Controller-specific information on the 62443-4-2 compliance list

EDR 3.14

The PLCnext Control supports a software-based partial integrity and authenticity protection of the boot process. Before mounting the Linux file system, a system integrity check is performed. The boot loader, the kernel and certain files are not covered by this integrity check.

You can check the result of the integrity check here: Checking the integrity state.

The software-based partial integrity and authenticity protection of the boot process has been certified in the last three audits since 2021. With new CPUs now supporting hardware secure boot from the ROM, a new state-of-the-art security technology has been established. From version 2024.0, PLCnext Control devices no longer fully comply with the EDR 3.14 requirements.

As the threat landscape evolves, more organizational security measures must be supervised to protect the device against tampering. Existing PLCnext Control devices will not be updated to a compliant integrity and authenticity protection of the boot process, as device replacement use cases cannot be supported by compliant firmware versions. New PLCnext Control devices with new CPUs supporting hardware secure boot (EDR 3.14) are under development and are planned to be released to the market in 2025 and 2026, depending on the controller type.

The prerequisite is that the Security Profile is activated. Only use PLCnext Control devices in the security context with an activated Security Profile.

Before installing a project, ensure that the project integrity settings in the toolchain and PLCnext Engineer are active to protect it (Checking project data integrity). Verify the integrity of the device's firmware and application by checking the local security logs, and enable syslog supervision by a network server to monitor access to the device: Security logging and Configuring central logging.
Follow all security advice in the PLCnext Technology ‑ Security Info Center.

OpenSSL

The OpenSSL library has been updated to version 3.0. The PLCnext Technology firmware uses this version only. For compatibility reasons, the previous OpenSSL library (version 1.1.1) still exists in the file system. As this version is outdated, it will be removed in one of the next firmware releases. For applications (including PLCnext Technology Apps) that use the OpenSSL library, an update is recommended as soon as an application version that uses OpenSSL 3.0 is available.
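To find out which applications would be affected when the 1.1.1 library is removed, the following added example (not Phoenix Contact code) walks a directory tree and lists ELF files that still reference the OpenSSL 1.1.1 sonames `libssl.so.1.1` or `libcrypto.so.1.1`. It assumes the directory to scan is passed as an argument (for example an unpacked application), and it uses a byte-level search as a heuristic rather than a full ELF parse.

```python
"""Inventory ELF files that still reference the OpenSSL 1.1.1 shared libraries."""
import os
import sys

ELF_MAGIC = b"\x7fELF"
# Sonames as they appear, NUL-terminated, in an ELF dynamic string table.
LEGACY_SONAMES = (b"libssl.so.1.1\x00", b"libcrypto.so.1.1\x00")
CURRENT_SONAMES = (b"libssl.so.3\x00", b"libcrypto.so.3\x00")


def openssl_references(path):
    """Return (legacy, current) soname lists, or None if not ELF or unreadable."""
    try:
        with open(path, "rb") as fh:
            if fh.read(4) != ELF_MAGIC:
                return None
            data = fh.read()
    except OSError:
        return None
    # Heuristic: a hit means the name is embedded in the file (DT_NEEDED entry,
    # the library's own soname, or a dlopen() argument). Confirm with readelf -d.
    legacy = [s[:-1].decode() for s in LEGACY_SONAMES if s in data]
    current = [s[:-1].decode() for s in CURRENT_SONAMES if s in data]
    return legacy, current


def scan_tree(root):
    """Map each ELF file under root that references OpenSSL 1.1.1 to its sonames."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks and special files so each binary is reported once.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            refs = openssl_references(path)
            if refs and refs[0]:
                findings[path] = refs[0]
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan_tree(root)
    for path, sonames in sorted(results.items()):
        print(f"{path}: {', '.join(sonames)}")
    sys.exit(1 if results else 0)  # non-zero exit if legacy references remain
```

The OpenSSL 1.1.1 library files themselves also appear in the output, because each carries its own soname; every other hit is a binary that needs a version built against OpenSSL 3.0.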


• Published/reviewed: 2024-12-16 • Revision 016 •