Siemens S7 IP Concerns

rvdbijl

Hi,

My company is considering moving to a Siemens S7 based controller for our equipment. We export our equipment primarily to China and are concerned about IP Protection (copy protection and reverse engineering protection). We also need to be able to hide internal data structures that may be used to reverse-engineer our processes.

I'm aware of two steps of protection that the S7 (300 series?) offers. The password protection for the project as well as the Know-How protection for individual code blocks. I have found enough evidence in google searches that both these methods have been hacked. Is there anything that Siemens has that is NOT hackable? I.e. a little more involved than a password? Note that we need to be able to hide/protect ALL the code. Not just pieces of it.

Thanks,
Robbert
 
Robert
I'm told that Step 7 5.5 and the new 3.x CPUs have 128-bit encryption. This makes the "cracks" and can-opener programs obsolete.
I have 5.5 but I haven't played with the password stuff yet.

Jay
 
Jay,

Thanks for your quick reply. Encryption is a good thing. I just wonder where Siemens stores the decryption key. Obviously the PLC itself still has to execute the code....

Robbert
 
Hello,
I am afraid Siemens doesn't have any unhackable protection. I think the only way to protect our code is to obfuscate it as much as possible.
 
I have tried out the new "Block privacy" that came with STEP7 5.5.
It is fairly easy to implement, but you have to activate and deactivate the protection every time you need to edit the blocks, so you would only use it as the last thing before you ship the machine.
Note that it only works with firmware 3.2 and up.

I saw a presentation that described how the protection is stored on the CPU with a 128-bit key.
How unbreakable it really is, only time will tell.

NB: For sending machinery to China, you absolutely MUST have a strategy to protect your IP.
 
Is there any way to hide your IP? I think it is impossible to hide an IP address on a PLC.

And if you have the chance, one way to make your code non-understandable is to separate it as much as you can, though it is also a more expensive way. On one machine I was trying to gather PLC code from, the programmer who programmed it also wrote script code for the HMIs, and he/she also wrote most of the offline calculations (there were lots of them) on a computer in Visual Basic, so it ended up like a puzzle: 3 HMIs all with scripts in them, 2 PLCs and a PC with a VB program. But you should be very sure of your code before you go that way, because I think it will be a disaster to debug that machine.

This new password thing seemed very interesting to me also. Siemens is a very popular brand, so people have written so much code to crack passwords and such. I think there is no code that is unbreakable; it only needs patience, a lot :) so I think in future this new encryption technique will also be cracked.
 
Do you want to protect all your code, or just want to make sure specific parts cannot be copied?

If it's the latter, there might be a possibility.
Something not mentioned yet.
 
Hi Everyone,

Thanks for the great replies! Ideally we want to lock down the entire PLC so only the HMI can talk to it. We don't want the code or data blocks to be exposed in any way, shape or form. I realize that's not really feasible with the Siemens S7 system, but we want to get as close as possible.

Robbert
 
Break the comms port for programming.

On the proviso that the HMI doesn't use this. I know nothing of the hardware.
 
Perhaps if it is such a concern then B+R might be a better alternative. Without the source code you're screwed. Well, as far as I know...
 
New encryption works well...but time will tell. I would also suggest programming math calcs in SCL. Compile them and do not include source code. Security by obscurity to wrap another layer around the onion.

In the words of Winston Churchill - A riddle wrapped up in an enigma

Talk to your local Siemens guy...other options are available.
 
Step 1:

Create a Dummy FC.
Or you could be nasty and kick em in the nads when they attempt to look/change the code.

Step 2:

Wrap your code using the following template:

When you don't want them to see key parts of your logic
Code:
BLD 7

UC "Dummy"       // When being nice

... your code
... CC or UC of your FC's
BLD 8
When you want to kick em in the nads for tampering
Code:
BLD 7

A "Always ON"    // When being nasty, use this snippet
JC Run
UC SFC 46        // Stops the CPU when trying to tamper with the code
Run: NOP 0

... your code
... CC or UC of your FC's
BLD 8
The BLD 7 and BLD 8 are block identifiers used by the editor to show block calls.
This piece of code needs to be written in the source file and compiled.
Once compiled, both pieces of code will look like:

Code:
Call "Dummy"
Code:
Call SFC46
Effectively hiding your own code.

Other things you should know:
- Downloading these blocks is only possible using Simatic Manager, copy paste from offline to online folder.
- Opening the blocks in the LAD/STL/FBD editor and saving them will delete all the hidden code.
- Opening the blocks in the LAD/STL/FBD editor and downloading them using the editor, will result in downloading the blocks without the hidden code.


Drawbacks:

- Feature is only available within single networks. So depending on the size of your program, it might not be the solution for you.


Things I didn't test:

- FC calls with parameters.
- FB calls.


Hints I can give:

Obfuscate your code and use this little trick to make it impossible to follow.
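To show where the two-step template above sits inside a real program, here is a complete STL source file built around the "nasty" variant. It is an added example, not the original poster's code. The block numbers (FC 10 as the dummy, FC 20 as the protected block), the marker bit M 0.0 standing in for the "Always ON" symbol, and the small setpoint calculation are all assumptions made for this illustration; only the BLD 7 / JC / UC SFC 46 / BLD 8 skeleton comes from the post.

```stl
// Added example (not from the thread): complete STL source file that uses
// the BLD 7 / BLD 8 wrapper described above in a single network.
// Assumptions: FC 10 = dummy block, FC 20 = protected block,
// M 0.0 = marker bit held at 1 (replaces the poster's "Always ON" symbol),
// MW 10 / MW 12 = constructed setpoint and result words.

FUNCTION FC 10 : VOID
TITLE = Dummy placeholder
VERSION : 0.1
BEGIN
NETWORK
TITLE = Intentionally empty; this is what a reader sees in the editor
      NOP   0; 
END_FUNCTION

FUNCTION FC 20 : VOID
TITLE = Protected logic
VERSION : 0.1
BEGIN
NETWORK
TITLE = Guarded section (must stay inside one network)
      BLD   7;                  // start of the group the editor collapses
      A     M    0.0;           // RLO = 1 while the marker bit is set
      JC    Run;                // normal operation: jump over the stop
      UC    SFC  46;            // STP: halts the CPU if the guard is lost
Run:  NOP   0; 
      // --- the real logic lives here (constructed example) ---
      L     MW   10;            // load setpoint
      L     2;                  // constant factor
      *I    ;                   // ACCU1 = setpoint * 2
      T     MW   12;            // store result
      BLD   8;                  // end of the group
END_FUNCTION

ORGANIZATION_BLOCK OB 1
TITLE = Cyclic program
VERSION : 0.1
VAR_TEMP
  OB1_EV_CLASS   : BYTE ;       // standard 20-byte start info
  OB1_SCAN_1     : BYTE ;
  OB1_PRIORITY   : BYTE ;
  OB1_OB_NUMBR   : BYTE ;
  OB1_RESERVED_1 : BYTE ;
  OB1_RESERVED_2 : BYTE ;
  OB1_PREV_CYCLE : INT ;
  OB1_MIN_CYCLE  : INT ;
  OB1_MAX_CYCLE  : INT ;
  OB1_DATE_TIME  : DATE_AND_TIME ;
END_VAR
BEGIN
NETWORK
TITLE = Keep the guard flag set every cycle
      SET   ;                   // RLO = 1
      =     M    0.0;           // marker bit the guard in FC 20 tests
NETWORK
TITLE = Call the protected block
      UC    FC   20;
END_ORGANIZATION_BLOCK
```

Compile this from the source file and download the blocks with Simatic Manager as the post describes; opening FC 20 in the LAD/STL/FBD editor and saving it strips everything between BLD 7 and BLD 8 except the displayed call, which is exactly the behaviour the guard relies on. Keep the source file and any Block privacy password backed up, since the downloaded block alone cannot be recovered into editable logic.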
 
Wow. It is really working and impressive. You can make your code invisible with this. I think if you use this technique with the new block privacy then it is nearly impossible to solve.

But don't forget to back up your source file really well, and the password you encrypted it with, or you yourself may be ruined if a revision of the code is needed.
 
