White Paper
Safe Foundations
Security begins at the start of the machine or plant engineering process. It concerns the following elements:
Controls and Development Environment
When plant engineers integrate control systems in their machines, the producers of the control system
provide them with a development environment in the form of a dedicated software component. Each
engineer on the project will have a personal development environment. It is in the interest of the
producers of the control systems that these engineers will have the right licenses for their part of the
development process. As the finished machine can include several controls, the package offered can thus
include multiple development environments and control systems.
Hardware, RunTime Environments, and Operating Systems
A control system is basically a combination of hardware and a runtime environment, often using real-time
operating systems like VxWorks, Windows Embedded, or Embedded Linux to operate, although there are
runtime environments that can operate without an operating system around them.
The runtime environment is again a software component offered by the control system producer. It
includes unique know-how and thus is an essential building block of the producer’s business model that
deserves to be protected.
IEC 61131 Programming Language and Applications
The maker of the machine uses the development environment provided by the control-system producer
to script the desired application in an IEC 61131 programming language. The application tells the control
system how the machine is to fulfill its intended purpose. The unique know-how of the machine engineer
consists in this interaction between the machine and its controls. How sensors, motors, and axes work
together determines how fast and precise the machine operates. Its capabilities are the USP of the
machine engineer, and the end product of substantial investments into research and development. The
assets invested in R&D for this purpose are intended to preserve the engineer’s competitive advantage,
an exceptionally valuable and sensitive asset.
Step-by-Step Protection with CodeMeter
Operating systems, runtime environments, development environments, and applications form a secure chain.
Protected Applications in the Environment Development with the AxProtector Technology
First, the integrated development environment uses the AxProtector technology to encrypt the application
before its transfer to the runtime environment. This step can be visualized with a container, in which the
development environment locks the application, sealing it with a ‘signature’.
Protected Applications in the Runtime Environment
The runtime environment in the control system recognizes that it has received the application in a closed
container. It knows where to find the right key for that container and how to unlock it. Before it unlocks
the container, it checks the signature (the seal). If the signature is valid, it opens the container and
retrieves the application. This seal offers additional protection against sabotage. Unauthorized containers
with malware are not opened. This protected route prevents hackers from tapping the transmission. The
application thus moves from the development environment to the runtime environment in the most
secure way possible.
Development
environment
Device
CoDeSys + CodeMeter
protected
AxProtector
IxProtector
Implemented
1
2
4
5
7
8
9
0
ESC
3
Without protection
CoDeSys + CodeMeter
protected
6
Boot application
MENU
Device
Development
environment
POS1
AxProtector
IxProtector
Implemented
Boot application
1
2
4
5
7
8
9
0
ESC
MENU
3
6
POS1
The integrated
protection via
AxProtector ensures
that the control
runs only with
dongle license and
verified software
With protection
5