TIA Portal S7-1500 copy protection

Manglemender

All,

We are looking into the best ways to protect IP in PLC/SCADA code and the latest offerings included with TIA Portal seem much better than previous incarnations. Passwords, tying code to processor serial number, know-how protect etc.

Has anyone come across instances where this security has been compromised?

Nick
 
In the old days, I had heard of Siemens unlocking an S7-300 block under specific circumstances, or Siemens China doing it just for fun.

I have not heard of this happening with 1500s, and Siemens has repeatedly said that they can't (instead of just "won't" like before). Supposedly it is encrypted with the password you provide.

I've heard of some security researchers doing interesting things with a live PLC, but assumption #1 always seems to be that the device has no password. To be fair, I almost never see anything except a safety password, but if you are actually using it, I haven't heard of the HW passwords being defeated either.

I mean, obviously brute force methods always work given enough time, but I think that's assumed in the whole discussion.
 
@MK42

Thanks for the reply. Unlocking blocks in S7-300s certainly wasn't very challenging but S7-1500 seems better protected.

As you say, brute force is an option so it comes down to using a "strong" password which must then be stored somewhere as no-one will remember it and then the storage becomes the weak point.

Nick
 

I guess the other thing to note is that although the source is protected, the compiled version could be theoretically decompiled. Also, if your proprietary special sauce is just things like timing and temperature setpoints, those are typically easily observable outside the PLC.


As for the password storage... yeah. I know Siemens created a "Password Provider" API (it's mentioned in the help file), but then they proceeded to keep it proprietary instead of releasing it as part of Openness. WIBU is the only company who seems to have done anything with it so far; you might want to take a look at their solution if you want to abstract the passwords away. I've never tried it myself.

https://www.wibu.com/us/products/embedded-security-kits/siemens-tia-portal.html
 
