Preventing Unauthorized Writing to a PLC Program

Hello,
I want to prevent anyone else from being able to write to my PLC program without my permission. Is there a way to do this?
Thank you.

Hi David,

There are two ways I interpret this question:

  1. Is there any way to prevent unauthorized edits to the source code?
  2. Can I prevent unauthorized changes to the programs actually running on a PLC?

For point 1, there are a couple of previous threads on the topic that I’ll link here:

In summary, the best practice in this case is to put the code you want to protect within a library. You can then export that library in binary format. Anyone who has this library will not have the human readable source code but only machine code. If you’re concerned about unauthorized changes, then I recommend using a version control system like GitHub. This allows you to track changes by user so you can always be sure of who last edited the source code you’re working with.

For point 2, there are some settings you can use. Keep in mind that B&R systems contain only compiled machine code. This means that no one can connect to the target and find your source code, so in order to transfer changes they’ll need your Automation Studio project. You can prevent unauthorized transfers by:

  • Not allowing USB installs or updates (set in the CPU Configuration). Keep in mind that if someone is physically able to access the target and put it into BOOT mode, they’ll still be able to use a USB stick to wipe the target and install a project.
  • Disabling SNMP in the Ethernet settings. This will require anyone connecting to the PLC via Ethernet to know the IP address rather than allowing them to browse for the target.
  • Requiring authentication (username and password) to establish an ANSL connection to the target from Automation Studio
  • Disabling ANSL communication altogether. This will prevent anyone from being able to connect to the PLC from Automation Studio. This should only be used in extreme cases because if you do this and you need to make a change, your only option will be a USB install.
1 Like

Hi, Marcus. Thank you for your reply.
I’m using port 11169 for port forwarding from outside to use the write function. However, I want to restrict access to the write function for external users using a password method. Can I solve this with an ANSL connection?
Thank you.

Hi,

you can setup user authentication (username + password) and/or cerificate based authentication (ANSL with SSL encryption) for the online protocol.
But in both cases, you can’t differentiate between read and write access. So by now, if a user is able to authenticate, he always have read and write access via the online protocol.

Best regards!

2 Likes