Fun lessons from WinCC OA. Encrypted communications with PLC Simatic S7-1200

Siemens, in version 17 of TIA Portal Step7 for FW ≥4.5 (S7-1200) and FW ≥2.9 (S7-1500), has embarked on a path of gentle enforcement to raise the level of information security. TIA Portal now softly offers to set a password for the CPU certificate store, a password for reading/writing the CPU program, a password for communication with the HMI and, of course, encrypted communication using a certificate. All of this can be disabled, but why disable what is offered out of the box? The events of this century have shown how important the information security of industrial automation systems is, and also what happens when systems are protected only “from an honest person” (yes, I am talking about Stuxnet). The main reason encryption is not used, it seems to me, is a lack of understanding of how it works, plus inertia of thinking (our grandfathers never heard of any TLS, and neither will we).

Within a single TIA Portal project it is still more or less clear, but what about connecting “non-portal” systems? Let’s consider such a connection using an S7-1500 with FW2.9 and WinCC OA 3.18 as an example. Since the main task is the configuration on the WinCC OA side, we will not use global security settings on the TIA Portal side and will manage with a “simple” project. By the way, here are the security settings that appear after the wizard runs when a CPU is added to the project.

This sets the PLC password to access sensitive data such as certificates.


And these are the levels of password-protected access to the PLC. They are divided into “no password needed”, “read-only data + communication with HMI”, “communication with HMI only” and “password for everything”. In this case the “password for everything” mode is selected and two passwords are set: the full-access password will be known only to the developer of the CPU software (and his boss, but those are organizational measures), and the password for communication with the panel or SCADA is passed confidentially to the developer of the WinCC OA project application.


This tab indicates that we work only through secure communication channels with the programming device, the SCADA and the panel; a certificate on the PLC side is selected. Note that the “allow PUT/GET” option is not available. Everything is correct: the letter “s” in the words “put/get” stands for security, or, to put it plainly, “this mechanism cannot be used at all with encrypted communication.”


And here we see the list of CPU certificates. I suggest immediately exporting the certificate from the Portal project to disk as a file. Let me remind you about organizational measures: this is a very important file, and you do not need to upload it to torrents with an exact indication of which site and which system it is used in.

It is mandatory to export the PLC data. To do this, the free SIMATIC SCADA Export option of the matching version must be installed in TIA Portal.


The PLC data export, as an Export.zip file, is saved on the desktop of my PC.

Well, now let’s move on to the upper level. We create a “legacy standard project” or a “standard project with basic security settings”; the project type does not affect the operation of the driver. Add S7plus driver number 2 to the console and start it.

S7plus driver added and started

Now copy the export file and the certificate file into the respective directories of the WinCC OA project.

Export.zip – to \data\TIAProjects


Certificate – in \data\s7plus\cert


Open the “System management” module and go to the “S7 drivers” item.


Click the Create button, set the connection name and proceed to its configuration.


We select TIA Project as the source of tag names and configuration, check the driver number (2) and click OK. In the next window, select the project name (Export, which we have already copied) and the name of the PLC within the project, PLC_1. The PLC node can be expanded and its tags viewed. Finally, click OK.


Check the PG/PC settings. My laptop reaches the controller’s network via its wireless interface and communicates in TCP/IP mode; that’s correct.


If we try to establish a connection right now in the connection window, nothing will work: we will see a message in the event log about the impossibility of connecting, because of TLS. So we don’t even try and continue with the settings … Although, no. Let’s try! And here it is: SEVERE, 88/s7plus, S7PlusConnection, async command type 1, get_request_error, _myS7enc, Response from PLC, when TLS must be used (TLS_only). (-6772897069067010568)


Obviously, it does not work because encryption is not configured. Go to the Advanced settings tab, tick the Use TLS checkbox and leave File as the certificate source; we have already copied the file into the required project folder.

Before and after: tick “Use TLS” and choose the certificate file.

Now it remains to specify the password. But which one? We have three of them. Obviously, the password for access to the PLC’s protected data is not what we need. That leaves the full-access password and the HMI password. We enter the HMI access password, and we are immediately offered to generate a key from WinCC OA.

Click “Create”.

This private key is created in the project’s config folder.

We establish a connection using the appropriate checkbox and look at the log.


In fact, nothing stops us from using the full-access password from WinCC OA. It will also work, because full access includes HMI access as well. If you mistyped or entered the wrong password, the log will be clogged with messages like this:

SEVERE, 54, Unexpected state, NotificationHandler, handle_notification, _myS7enc, Invalid value retrieved for subscription. Access denied = 1, Out of memory = 0, Status = 10

Access denied = 1, i.e. access is denied.
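The two driver messages quoted above (the TLS_only refusal and the “Access denied = 1” subscription error) are the ones you end up grepping for when a connection misbehaves. Here is a small added classifier for such WinCC OA log lines; it is not part of the original post or of WinCC OA, the sample log is constructed, and it assumes the connection name is the sixth comma-separated field of those messages.

```python
import re
from collections import Counter

# Patterns taken from the two S7plus driver messages quoted above.
TLS_REQUIRED = re.compile(r"TLS must be used|\(TLS_only\)")
SUBSCRIPTION = re.compile(r"Access denied = (\d+), Out of memory = (\d+), Status = (\d+)")

def connection_name(line: str) -> str:
    # Assumption: in these driver messages the connection name (e.g. _myS7enc)
    # is the sixth comma-separated field; other layouts get '?'.
    fields = [f.strip() for f in line.split(",")]
    return fields[5] if len(fields) > 5 else "?"

def diagnose(line: str):
    """Return (connection, problem, action) for a known S7plus failure, else None."""
    if not line.startswith("SEVERE"):
        return None
    conn = connection_name(line)
    if TLS_REQUIRED.search(line):
        return (conn, "PLC accepts TLS connections only",
                "tick 'Use TLS' in the advanced settings and select the certificate file copied to data/s7plus/cert")
    m = SUBSCRIPTION.search(line)
    if not m:
        return None
    denied, oom, status = (int(x) for x in m.groups())
    if denied:
        return (conn, "PLC rejected the password",
                "enter the HMI or full-access password; if the PLC has none, leave the field empty")
    return (conn, f"subscription failed (Out of memory = {oom}, Status = {status})",
            "check the PLC diagnostics buffer")

def summarize(log_text: str) -> Counter:
    """Count each diagnosis so a log clogged with repeats collapses to a few lines."""
    return Counter(d for d in map(diagnose, log_text.splitlines()) if d is not None)

# Constructed sample, modelled on the messages quoted in the post (not a real capture).
SAMPLE_LOG = """\
SEVERE, 88/s7plus, S7PlusConnection, async command type 1, get_request_error, _myS7enc, Response from PLC, when TLS must be used (TLS_only). (-6772897069067010568)
WARNING, 0, unrelated message, kept to show that only SEVERE driver lines are classified
SEVERE, 54, Unexpected state, NotificationHandler, handle_notification, _myS7enc, Invalid value retrieved for subscription. Access denied = 1, Out of memory = 0, Status = 10
SEVERE, 54, Unexpected state, NotificationHandler, handle_notification, _myS7enc, Invalid value retrieved for subscription. Access denied = 1, Out of memory = 0, Status = 10
"""

if __name__ == "__main__":
    for (conn, problem, action), n in summarize(SAMPLE_LOG).items():
        print(f"{conn}: {problem} x{n} -> {action}")
```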

In addition, the case of no password at all is possible, as in the example below.


We leave the password field empty, and everything works fine. Encryption of the communication is preserved, and no one will connect without the certificate file.


Next, make sure that there is an exchange at the tag level. To do this, launch the para module, create a data point of type ExampleDP_Bit and attach an address config to it.


Set the variable to read: I chose a standard tag from the Clock series (its value changes with a known frequency), select polling, create a polling group and make it active, and finally make the config itself active.

Then we make sure that the value of the variable changes.


I hope this simple guide helps many colleagues quickly find the answer to the question “Why can’t we connect to this controller, while we connect to the next one with exactly the same settings?”
