Integrity Check of Software Installations
When installing software tools that have been developed according to the IEC 62443 standard, checksums are calculated over the installation. Phoenix Contact supports this, for example, for PLCnext Engineer.
By verifying these checksums, manipulations of the installation and data corruption can be detected.
To comply with the IEC 62443 standard, you must continuously check the integrity of relevant software installations, such as PLCnext Engineer. For that purpose, use primarily a standard Windows tool.
Alternatively, you can use the ChecksumCalculator tool provided by Phoenix Contact or any other suitable tool.
Example: Installation check for PLCnext Engineer with the ChecksumCalculator tool
The ChecksumCalculator tool provides the possibility to calculate checksums over individual files as well as entire directories (including subfolders, if required). It can be executed for the installation directories thus delivering a checksum over the software installation.
In the following the use of the ChecksumCalculator is explained exemplarily for PLCnext Engineer.
After executed ChecksumCalculator for the PLCnext Engineer installation directory, the resulting CRCs consider the following tool settings:
- Settings made by Phoenix Contact such as available features and tool characteristics,
- as well as tool settings made by the administrator such as installed customer-specific certificates.
User settings (e.g., made in the 'Options' dialog) are not relevant for this kind of tamper detection as they do not result in any changes in the installation directory of PLCnext Engineer.
ChecksumCalculator is command-line oriented. ChecksumCalculator.exe -?
displays help information on the available arguments. Using the -o
argument you can write the resulting checksum(s) to a text file you can archive.
Proceed as follows:
- Exclude all files and/or subfolders in the PLCnext Engineer software installation from the checksum calculation which are modified during regular operation. Such files are possibly not accessible by the ChecksumCalculator during operation or no reliable tamper detection is possible as their checksums change frequently. ChecksumCalculator provides arguments for excluding files (
-x
) or entire folders (-X
). - Execute ChecksumCalculator initially after installing PLCnext Engineer and setting it up.
- Note down the resulting CRCs or archive the text file output by ChecksumCalculator.
- In the following, execute ChecksumCalculator regularly and compare the resulting checksums with the initially calculated and deposited CRCs.
This way, any modification of the PLCnext Engineer installation can be detected by means of a differing checksum.
• Published/reviewed: 2023-11-02 • Revision 011 •