Security Considerations for Recipe Files
You have to protect components, networks and systems against unauthorized access and ensure the integrity of data.
Besides the general security rules which are defined and described in the help chapter "Security in PLCnext Engineer" of the online help of PLCnext Engineer, the recommendation given in this topic specifically applies to recipe files.
Secure access to SD cards
The recipe files are stored in the remanent (Flash) memory (e.g., SD card) of the higher-level standard controller. Therefore you must implement the secure access to SD cards.
Devices with SD cards require protection against unauthorized physical access. An SD card can be read with a conventional SD card reader at any time. If you do not protect the SD card against unauthorized physical access (such as by using a secure control cabinet), sensitive data is accessible to all.
- Ensure that unauthorized persons do not have access to the SD card.
- When destroying the SD card, ensure that the data cannot be retrieved.
Protection of recipe files on the hard disk and during transfer
Recipe files are plain data, i.e., it is unencrypted data on the harddisk of your computer. The data is therefore unprotected against tampering and theft.
Use a suitable encryption method:- to protect recipe files on your computer.
- to protect the transmission of recipe files, for example, by email.
- to authenticate the origin and authorship of transmitted recipe files with the recipient.
Suitable methods can be provided by encryption and signing tools according to the OpenPGP standard as defined by RFC 4880 (such as PGP, or GnuPG). For encrypting project data on your hard disk, for example, FDE (Full Disk Encryption) tools, such as BitLocker can be used. WinZip archives with password can help protect project data and recipe files.
Furthermore, you can use a version control system with a secured repository to protect your recipe files on hard disk/network drive.
Recommendation: Encryption on the entire data transmission path
- Encrypt data on each storage medium (local disks, your network, in the cloud, portable storage media).
- Only transfer encrypted projects parts or recipe files, for example, by email.
Suitable Tools (e.g., PGP) enable both the encryption as well as signing of emails: Encryption prevents the unauthorized reading of the mail content while the signature is used to verify the integrity and the authenticity of the mail. - Transferred data should remain encrypted on its entire way from the sender to the receiver. This includes that the sent data are stored encrypted at the target system as well after the transmission.