Integrity check for automation projects

Available from firmware release 2025.0 and PLCnext Engineer 2025.0

In addition to other measures of Industrial cyber security with PLCnext Technology, the integrity of the PLCnext Engineer project on the PLCnext Control device can be checked before loading. This way, tampering with the project data in transit or on the controller is detected. The check covers the unaltered origin and state of the binary data, i.e. the programs and sources of the PLCnext Engineer project, for both safety-related and standard projects. If you choose the strictest reaction to a suspected integrity breach, the binary data is not loaded into memory at all.

Note: This feature is different from the PLCnext Engineer feature described in the online help topic regarding the Project integrity check. That mechanism detects whether a PLCnext Engineer project has been altered on the host computer or any other file space by means other than PLCnext Engineer. It is independent of the integrity check for an automation project downloaded to the controller.

The integrity check described here works as follows:

Every time you change something in the automation project, the hash values and the signature change too, and are transferred to the controller together with the project data. Note: If you only change the settings for the integrity check, the signature also changes. A project change must then also take place so that the changed or added signature is noticed, and both project data and signature are renewed when writing to the controller.

On PLCnext Control devices with firmware release ≥2025.0 this feature is optional but enabled by default at the basic level. Checking the project integrity is based either on the hash value of the project package or on a digital signature derived from the data. This feature is managed on the controller via the Web-based Management 2 (WBM 2). Applying the signature (if chosen, see level of signature verification) is done by means of PLCnext Engineer ≥2025.0.

Note: As of now, the integrity check is integrated in PLCnext Engineer only for project downloads by means of the Write and start project feature. Other means to distribute an automation project or an application, such as downloading it to the controller from the PLCnext Store, via WBM 2 or via Device and Update Management (DaUM), will be implemented in PLCnext Engineer later. Manual handling is possible but not recommended.

Prerequisites

Before starting the setup procedure, decide how you want to proceed in these regards:

Which base for timestamps? 

Two timestamps can be relevant during the integrity check:

  • One timestamp is set during signing the automation project on the host computer; the time derives from the system time of the host computer.
  • Another timestamp is set when the signed project was seen by the Time Stamp Authority (TSA) server; the time derives from the system time of the TSA server.

Before implementing the integrity check feature with a Signing certificate, setting up a time server is recommended to make sure the time setting on the host computer is always accurate.

Tip: Both the TSA server and the NTP server can be installed on premise to avoid access via the Internet. Both server types are also available as external resources; e.g. DigiCert® provides a trusted RFC 3161 timestamp server under the URL http://timestamp.digicert.com and offers the TSA certificate chain for download.

Which level of signature verification? 

Basic level: only hash value verification (this is the default setting)
For verifying that the computed hash value of the project package file is still the same, no Signing certificate is necessary. See Checking project integrity for more details.

Advanced level: signature verification
The Signing certificate generated during the procedure must be present in the Trust Store named Code Signing on the PLCnext Control device. 

Highest level: signature verification with long-term signatures
The Signing certificate generated during the procedure must be present in the Trust Store named Code Signing on the PLCnext Control device, and in addition only signatures that contain a signed timestamp are accepted. 

For that, the Time Stamping Authority (TSA) calculates another hash value from the project signature and the TSA's current timestamp. This additional signature is added to the signed project, and the TSA's certificate must also be present in the Trust Store named Code Signing on the controller for this level of verification.

Which reaction to a suspected integrity breach? 

  • Either the project continues loading and the PLC goes into PlcState.Run; a Warning icon is then displayed (this is the default setting);
  • or the project stops loading and the PLC remains in PlcState.Ready; an Error icon is then displayed.

Setting up the project integrity with signature check 

  1. Prepare a signing certificate
    1. Generate a certificate via an official Public Key Infrastructure (PKI); you'll need the path to the .pem file later in step 2.
    2. Save the certificate chain and private key as a PKCS#12 container file (suffix *.pfx or *.p12) which is secured by a password. You'll need the path to this certificate file and its password at the last task in step 3.
    3. From the PKCS#12 file, extract the root CA certificate and save that .pem file separately.

      Tip: Extracting parts from the PKCS#12 container can be done by means of the XCA tool,
      or with an OpenSSL command, e.g. openssl pkcs12 -nokeys -in store.pfx -info > chain.pem (this exports all certificates of the chain; the root CA certificate is the self-signed one among them).

  2. Prepare the controller
    1. Enter the Web‑based Management of the controller; see WBM2.
    2. Optional, but recommended: Open the Configuration → Date & Time page and set up a time server for the controller; see System time.
    3. Open the Security → Certificate management page and put the .pem file of the root CA certificate into the Code Signing Trust Store on the controller; see Certificate management.
    4. Open the Security → Project integrity page and set up the Project integrity check:
      1. At Integrity check mode, adapt the reaction to a suspected integrity breach to your needs (details see Prerequisites).
      2. At Signature verification, adapt the verification level to your needs (details see Prerequisites).
      3. Save & apply the changes made on this WBM 2 page.
        ↪ From now on, the device does not accept an automation project from PLCnext Engineer until the tasks in step 3 are done.
  3. Prepare the automation project
    1. In PLCnext Engineer, open (or create) a project from a template ≥2025.0 for your controller.
    2. Double-click the controller node to show the editor in the center panel.
    3. Click the Package Signing editor tab and perform the steps for Creating a digital signature, and add the time server settings.

      Note: If the Package Signing editor tab doesn't show, then your PLCnext Engineer project was not generated from a ≥2025.0 template. To update a project to the current template, proceed as if you were replacing a device.

  4. Use the integrity check with your automation project
    1. When opening the PLCnext Engineer project on your computer you'll always have to enter the password for the certificate container.
    2. After changing something in your automation project in PLCnext Engineer, save all changes.
    3. Connect to the controller and issue a Write and start project command.
      ↪ The current timestamp is added to the project and signed with the Signing certificate set up in the previous steps.
      ↪ The digital signature for this state of the project is generated in PLCnext Engineer.
      ↪ The project is transmitted to the controller and the integrity of the binary data is checked by means of the certificate.
      ↪ If something suspicious has happened then an error or at least a warning is displayed.
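The following script is an added example; it is not part of the PLCnext documentation and not Phoenix Contact code. It walks through step 1 (Prepare a signing certificate) in a lab setting and then shows what the basic level (hash value only) and the advanced level (signature chained to a trusted root) check. A self-signed root CA stands in for the official PKI the procedure requires, the detached signature is a generic OpenSSL signature rather than the PLCnext package format (which the page does not describe), and all file names, subjects and the container password are constructed placeholders. It needs the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from the PLCnext documentation, not Phoenix Contact code).
# Lab walk-through of "Prepare a signing certificate" plus the hash (basic level)
# and signature (advanced level) checks. A self-signed root CA stands in for the
# official PKI; every file name, subject and the password are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-lab-password}"   # constructed; never hard-code a real one

# Step 1.1 (lab stand-in): root CA plus a leaf certificate restricted to code signing.
make_lab_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Lab Code Signing" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = codeSigning\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Step 1.2: private key and certificate chain in one password-protected PKCS#12 container.
make_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
    -certfile "$WORK/ca.pem" -name "lab-plcnext-signing" \
    -passout "pass:$PFX_PASS" -out "$WORK/store.pfx"
}

# Step 1.3: pull only the CA certificate out of the container, without the key.
# -nokeys leaves the private key in the container; -cacerts drops the leaf
# (the page's "openssl pkcs12 -nokeys ... -info" variant exports the whole chain).
extract_root_ca() {
  openssl pkcs12 -in "$WORK/store.pfx" -nokeys -cacerts \
    -passin "pass:$PFX_PASS" -out "$WORK/root-ca.bags"
  # Re-encode to strip the "Bag Attributes" preamble; this .pem is the file that
  # goes into the controller's Code Signing Trust Store.
  openssl x509 -in "$WORK/root-ca.bags" -out "$WORK/root-ca.pem"
}

# Advanced level, conceptually: does the signing certificate chain to the trusted root?
verify_leaf_against_root() {
  openssl verify -CAfile "$WORK/root-ca.pem" "$WORK/leaf.pem" >/dev/null
}

# Basic level: a bare SHA-256 over the package file; no certificate involved, so a
# matching hash only proves the file is unchanged since the hash was computed.
package_hash() {
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Advanced level: detached signature over the package with the leaf key, and its
# check against the certificate's public key. Generic OpenSSL signature, not the
# PLCnext package format.
sign_package() {
  openssl dgst -sha256 -sign "$WORK/leaf.key" -out "$1.sig" "$1"
}
verify_package() {
  openssl x509 -in "$WORK/leaf.pem" -pubkey -noout > "$WORK/leaf.pub"
  openssl dgst -sha256 -verify "$WORK/leaf.pub" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Demo run on a constructed "project package".
make_lab_pki
make_pkcs12
extract_root_ca
printf 'constructed project package bytes\n' > "$WORK/project.bin"
sign_package "$WORK/project.bin"
echo "package hash: $(package_hash "$WORK/project.bin")"
verify_leaf_against_root && echo "signing certificate chains to root-ca.pem"
verify_package "$WORK/project.bin" && echo "signature verified: package unchanged"
```

The difference between the two levels shows up when a byte of the package is changed: the hash changes, but an attacker who can alter the package can just as easily recompute a hash, whereas the detached signature fails verification unless the attacker also holds the private key from the PKCS#12 container. The root-ca.pem written by extract_root_ca contains no private key, which is what makes it safe to place in the controller's Trust Store.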

Published/reviewed: 2025-07-04  ✿  Revision 081