APPLICATION NOTE
AC500 V3 - ENCRYPT AND SIGN YOUR
APPLICATION
2 3ADR010707, 3, en_US
Contents
1 Introduction ................................................................................................................................ 3
1.1 Scope of the document .............................................................................................................. 3
1.2 Compatibility ................................................................................................................................ 3
1.3 Overview ....................................................................................................................................... 4
2 User management and encrypted communication ................................................................. 5
2.1 User management .......................................................................................................................5
2.2 Encrypted communication ....................................................................................................... 6
3 Encrypt the application with certificate ................................................................................. 8
4 Create self-signed certificates with Win10 ........................................................................... 14
5 Sign the application with certificate ...................................................................................... 18
5.1 Import Certificate into Automation Builder ........................................................................ 18
5.2 Change policy to signed only ................................................................................................. 20
6 Delete certificates and user management ............................................................................. 22
6.1 Delete certificate for signing the application .....................................................................22
6.2 Deleting a certificate for the encryption of boot application, download
and, online change .....................................................................................................................22
6.3 Deleting a certificate for the encrypted communication .................................................23
6.4 Delete the user management..................................................................................................23
7 FAQs .......................................................................................................................................... 24
AC500 V3 - ENCRYPT AND SIGN YOUR APPLICATION
3ADR010707, 3, en_US 3
1 Introduction
1.1 Scope of the document
This Application Note describes how to protect the project and the running application in an
AC500 V3 PLC.
To archive this a user management is used, the communication and the boot application are
encrypted with a certificate from the controller in order to prevent unauthorized access and
to make sure that it cannot be exchanged.
In addition, we want to sign the application on the controller.
It is not possible to just sign the application. It’s always required to encrypt the application as
well. It’s possible to encrypt the application without sign it.
To do this, a corresponding certificate must be created on the controller and installed in the
Windows Certificate Store of your computer.
Note: Be sure you have a battery plugged to you PLC. This is required to re-
store the date and time inside the PLC. Certificates have always an expira-
tion date.
All available certificates are located in the Windows Certificate Store “certmgr” on your com-
puter. There are two types of keys:
Certificates with private keys
for file decryption
for digital signatures
Certificates with public keys
for file encryption
for verifying digital signatures
1.2 Compatibility
The application example explained in this document have been used with the below engineer-
ing system versions. They should also work with other versions, nevertheless some small ad-
aptations may be necessary, for future versions.
AC500 V3 PLC
Automation Builder V2.6.0 or newer
4 3ADR010707, 3, en_US
1.3 Overview
Authentification &
Encrypted communication
Bootproject
Encrypted & Signed
The steps described in this Application Note can be used to protect the Application. In the
first step the communication between computer and AC500 V3 is authenticated and en-
crypted to make sure that no unauthorized person can access the PLC.
In the second step the download and boot application become encrypted and signed to
make sure that nobody can replicate the boot application or load a not trusteed applica-
tion.
AC500 V3 - ENCRYPT AND SIGN YOUR APPLICATION
3ADR010707, 3, en_US 5
2 User management and encrypted
communication
2.1 User management
To prevent that any unauthorized person can access the PLC, overwrite the Application,
change the firmware or similar a User Management is needed.
How the User Management can be activated and configured is described in the Application
Note AC500 User Management with V3 in chapter 2.2 in this example the default user Man-
agement is used.
CAUTION!
Please check and remember your Administrator password.
There is also no workaround to login to the PLC without this password. If
this happens, the PLC must be replaced!
Only an Administrator has been added to the user management and the password has been
set.
If now a project should be downloaded an authorized user needs to log in.
If a user who don’t has username and password tries to log in or update the firmware is not
able to as he has insufficient rights. Each successful or failed login attempt will be tracked
inside the Audit Log of the PLC.
6 3ADR010707, 3, en_US
2.2 Encrypted communication
As described in the last chapter only authorized user can log in to the PLC.
To ensure that nobody can read the login data you sent from your computer to the PLC an en-
crypted communication must be used. The steps to archive this are also described in the Ap-
plication Note AC500 User Management with V3 in the chapter 2.2.1.4.
Afterwards go to the Communication Settings.
1. In the tab “Device” choose “Encrypted Communication”
Now the communication between the PLC and the PC is encrypted so that nobody can get
any log in information or read any system values. This setting is only done locally on your Au-
tomation Builder and will be saved within the project.
Note: In case you want to login from different computers to the controller,
you will need the appropriate certificate for each computer. Otherwise the
communication from other PCs is not encrypted and attackers could read
confidential data.
In the next step the comunication policy from the device is changed to allow only encrypted
communication. Then it is not possible to log in without an encrypted communication.
2. Click “Change Communication Policy
3. Change the communication policy to “Enforced encryption
AC500 V3 - ENCRYPT AND SIGN YOUR APPLICATIO N
3ADR010707, 3, en_US 7
It is also possible to force the usermanagement here. Then it is not possible to delete the
usermanagement from the PLC. The settings to force the signing of an application is
described in chapter 5.2.
In the next step the communication from another PC to this PLC shall be established.
