Portal with UMC, and you can check the synchronization status. This allows you to fix inconsistencies between the global users and user groups in UMC and the UMC users/user groups that have already been imported into TIA Portal.