Integrity check of downloaded software or firmware files

IEC 62443 requires a mandatory integrity check of software or firmware downloaded via the Internet to guard against tampering attacks.

After downloading a setup file for any application (Windows®/Linux), a firmware file for a controller from the Internet, or a PLCnext Technology App from the PLCnext Store, you must verify prior to installation that the file has not been corrupted or tampered with. To do this, copy the published checksum string for the file from the provider's website before downloading the file, and save it to a plain text file.

Note: In the download section for the relevant products on the Phoenix Contact website, a SHA256 checksum is specified for each downloadable software or piece of code.

Example for PLCnext Engineer by Phoenix Contact

After downloading the setup file, use a suitable tool (such as 7-Zip) to calculate a SHA256 checksum over the downloaded file. If the calculated SHA256 checksum is identical to the checksum published by the provider, you can execute the software setup file, or you can install the firmware on the controller.

Example for a PLCnext Technology App from the PLCnext Store

After downloading the PLCnext Technology App, compare its SHA-256 checksum with the one shown in the download dialog.

If the SHA-256 checksum is identical, the PLCnext Technology App can be executed.

Example using 7-Zip on Windows 

  • With 7-Zip installed, right-click the downloaded file in the file explorer; for .zip files, do not unzip before checking.
  • Select the context menu entry CRC SHA → SHA-256.
  • Let 7-Zip calculate a checksum for the file, then paste that checksum below the one you copied from the provider's website and compare them. They must be identical in every character.
  • If the calculated SHA-256 checksum is identical, you can execute the software setup file, or you can install the firmware on the controller.
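
The same comparison can be scripted so that it does not depend on reading 64 characters by eye. The following Python script is an added example, not a Phoenix Contact tool; the script name and the file names passed to it are assumptions. It reads the published checksum from the plain text file you saved, calculates the SHA-256 of the downloaded file, and refuses to continue if the text file does not contain exactly one SHA-256 value (for example, because a different hash type or a truncated string was copied).

```python
import hashlib
import hmac
import re
import sys

# A SHA-256 value is exactly 64 hex characters; 7-Zip prints upper case,
# many websites publish lower case, so matching is case-insensitive.
SHA256_HEX = re.compile(r"\b[0-9a-fA-F]{64}\b")

def read_published_checksum(text_path):
    """Return the SHA-256 string saved from the provider's website, lower-cased."""
    # utf-8-sig tolerates the byte order mark some Windows editors add.
    with open(text_path, "r", encoding="utf-8-sig") as fh:
        matches = SHA256_HEX.findall(fh.read())
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one SHA-256 value in {text_path}, found {len(matches)}")
    return matches[0].lower()

def sha256_of_file(path, chunk_size=1024 * 1024):
    """Hash the file as downloaded (do not unzip first), reading in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_download(file_path, checksum_path):
    """Return (match, published, calculated) for the downloaded file."""
    expected = read_published_checksum(checksum_path)
    actual = sha256_of_file(file_path)
    return hmac.compare_digest(expected, actual), expected, actual

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_download.py <downloaded file> <checksum text file>")
    ok, expected, actual = verify_download(sys.argv[1], sys.argv[2])
    print(f"published : {expected}")
    print(f"calculated: {actual}")
    print("MATCH" if ok else "MISMATCH: do not install this file")
    sys.exit(0 if ok else 1)
```

The non-zero exit code on a mismatch lets an installation script stop before the setup or firmware file is used.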

 

 

 


• Published/reviewed: 2024-12-16 • Revision 016 •