Integrity check of downloaded software or firmware files

IEC 62443 requires a mandatory integrity check of software or firmware downloaded via the Internet to protect against tampering attacks.

After downloading a setup file for any application (Windows/Linux) or a firmware file for a controller from the Internet, prior to its installation you must verify that the file has not been corrupted or tampered with. To do this, copy the published checksum string for the file before downloading the file from the provider's website, and save it to a plain text file.

Note: In the download section for the relevant products on the Phoenix Contact website, a SHA256 checksum is specified for each downloadable software or piece of code.

Example for PLCnext Engineer by Phoenix Contact

After downloading the setup file, use a suitable tool (such as 7-Zip) to calculate a SHA256 checksum over the downloaded file. If the calculated SHA256 checksum is identical to the checksum published by the provider, the software setup file can be executed, or the firmware can be installed on the controller.

Example using 7-Zip on Windows 

  • With 7-Zip installed, right-click the downloaded file in the File Explorer; for .zip files, do not unzip before checking.
  • Select the context menu entry CRC SHA → SHA-256.
  • Let 7-Zip calculate a checksum for the file, then paste that checksum below the one you copied from the provider's website and compare them. They must be identical in every character.
  • If the calculated SHA256 checksum is identical, the software setup file can be executed, or the firmware can be installed on the controller.
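
The same comparison can be scripted on Windows or Linux. The following Python script is an added example, not Phoenix Contact code; the script name, the function names and the assumption that the saved checksum text file is UTF-8 encoded are illustrative.

```python
import hashlib
import hmac
import re
import sys
from pathlib import Path

# A SHA256 value is exactly 64 hex characters; shorter or longer runs do not match.
SHA256_HEX = re.compile(r"\b[0-9a-fA-F]{64}\b")


def read_published_checksum(checksum_file):
    """Extract the single SHA256 value from the saved plain text file."""
    text = Path(checksum_file).read_text(encoding="utf-8-sig")  # assumed UTF-8
    found = {m.lower() for m in SHA256_HEX.findall(text)}
    if len(found) != 1:
        # Truncated copy, wrong algorithm, or several different values pasted.
        raise ValueError(f"expected exactly one SHA256 value, found {len(found)}")
    return found.pop()


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Hash the file as downloaded (a .zip is hashed unextracted), in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(download, checksum_file):
    """Return True only if every character of both checksums matches."""
    published = read_published_checksum(checksum_file)
    calculated = sha256_of_file(download)
    return hmac.compare_digest(published, calculated)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_download.py <downloaded file> <checksum text file>")
    try:
        ok = verify_download(sys.argv[1], sys.argv[2])
    except (OSError, ValueError) as exc:
        sys.exit(f"DO NOT INSTALL, check could not be completed: {exc}")
    print("MATCH: file may be installed" if ok else "MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

The comparison ignores letter case, so an uppercase checksum in the saved text file still matches; a checksum that was copied incompletely is rejected instead of being compared.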

 

 

 


• Published/reviewed: 2023-11-02 • Revision 011 •