As we all know, many PLC programs can be decrypted via software. Once decrypted, the program is completely exposed to others. However, selling the equipment while locking the entire PLC program is impractical, as the client would be unable to maintain it. Furthermore, confidentiality and rights protection are perennial topics in the Chinese market. In fact, German engineers never encrypt their programs entirely. Instead, they use other methods that don't hinder troubleshooting while protecting their core secrets. Today, we'll introduce these methods for your reference.
I. Use a Siemens safety PLC or the Know-How protection function of TIA Portal.
Siemens safety PLCs, as a flagship Siemens product, boast unquestionable performance, and their encrypted program blocks are uncrackable, which effectively protects the core components. Siemens TIA Portal PLCs, as the latest Siemens product line, also prioritize copyright protection. The Know-How protection function combines hardware and software protection: unprotected blocks can still be monitored normally, and without the password the code cannot be downloaded to another PLC. Using TIA Portal's Know-How protection therefore lets you hand the program to the client for maintenance while still protecting the core program from theft.
II. Write important process routines in a higher-level language.
In addition to the most basic LAD ladder diagram programming, FBD function block programming, and STL statement list programming, Siemens offers many other methods, such as PCS7 CFC and SFC; there are also SCL, S7-GRAPH, and so on. It's difficult for the average industrial control engineer to master all of these languages, significantly increasing the difficulty of replication. Therefore, critical process programs can be written in these languages, which also effectively protects the core components.
1. Programming approach
a) Adopt a modular program structure, writing subroutine blocks with symbolic names and parameters.
b) Use instance data blocks and multi-instance blocks as much as possible for data transfer.
c) Make frequent use of indirect addressing.
d) For control programs of complex systems, especially those with sequential control or recipe control, consider data-driven programming: the system's control logic or control sequence is changed by changing data rather than code.
Users should make use of the advanced programming methods above as far as possible. Protection and encryption code embedded in programs written this way is much less likely to be discovered and copied.
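A minimal table-driven sequencer of the kind item d) describes, as an added example in TIA Portal SCL (not code from the article): the step order, dwell limits and transition inputs live in a recipe data block, so the control sequence is changed by editing data while the code itself reveals nothing about the process. It assumes an S7-1500 target and that the caller pulses Start once; the block name FB_TableSequencer and the struct fields are made up for this example.

```scl
FUNCTION_BLOCK "FB_TableSequencer"   // added example, not from the article
VAR_INPUT
   Start  : Bool;   // pulse once to run the recipe from step 0
   Inputs : Word;   // sensor image, one bit per input
END_VAR
VAR_IN_OUT
   Table : Array[0..15] of Struct   // the recipe: lives in a DB, not in code
      Outputs   : Word;   // actuator bit pattern held while the step is active
      WaitInput : Int;    // bit 0..15 of Inputs that ends the step, -1 = time only
      MaxDwell  : Time;   // the step also ends when this time has elapsed
      NextStep  : Int;    // index of the following entry, -1 = end of recipe
   END_STRUCT;
END_VAR
VAR_OUTPUT
   Outputs : Word;
   Running : Bool;
   Step    : Int;
END_VAR
VAR
   StepStart : Time;   // system tick (ms) when the current step began
END_VAR
VAR_TEMP
   mask : Word;
   done : Bool;
END_VAR
BEGIN
   IF NOT #Running THEN
      IF #Start THEN
         #Running   := TRUE;
         #Step      := 0;
         #StepStart := TIME_TCK();
      END_IF;
   ELSE
      // Transition when the selected input bit is set or the dwell limit has elapsed.
      #done := (TIME_TCK() - #StepStart) >= #Table[#Step].MaxDwell;
      IF #Table[#Step].WaitInput >= 0 AND #Table[#Step].WaitInput <= 15 THEN
         #mask := SHL(IN := W#16#0001, N := #Table[#Step].WaitInput);
         #done := #done OR ((#Inputs AND #mask) <> W#16#0000);
      END_IF;
      IF #done THEN
         IF #Table[#Step].NextStep < 0 OR #Table[#Step].NextStep > 15 THEN
            #Running := FALSE;   // end of recipe (or an invalid index)
         ELSE
            #Step      := #Table[#Step].NextStep;
            #StepStart := TIME_TCK();
         END_IF;
      END_IF;
   END_IF;
   #Outputs := SEL(G := #Running, IN0 := W#16#0000, IN1 := #Table[#Step].Outputs);
END_FUNCTION_BLOCK
```

Because NextStep is part of the data, loops and branches in the sequence are expressed in the table as well; someone reading only the block sees a generic engine, not the process.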
2. Active protection methods
a) Utilize the system clock.
b) Use the ID number and serial number of the program card or CPU.
c) Utilize the EEPROM's reverse-write function and memory retention functions that require configuration.
d) Utilize the accumulator function provided by the system.
e) Set the password in the user program's data block.
f) Setting logical traps in the software
g) You can reverse the mistakes you made while programming.
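One way to implement b) and e) together, as an added example in TIA Portal SCL that is not from the article: the block learns the CPU serial number at commissioning and later flags a mismatch, with a key stored in the block serving as the maintenance password. It assumes an S7-1500, that the caller reads the I&M0 data with the Get_IM_Data instruction and passes Serial_Number and DONE in (classic S7-300/400 can read the same data with SFC 51 RDSYSST), and that the block and its instance DB are Know-How protected; the names FB_HwBindingCheck and CHANGE-ME are placeholders.

```scl
FUNCTION_BLOCK "FB_HwBindingCheck"   // added example, not from the article
VAR_INPUT
   ActualSerial : String[16];  // Serial_Number from Get_IM_Data (IM_TYPE := 0)
   ReadValid    : Bool;        // DONE of Get_IM_Data; stale or empty reads are ignored
   Commission   : Bool;        // pulse once on the CPU the system is delivered on
   OverrideKey  : String[16];  // maintenance key typed in on the HMI
END_VAR
VAR_OUTPUT
   Licensed : Bool;            // gate non-safety functions (recipe start etc.) on this
   Mismatch : Bool;            // program runs on a CPU it was not commissioned on
END_VAR
VAR
   Commissioned : Bool;
   RefSerial    : String[16];
   RefKey       : String[16] := 'CHANGE-ME';  // placeholder, set per project
   BadReads     : UDInt;
END_VAR
VAR CONSTANT
   GRACE_READS : UDInt := 600;  // consecutive mismatching reads before acting
END_VAR
BEGIN
   // Learn the serial number once; re-learning (CPU replacement) needs the key.
   IF #Commission AND #ReadValid AND LEN(#ActualSerial) > 0
      AND (NOT #Commissioned OR #OverrideKey = #RefKey) THEN
      #RefSerial    := #ActualSerial;
      #Commissioned := TRUE;
      #BadReads     := 0;
   END_IF;
   // Count consecutive valid reads that disagree with the reference; a short
   // run is tolerated so a transient I&M read error does not trip the check.
   IF #Commissioned AND #ReadValid THEN
      IF #ActualSerial <> #RefSerial THEN
         IF #BadReads < #GRACE_READS THEN
            #BadReads := #BadReads + 1;
         END_IF;
      ELSE
         #BadReads := 0;
      END_IF;
   END_IF;
   #Mismatch := #Commissioned AND (#BadReads >= #GRACE_READS);
   // The stored key is the article's "password in a data block": it keeps a
   // legitimately replaced CPU running until the block is re-commissioned.
   // Never route safety interlocks through Licensed; a failed check should
   // only withhold production functions.
   #Licensed := NOT #Mismatch OR (#OverrideKey = #RefKey);
END_FUNCTION_BLOCK
```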
3. Passive protection methods
a) Do not delete programs that are considered useless, provided that memory usage is within acceptable limits.
b) Leave the developer's identifier in the data block so that evidence can be collected in case of future infringement.
4. Precautions for applying anti-theft technology
a) Embedding protection code within user programs should appear natural, avoiding abruptly adding a piece of code. The code should be as concise as possible, and variable names should be consistent with those of the embedded code segment.
b) Often, one protection encryption method is insufficient; multiple methods should be used in combination. Furthermore, the consequences of activating these protection programs on the system should be as different as possible, creating a so-called "landmine effect." This increases the difficulty, time, and cost of program theft, rendering plagiarists helpless in the short term.
c) Protect the program's source code. If the program needs to be delivered, appropriate technical modifications should be made to the delivered program without affecting the user's equipment maintenance, such as deleting some symbol names or using uploaded program or data blocks.
d) Conduct rigorous testing to avoid unnecessary trouble caused by malfunctions due to imperfections in the protection program, and also to reduce after-sales service costs.
III. Using Communication Functions
In practical applications, there are often issues requiring data exchange between systems (between multiple PLCs, or between a PLC and a third-party instrument). Whether it's between Siemens products or between Siemens products and third-party products, it's recommended to use a communication solution instead of an analog or digital signal interconnection solution. For the former, a copycat can only see a hardware communication line; to understand how much data is exchanged and how, they must spend time studying the specific user program. For the latter, developers save time and effort, and copycats have a clear view of the entire process.
There are generally several ways to program inverters or servo motors, such as direct line control or communication control. Using communication control increases the difficulty of program replication. For example, PLCs can control servo drives in several ways, such as direct pulse control or analog control, which are easy to replicate. However, if communication control is used, the program becomes much more complex. In addition, if the replicator is not familiar with the messages, it will be difficult to replicate.
Sometimes a control system consists of multiple sub-control systems, forming a network with multiple CPUs and a human-machine interface (HMI). Siemens S7-200 products commonly use PPI networks, while S7-300/400 products commonly use MPI networks. This typically involves data exchange between the HMI and the CPU. We can also add some basic S7 communication functions to the CPU's user program without any configuration (the NETR/NETW instructions for S7-200 and X_PUT/X_GET for S7-300/400), allowing periodic or intermittent small-scale data exchange between CPUs. This data exchange enables interlocking of the subsystems' control logic. For such systems, analyzing the program of a particular subsystem on its own is no easy task for a copier.
IV. Use a panel-type human-machine interface
In automation systems, try to use panel-type human-machine interfaces instead of single buttons and indicator lights. Many human-machine interfaces, even without source code, only have backup and restore functions, which can fully realize maintenance functions while keeping the HMI layer of the program confidential. For a PLC system, even if you have the source code, it is very difficult to imitate if the HMI part is missing.
Furthermore, developers can add prominent manufacturer logos and contact information to the panel, preventing counterfeiters from copying it exactly.
If a counterfeiter wanted to copy the program, they would have to rewrite the control panel program and even the PLC program. Meanwhile, the developer could use special function areas of the panel and PLC data interface (such as area pointers on a Siemens panel or VB scripts) to control the PLC program execution. Without the HMI source code, such a PLC program would have to rely on guesswork and online monitoring to obtain the logic of changes in the PLC's internal variables, which is time-consuming and laborious, greatly increasing the difficulty of counterfeiting.
V. Use a non-standard human-machine interface
German engineers are willing to use this method.
In China, most engineers prefer to use WinCC, Intuition, or KingSCADA, but there's a more sophisticated approach: writing your own HMI program in VB. For the interface between the software and the PLC, you can choose from the available communication libraries. This method of creating HMIs has many advantages. First, there are no copyright issues because VB is free. Second, upgrading the Windows system only requires adding a few files, unlike WinCC, which requires extensive file modifications if Windows is upgraded. Third, it's generally impossible for ordinary people to modify, let alone replicate: without strong programming skills, one wouldn't dare modify it, and even with basic computer skills, modification is impossible without a foundation in PLCs or process engineering. I once built such a system using an S7-300, but my purpose wasn't secrecy; it was a client requirement. The resulting system was entirely in my own style and very user-friendly.
Finally, I want to advise everyone not to over-exploit the integrity of China's industrial market. PLC technology should be used reasonably to protect core secrets, not excessively for other purposes. Improving the integrity issue in China's industrial market requires the efforts of everyone.