SIEMENS西门子 SIMOTICS SD低压电机 1LE00012CA233AA4

       online access and functionrestrictionthe s7 cpu has four access levels, in order to limitaccess to specific functions. setting up theaccess level andpassword will limit the functions and memory ranges that areaccessiblewithout a password. the individual access levels and theassociated passwords are defined inthe object properties of thecpu. legitimating oneself with a configured password grantsaccessaccording to the associated protection level.table 2-1accesslevels restriction of accessfull access (no protection) hardwareconfiguration and blocks can be read andchanged by anyone.readaccess for f blocks (only with f-cpus) f blocks in the safetyprogram cannot be modifiedwithout legitimation with the passwordassociated withthis access level or a higher access level.readaccess this access level grants only write-protected access tothehardware configuration and the blocks unless thepassword isentered. without the password, thefollowing functions can beutilized:• read the hardware configuration and blocks• download thehardware configuration and blocksto the programming device• readdiagnostic data• display online/offline comparison results• set thetime• change operating mode (run/stop)the following functionscannot be run without enteringthe password:• download the blocksand hardware configurationto the cpu• write-based test functions•firmware update (online)hmi access this access level only allowsthe following when thepassword has not been entered:• hmi access•read diagnostic dataexample: with the "hmi access" access level,you cango online and display diagnostic icons for the statesofobjects.tags can be read and written via an hmi device.thefollowing functions cannot be run without enteringthe password:•download the blocks and hardware configurationto/from the cpu•display online/offline comparison results• change operating mode(run/stop)• write-based test functions• firmware update (online)2security mechanisms on the s7 cpusecurityarticle id: 90885010,v3.0, 11/2022 19© siemens ag 2022 all rights reservedaccess levelsrestriction of accessno access (complete protection) onlyidentification data can be read, e.g. via"accessiblesubscribers".with complete protection, the cpu forbids:• read andwrite access to the hardwareconfiguration and blocks• hmi access•modification in the server function forput/getcommunicationoperational performance with protection levelactivateda password-protected cpu behaves as follows when inoperation:• the cpu protection takes effect once the settings aredownloaded to the cpu and a newconnection has been established.•before an online function is executed, the necessary permission ischecked and, ifpassword-protected, the user is prompted to enter apassword.• the password-protected functions can only be executedfrom a programming device or pcat any given time. anotherprogramming device or pc cannot sign in with a password.• accesspermissions to the protected data apply while the online connectionis active, or untilthe access protection is removed manually via"online > delete access permissions".going online with apassword-protected cpugoing online with a password-protected cpurequires read access as of step 7 v14.therefore, you must enter thepassword for read access when you go online or, if no passwordwasconfigured for this, you must enter the password for full access.ifyou have a fully protected cpu and you only have a password for hmiaccess on hand,cancel the password prompt after the read accesspassword prompt. you will then be promptedto enter the password forhmi access. the permission for hmi access is not sufficient fortheonline/offline comparison, however. for this you will need readaccess permissions.noteconfiguring an access level is not areplacement for know-how protection.it prevents impropermodifications to the cpu by restricting download permissions.however,the blocks on the simatic memory card are neitherwrite-protected nor read-protected.know-how protection should beused to safeguard the program code.2 security mechanisms on the s7cpusecurityarticle id: 90885010, v3.0, 11/2022 20© siemens ag 2022all rights reserved2.3 block protectionvarious block protectionmechanisms are available in step 7 (tia portal) to protect theknowhow in the blocks' programs from unauthorized persons.2.3.1know-how protectionknow-how protection lets you guard blocks oftype ob, fb, fc and global data blocks againstunauthorized accessby using a password.take the following features into account withknow-how protection:• you cannot manually protect instance datablocks; they are dependent on the know-howprotection of theassociated fb. this means that when you generate an instance datablockfor a know-how-protected fb, the instance data block likewisereceives know-howprotection. this happens regardless of whether youexplicitly create the instance data blockor whether it wasgenerated by a block call.• with global data blocks, you cannotedit the start values and comments, but this is possiblewithinstance data blocks.• array data blocks cannot be provided withknow-how protection.• storage space re may be higher withknow-how-protected blocks.• during a comparison between the offlineand online version of know-how-protected blocks,only thenon-protected data are compared.• further access to the block isnot possible without a password.