How to protect Siemens PLC control program?

In the early stage of system design, developers should consider protecting the PLC control program from the system point of view:
First, the concept of T.I.A (Totally Integrated Automation) helps to protect our KNOW HOW
T.I.A provides tight integration of configuration and programming, data management and communication, and automation and drive products (PLC controllers, HMI panels, networks, drives and so on). Practice has shown that a control system designed around the T.I.A concept is difficult to copy: with the same software platform, the same hardware and the same bus communication, completely different control systems can be designed. It is a platform on which developers can play freely.
For example, two MM440 inverters and one CPU 315-2DP communicate over PROFIBUS-DP. In addition to the regular data exchange between the PLC and the inverters, if the user has the DRIVES ES engineering software, direct fast data exchange between the two MM440s can be set up; furthermore, more than 10 PZD process-data exchanges between the PLC and the MM440s can be realized through DRIVES ES, and the PLC can batch-download the inverter parameters.
On the surface, none of this changes the hardware, so it is difficult for an imitator to judge from the hardware alone how the system controls the speed of the two drives. A counterfeiter unfamiliar with Siemens products cannot easily change the hardware configuration or modify the software, and even a counterfeiter who is an expert in Siemens products will not find it easy to work out the specific details alone.
To a certain extent, T.I.A greatly raises the technical threshold for imitators. There are not many technicians at the level of a Siemens system integration expert, and of those, few are willing to do such disreputable work. In addition, for OEM developers of larger systems, routing and communication functions, the iMAP software package and the like are very good T.I.A system functions or tools that further raise the technical difficulty of imitation or plagiarism.
Second, use a high-level language to write some important process programs
This mainly applies to control equipment using S7-300/400 or WinAC products. Besides the LAD, STL and FBD languages provided by STEP 7 Standard, you can also use SCL, S7-GRAPH and other high-level languages to develop some important process programs, and WinAC can additionally use the ODK software package to develop proprietary program blocks. It is not easy for ordinary imitators to obtain these development tools, and even if they do, they may not be able to use them, let alone read and understand these programs. During the implementation of the project, the protection of the PLC control program should also be considered from the perspective of software development skills:
1. Programming methods
a) Adopt a modular program structure, using symbolic names and parameters
b) On S7-300/400, use instance data blocks and multi-instance data transfer as much as possible
c) Use indirect addressing wherever possible
d) For the control program of a complex system, especially one with sequence control or recipe control, data-driven programming can be considered, i.e. the control logic or control sequence of the system is changed by changing data.
Users should try to adopt the above-mentioned advanced programming methods, so that the protection program embedded in the system is not easy to find and
2. Active protection methods
a) Use the system clock
b) Use the ID number and serial number of the memory card or CPU
c) Use the write-protect function of the EEPROM, and some memory retention functions that need to be set
d) Use the accumulator functions provided by the system
e) Set a password in a data block of the user program
f) Set logic traps in the software
g) You can reverse the mistakes you made in programming
3. Passive protection methods
a) Where memory capacity permits, do not delete programs that are considered useless
b) Leave the developer's logo in a data block, so that it can serve as forensic evidence if the program is infringed in the future
4. Precautions for applying anti-
a) The protection program should be embedded naturally in the user program rather than added abruptly. Its code should be as simple as possible, and its variable symbol names should be consistent with those of the program segment in which it is embedded
b) One protection method is often not enough; several methods should be used together, and once these protection programs are triggered, their consequences for the system should be as different from one another as possible, producing the so-called "landmine effect". This increases the difficulty, time and cost of breaking the program's protection and leaves plagiarists helpless in the short term.
c) Protect the program's source code. If the program must be delivered, the delivered program should receive appropriate technical processing that does not affect the user's maintenance of the equipment, such as deleting some of the symbol names or delivering an uploaded program or data block
d) Test strictly, to avoid unnecessary trouble caused by malfunctions of an imperfect protection program; this also reduces after-sales service costs
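As an added illustration of method 2(b) above (this code is not from the original article), here is a STEP 7 Classic SCL function block for S7-300/400 that binds the program to one CPU by comparing its serial number with a reference stored in a data block. It assumes that SFC 51 "RDSYSST" with SZL-ID W#16#011C, index W#16#0006 returns the module serial number as one 34-byte record (2-byte index plus 32 characters), and that a hypothetical data block DB_LIC holds the reference in a 32-byte array "serial"; both are assumptions to verify against the documentation of the CPU actually used.

```scl
// Added example, not from the original article. Assumptions (verify against
// the CPU's system status list documentation): SZL-ID W#16#011C, index 6
// returns one 34-byte record = 2-byte index + 32 ASCII bytes of serial number.
// DB_LIC is a hypothetical data block holding "serial : ARRAY[0..31] OF BYTE",
// written once at commissioning time with the licensed CPU's serial number.
FUNCTION_BLOCK FB_LIC_CHECK
VAR_INPUT
    req     : BOOL;     // TRUE triggers a read of the serial number record
END_VAR
VAR_OUTPUT
    lic_ok  : BOOL;     // TRUE after a completed read when the serial matches
    done    : BOOL;     // TRUE for one cycle when a read has completed
    ret_val : INT;      // RDSYSST return value, kept for diagnostics
END_VAR
VAR
    busy    : BOOL;
    szl_hdr : STRUCT
                lengthdr : WORD;    // length of one data record in bytes
                n_dr     : WORD;    // number of data records returned
              END_STRUCT;
    dr      : ARRAY[0..33] OF BYTE; // receive buffer for exactly one record
    i       : INT;
END_VAR
BEGIN
    done := FALSE;
    IF req THEN
        // Classic STEP 7 SCL passes SFC output parameters with ":=" as well
        ret_val := RDSYSST(REQ        := TRUE,
                           SZL_ID     := W#16#011C,   // component identification
                           INDEX      := W#16#0006,   // module serial number
                           BUSY       := busy,
                           SZL_HEADER := szl_hdr,
                           DR         := dr);
        // On S7-300 the read may take several cycles; evaluate only when finished
        IF (NOT busy) AND (ret_val = 0) AND (WORD_TO_INT(szl_hdr.n_dr) >= 1) THEN
            lic_ok := TRUE;
            FOR i := 0 TO 31 DO
                // Compare the 32 serial-number bytes with the stored reference,
                // skipping the 2-byte record index at dr[0..1]
                IF dr[i + 2] <> DB_LIC.serial[i] THEN
                    lic_ok := FALSE;
                END_IF;
            END_FOR;
            done := TRUE;
        END_IF;
    END_IF;
    // Gate only an optional, non-safety-relevant function on lic_ok; the article
    // advises making each protection point react differently, not stopping the machine
END_FUNCTION_BLOCK
```

Call the instance once per cycle from a cyclic OB and use lic_ok together with the other methods of section 2, so that no single check reveals the whole scheme.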
Third, use communication functions
In practice you often encounter situations that require data exchange between systems (PLC to PLC, PLC to drive, PLC to instrument). Whether between Siemens products or between Siemens and third-party products, a communication solution is recommended over interconnecting analog or digital signals. With the former, the imitator sees only a hardware communication line, and must spend effort studying the user program to find out how much data is exchanged; with the latter, the developer saves effort, but the imitator also sees the whole picture at a glance.
For communication between the PLC and a drive, in addition to the control word / status word, setpoint / actual value and process variable data, the drive's working parameters should also be downloaded by the PLC through software. This reduces the end user's maintenance effort and at the same time prevents imitators from analyzing the system's working principle and design ideas, especially on the drive side, from the drive's working parameters.
Sometimes the control system consists of multiple sub-systems, forming a network with multiple CPUs and HMIs. Siemens S7-200 products commonly use PPI networks and S7-300/400 products commonly use MPI networks, usually for data exchange between the HMI and the CPU. We can also add some S7 basic communication functions that require no configuration to the CPU user program (S7-200 can use the NETR/NETW instructions, S7-300/400 the X_PUT/X_GET instructions) so that small amounts of data are exchanged between the CPUs at regular or irregular intervals, and the interlocking of the subsystems' control logic is realized through these data. For such a system, it is not easy for imitators to analyze the program of any one subsystem.
Fourth, use a panel-type man-machine interface
Try to use a panel-type man-machine interface instead of individual push buttons and indicator lights in the automation system. Although the function of push buttons and indicator lights cannot be kept confidential, so far there are not many products that can upload and decompile the program of a panel-type HMI. Developers can add obvious information such as the manufacturer's logo and contact details to the panel screens; no imitator will be so stupid as to copy these as they are.
This forces imitators to rewrite the program of the operator panel or even the PLC program, while the developer can use some special functional areas of the data interface between panel and PLC (such as the area pointers of Siemens panels, or VB script) to control the execution of the PLC program. Without the HMI source program, the change logic of the PLC's internal variables in such a program can only be obtained by guessing and online monitoring, which is time-consuming and laborious and greatly increases the difficulty of imitation and plagiarism.