4. When trying to log in without encrypted communication following error will pop up
5. Use also on the second computer encrypted communication like shown in step 1
6. With the next login the certificate for the encrypted communication will be stored in your
certificate manager on your PC. Click “OK” to confirm
8 3ADR010707, 3, en_US
3 Encrypt the application with certificate
In addition to secure the communication to the PLC also the stored boot application can be
encrypted to make sure that nobody who could access the PLC is able to duplicate the exist-
ing boot application for other PLCs.
In this chapter, the boot application, Download and Online Change gets encrypted.
There is a project with an application that must be downloaded to the controller as an en-
crypted boot application. In the Windows Certificate Store of a computer, the certificate of
this controller for encrypting the application will be installed.
Note: In case you want to download the application to different controllers,
you will need the appropriate certificate for each controller.
1. Login to your PLC
2. Open the “Security-Screen” view by double-clicking the symbol in the status bar or
by clicking “View Security-Screen”
3. Go to “Devices” tab and click the button to refresh the list of available devices and
their certificate store
You can see that there are no certificates available. If the certificate already exists,
some of the steps below can be skipped.
AC500 V3 - ENCRYPT AND SIGN YOUR APPLICATION
3ADR010707, 3, en_US 9
4. Open the “Project” tab and double-click the “Application” entry in the area “Encryption
of boot application, download, and online change”
5. The “Properties” dialog of the Application opens
6. Select the “Security” tab and select “Encryption with certificates” as the “Protection”.
10 3ADR010707, 3, en_US
7. Click on the “Encryption Wizard” button
8. Click on “Start” and select the Key Length “4096” and the Validity period in days:
9. Confirm with “OK”
AC500 V3 - ENCRYPT AND SIGN YOUR APPLICATION
3ADR010707, 3, en_US 11
10. The server certificate on the PLC will be created. Also, the certificate will be installed on
the Cert store in Windows.
11. Click “Close”
12 3ADR010707, 3, en_US
12. The certificate is automatically added for the encrypted application. Please remove the
checkbox for “Digitally signing application code” if it is set.
This will be handled in chapter 5.
13. Confirm with “OK” and find then encrypted application added
14. Go to “Devices” tab and click the button to refresh the list of available devices and
their certificate store
You can see that the certificate is available
AC500 V3 - ENCRYPT AND SIGN YOUR APPLICATION
3ADR010707, 3, en_US 13
15. When you go to your certmgr.msc, see chapter 4 step 4, navigate to “Controller Certifi-
cates” you can see the installed certificate on your Certificate Store on Windows
16. Open the “Users” tab in the “Security-Screen”.
Activate the option “Enforce encryption of downloads, online changes, and boot appli-
cations” in the “Security-Level” area.
17. Logout of the PLC
18. Select Build Clean All
19. Login to the PLC
20. The certificate is now used to encrypt the application.
14 3ADR010707, 3, en_US
4 Create self-signed certificates with Win10
In the face of increasing security precautions and security issues, it has become of funda-
mental importance to websites and services to be implemented with always activated secu-
rity. Various service providers now need secure connections, also for development environ-
ments. In most cases it is not possible to use cryptographic certificates for the local
development environment any developer, but you can easily get self-signed certificates for
free.
These certificates can be used in local environments and cover the security requirements dur-
ing the development of the solution.
CAUTION!
Self-signed certificates should NEVER be used on production or public
websites and networks.
PowerShell in Windows 10 includes the command New-SelfSignedCertificate. This command
can be used to create self-signed certificates.
1. Open a PowerShell window in Administrator mode
2. Enter the following command:
New-SelfSignedCertificate -type CodeSigningCert -KeyLength 4096 -Subject
"E=test@example.com,CN=Test" -FriendlyName "SelfSignedCertForSigning" -
CertStoreLocation "Cert:\CurrentUser\"
3. The result will be a Thumbprint
AC500 V3 - ENCRYPT AND SIGN YOUR APPLICATION
3ADR010707, 3, en_US 15
4. Start the certmgr.msc via PowerShell
5. A new window will open
Navigate to Personal Certificates
Here you can see the currently created self-signed certificate with private key
6. Select the Test certificate, right click and select:
All Tasks -> Export…
7. Click Next
16 3ADR010707, 3, en_US
8. Select: No, do not export the private key
9. Select DER encoded binary X.509 (.CER)
AC500 V3 - ENCRYPT AND SIGN YOUR APPLICATION
3ADR010707, 3, en_US 17
10. Choose a path and name e.g. MyCertForSinging.cer to store the certificate.
Confirm with Next
11. The final result will be shown:
12. Confirm with Finish
18 3ADR010707, 3, en_US
5 Sign the application with certificate
In this step, boot application becomes signed. Currently AB allows only to sign the applica-
tion, when you also encrypt the application. The encryption of the application was already
handled in chapter 3.
5.1 Import Certificate into Automation Builder
1. Open the “Security-Screen” view by double-clicking the symbol in the status bar or
by clicking “View Security-Screen”
2. In the “User” tab, select the user profile for which the communication will be en-
crypted. By default, the specified user profile is the one you have used on your com-
puter to sign into Windows.