• when you add a know-how-protectedblock to a library, the resulting master copy alsoreceived know-howprotection.restrictionswith a know-how-protected block, only thefollowing data are readable without a password:• call parameters:input, output, inout, return, static• block title• block comment•block properties• tags of global data blocks, minus informationabout the location of usethe following actions can be carried outwith a know-how-protected block:• copying and deleting• calling ina program• offline/online comparison•downloadingreadmereferencesyou can find more information at thefollowing link: \7\ in chapter 4.3, specifically regarding:•setting up know-how protection for blocks• opening blocks protectedby know-how protection• removing know-how protection from blocks2security mechanisms on the s7 cpusecurityarticle id: 90885010,v3.0, 11/2022 21© siemens ag 2022 all rights reserved2.3.2 copyprotectioncopy protection links a program or blocks with a specificsimatic memory card or cpu. bylinking the serial number of asimatic memory card or cpu, use of the program or block in only possible in connection with this specific simatic memorycard or cpu.if a block with copy protection is downloaded to adevice whose serial number does not matchthe defined serial number,the download process will be rejected. however, this does notmeanthat blocks without copy protection cannot be downloaded.copyprotection is set up and the associated serial number is enteredvia the block properties.applications• if the program is bound tothe serial number of the cpu, use of tia portal to adjust theserialnumber is mandatory upon hardware replacement in the event of afault.• if the serial number is linked to the memory card, thehardware can be replaced and thememory card taken from the old cpu.due to the fact that the program is stored on thememory card, it isstill possible to ensure that the program only runs on onecpu.notewhen setting up copy protection for a block, it isimportant that this block also receive blockprotection. withoutknow-how protection, anyone could reset the copy protection.copyprotection must be set up prior to block protection. the copyprotection settings arewrite-protected when the block has know-howprotection.there are two options for adding the serial number:•manual entry of serial number:the serial number must be knownduring the engineering phase.• automatic assignment duringdownload:the serial number does not need to be known forengineering.during download to a new cpu, the password defined forcopy protection is re security mechanisms on the s7cpusecurityarticle id: 90885010, v3.0, 11/2022 22© siemens ag 2022all rights reserved2.3.3 write protectionset up write protectionfor blocks of type ob, fb or fc to prevent inadvertentmodifications.blocks with write protection can only be opened inread-only mode. however, you can still editthe block properties.there are no restrictions on diagnostics.notenote that writeprotection is not the same as know-how protection. when a block iswriteprotected, you cannot set up know-how protection on top ofthis. remove the block's writeprotection if you want to give itknow-how protection.2 security mechanisms on the s7cpusecurityarticle id: 90885010, v3.0, 11/2022 23© siemens ag 2022all rights reserved2.4 cpu integrity protectionintegrity refers tothe protection of data against unauthorized modification ordeletion.in the context of cpu security, this entails thefollowing:• protection of confidential cpu configuration data•protection of the cpu firmware signature2.4.1 protection ofconfidential plc configuration datatrouble-free functioning ofcertificate-based communication mechanisms for securecommunication(see chapter 2.1) requires that the private keys employed by thesecertificatesare protected as much as possible.as of tia portal v17,you can set up a user defined password to protect these keys andothersensitive data.password for protecting confidential cpuconfiguration datato protect the confidential configuration data ofthe cpu, for example certificates and privatekeys, enter thepassword in tia portal.the following figure is a simplifiedrepresentation of how confidential cpu configuration data(forexample a standard s7-1500 cpu) can be protected.figure 2-5 securememory concept12the project and key information is stored indifferent memory ranges during the initial download:1. the projectis stored in the load memory (simatic memory card).2. the keyinformation is stored in a memory range in the cpu. this key isused to read theconfidential configuration data on the simaticmemory card.for target systems such as s7-1200 cpus and softwarecontrollers with other storageconcepts, the implementation isadapted to fit the relevant storage concept. the principleremainsthe same, however.2 security mechanisms on the s7cpusecurityarticle id: 90885010, v3.0, 11/2022 24© siemens ag 2022all rights reservedtwo memory ranges for additional securitytheproject and the keys belong together like two interlocking puzzlepieces. the project islinked with the downloaded key information;the downloaded key information is in turn linkedwith the passwordthat was assigned during configuration. the project and keyinformation mustmatch, otherwise the cpu will not start.theprinciple of two separate memory ranges also applies for s7-1200cpus and s7-1500 cpuversions without a simatic memory card, forexample software controllers, plcsim orplcsim advanced. in theversions without a simatic memory card, two separate partitionsareused so that the two information elements can be managedindependently of one another.figure 2-6 secure memoryrangesreadmereferencesfurther information on setting up protectionof confidential plc configuration data, as well asthings to notewhen replacing the cpu, can be found at the following applicationexample link: