Secure software update and boot mechanisms (cybersecurity)

Hello community,

We’re asked by our cybersecurity team how (application) software updates can be securely installed on the PLC we use (in our case a Power Panel C50).

I have seen that signatures are used by B&R for installing the TerminalOS of the C50. Is there a possibility to sign the update package of our application software as well? We’re using the install method via USB, where I generate the install package in AS. I could not find any information in the AS help.

The second question was, if there are any control mechanisms implemented when starting the application on startup. Is the bootloader performing any checks of a valid and unmanipulated application?

Thanks and BR,
Eugen

Hello
:question:
Is there a possibility to sign the update package of our application software as well?
Let’s see…

B&R Online Help (br-automation.com)

:star:Option 1: update software via USB flash drive.
It is quite similar to the previous version; the point is that the upgrade is performed at start-up of the application and not on request of the application.
In this method (the one that you are using) there is no option for certificates.

There are only basic limitations on the USB

And no limitations regarding cybersecurity

B&R Online Help (br-automation.com)

:star:Option 2: Installing a project installation package from the network
You can use the option to have an FTP service.
This will require an SSL connection, and that connection requires certificates.

This means that the PLC will place a “non-signed project” in a folder, and it is mandatory to access it there to get it “signed”.

:star:Option 3: update software via application and library ArProject
B&R Online Help (br-automation.com)
You can have a package prepared in the USB memory and update it via the application.
There are options to check the Configuration ID and Configuration version.

There is no way to use certificates linked to the package itself.

:question:
The second question was, if there are any control mechanisms implemented when starting the application on startup. Is the bootloader performing any checks of a valid and unmanipulated application?

The answer is no. The limited verifications are described in “point 3” :arrow_up:

Ideas to increase cybersecurity:
1. Disable the USB installation by default
2. Use the installation via FTP over the network + SSL.

Hi Marcos,

Thank you for the detailed answers. I will check your proposed options.

BR,
Eugen

Hi @eugen.c, what is the status of your topic? Is it solved? Can you share a summary with us?

Hi @kovarj, it is still ongoing and no fully acceptable software update solution has been found yet.

Because the machine will be operating in an environment without a network connection (not even a local network), the only acceptable solution, option 2 (using FTPS), is not possible.

So we have to stick to the local update via USB. Here we decided to disable the automatic USB update on power-on for security reasons. Instead we now use the service MpBackup (B&R Online Help (br-automation.com)), where we can manually trigger an update in a dedicated system menu. “More” security is ensured here by:

  • the update can only be triggered after user authentication (the update button is made visible for certain user roles)
  • the update files on the USB stick have to be placed in a folder and named according to a defined name (otherwise the update fails)

That’s a little more security but still not fully to our satisfaction. An attacker can still gain access to the machine and the required folder name to manipulate the machine, even if it’s now less probable. Since the machine is a medical device, the requirements from the FDA are clear on this point: the application in memory as well as new software updates must be cryptographically protected or signed.
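One way to close the gap described above, as an added example that is not part of this thread and not a B&R feature: a keyed manifest over the update folder that the service menu checks before the MpBackup update is triggered, so a renamed or modified file on the stick is rejected rather than just the wrong folder name. The key, the folder name `C50_UPDATE` and the file names are constructed placeholders; for the FDA requirement a public-key signature (private key only on the engineering side) would be the stronger choice, the check structure stays the same.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key, assumed to be provisioned on the PLC out of band (not a B&R feature).
VERIFY_KEY = bytes.fromhex("5f3a9c0d1e2b4a6f8c7d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b")
UPDATE_FOLDER = "C50_UPDATE"  # constructed stand-in for the mandatory folder name
def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(folder, key):
    # Engineering side: hash every file, then tag the whole list with the key.
    files = {n: file_digest(os.path.join(folder, n)) for n in sorted(os.listdir(folder))}
    body = json.dumps({"folder": os.path.basename(folder), "files": files}, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), "sha256").hexdigest()}
def verify_update(folder, manifest, key):
    """PLC side, run before the update is applied. Returns (ok, reason)."""
    expected = hmac.new(key, manifest["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "manifest tag mismatch"  # manifest altered or not made with the key
    listed = json.loads(manifest["body"])
    if listed["folder"] != UPDATE_FOLDER or os.path.basename(folder) != UPDATE_FOLDER:
        return False, "wrong update folder"
    if set(os.listdir(folder)) != set(listed["files"]):  # missing or injected files
        return False, "file set differs from manifest"
    for name, digest in listed["files"].items():
        if not hmac.compare_digest(file_digest(os.path.join(folder, name)), digest):
            return False, "digest mismatch: " + name
    return True, "ok"

def run_demo():
    # Constructed USB content; returns the verdicts for a clean, a tampered and a forged set.
    with tempfile.TemporaryDirectory() as root:
        folder = os.path.join(root, UPDATE_FOLDER)
        os.mkdir(folder)
        for name, data in (("update.bin", b"application image"), ("config.txt", b"cfg")):
            with open(os.path.join(folder, name), "wb") as f: f.write(data)
        manifest = build_manifest(folder, VERIFY_KEY)
        clean = verify_update(folder, manifest, VERIFY_KEY)
        with open(os.path.join(folder, "update.bin"), "ab") as f: f.write(b"!")  # modified after sign-off
        tampered = verify_update(folder, manifest, VERIFY_KEY)
        forged = {"body": manifest["body"].replace("config.txt", "config.tx_"), "tag": manifest["tag"]}
        return {"clean": clean, "tampered": tampered, "forged": verify_update(folder, forged, VERIFY_KEY)}
```

`run_demo()` returns `{"clean": (True, "ok"), "tampered": (False, "digest mismatch: update.bin"), "forged": (False, "manifest tag mismatch")}`; the manifest file itself would travel on the stick next to the update files.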

Thanks for the feedback and the description of your solution. Even if you are not fully satisfied, I believe it can be an inspiration for others. So I marked your explanation as a solution. You can extend this topic any time in the future.