3. Click the button in the “Digital signature” area. The “Certificate Selection” dialog
opens.
AC500 V3 - ENCRYPT AND SIGN YOUR AP PLICATION
3ADR010707, 3, en_US 19
4. Select the certificate with a private key from the list “Personal certificateswhich was
created in chapter 4.
Certificates with a private key are identified by the symbol.
5. Click on the arrow up button to add the certificate to the upper part of the dialog
6. Click “OK” to confirm your selection. The selected certificate is displayed in the “Secu-
rity Screen” in the “Digital signature” area.
7. Activate the option “Enforce signing of downloads, online changes and boot
applications” in the “Security-Level” area.
8. Go to “Devices” tab and click the button to refresh the list of available devices and
their certificate store.
Select “Trusted Certificates”
9. Import the certificate (MyCertForSinging.cer), created in chapter: 4, to the “Trusted Cer-
tificates” in your PLC, using the symbol.
10. Once imported the confirmation screen appears
20 3ADR010707, 3, en_US
11. The imported certificate is now visible in the “Trusted Certificates” area.
12. Logout of the PLC
13. Select Build Clean All
14. Login to the PLC
5.2 Change policy to signed only
In the last chapter the signing in one project was activated. But another project which is not
encrypted & signed can also be loaded from the CPU. In this chapter it is explained how to en-
force the signing of projects.
1. Open the Communication Settings
2. Click Device Change Runtime Security Policy
3. In the section Code Signing the policy is changed to Enforced signing
AC500 V3 - ENCRYPT AND SIGN YOUR APPLICATION
3ADR010707, 3, en_US 21
4. Confirm with OK
In future, only signed boot applications can be loaded. In case an unsigned application is
downloaded following error pops up.
CAUTION!
A not signed boot application can be downloaded to the PLC which is re-
placing the existing boot application. When trying to load this not signed
boot application the error occurs. Nevertheless, the old boot application
is already replaced so not boot application is available anymore.
22 3ADR010707, 3, en_US
6 Delete certificates and user management
Certificates can be deleted in the “Security Screenview, either directly on the “Usertab or in
the “Certificate Selectiondialog.
6.1 Delete certificate for signing the application
Dialog “Security Screen”, tab “User”, “Digital signature”.
Select a certificate and click
Remove the checkboxes in the “Security Level”.
6.2 Deleting a certificate for the encryption of boot
application, download and, online change
1. In the “Security Screenview, on the “User” tab, remove the checkbox for “Enforce en-
cryption of downloads, online changes, and boot applications
2. In the “Security Screenview, on the “Projecttab, in the bottom view, double click the
entry for the “Application”.
3. The “Properties dialog for the application opens with the “Encryptiontab.
4. In the “Certificatesgroup, click .
In the “Certificate Selectiondialog, delete the certificate by selecting the certificate
and click
5. Click “OKto close the “Certificate Selectiondialog.
6. The certificate is no longer displayed in the “Properties” dialog.
7. Remove the checkbox in the “Certificates” section for “Digitally sign application code”
8. Set the “Encryption technology” to “No encryption
9. Click “Apply” and “OK”
10. In the “Security Screenview, on the “Device” tab, select the PLC and remove the certifi-
cate for “Encrypted Application
AC500 V3 - ENCRYPT AND SIGN YOUR APPLICATION
3ADR010707, 3, en_US 23
6.3 Deleting a certificate for the encrypted
communication
1. In the “Security Screenview, on the “User” tab, remove the checkbox for “Enforce en-
crypted communication
2. In the “Security Screenview, on the “Device” tab, select the PLC and remove the certifi-
cate for “Encrypted Communication”
6.4 Delete the user management
1. Login as Administrator
2. Right click to the PLC_AC500 in the device tree
3. Select reset origin Device
4. Confirm with yes
5. Wait about 30s, you’ll be logged out
6. Login Again, you’ll be asked for Username and Password
7. Type in and confirm. The error message “Too many Tries” is shown
8. Now the user management is deleted and no more password is needed
24 3ADR010707, 3, en_US
7 FAQs
Q1: What’s wrong when I got the Error: Operation aborted, no valid certificate for signing
found
A1: If you do not want to use Code Signing, it could happen, that you have selected the “Digi-
tally sign application code” is selected
If you want to use Code Signing than, please be sure you have imported your certificate.
__
__
ABB Automation Products GmbH
Eppelheimer Straße 82
69123 Heidelberg, Germany
Phone: +49 62 21 701 1444
Fax: +49 62 21 701 1382
E-Mail: [email protected]m
www.abb.com/plc
We reserve the right to make technical
changes or modify the contents of this
document without prior notice. With re-
gard to purchase orders, the agreed par-
ticulars shall prevail. ABB AG does not ac-
cept any responsibility whatsoever for
potential errors or possible lack of infor-
mation in this document.
We reserve all rights in this document and
in the subject matter and illustrations con-
tained therein. Any reproduction, disclo-
sure to third parties or utilization of its
contents – in whole or in parts – is forbid-
den without prior written consent of ABB
AG.
Copyright© 2023 ABB. All rights reserved