Securing your Projects and Programs in Siemens TIA Portal
Beginner


PLC Programming
Industrial Cybersecurity
TIA Portal
Siemens

Introduction

Industrial systems face several types of threats. For a long time, engineering effort went almost entirely into the functional side of the system. With the spread of IT technologies and Industry 4.0, however, industrial systems are increasingly exposed to software faults and cyber attacks.

To protect the system against these threats, we use several levels or "layers" of protection.

In this tutorial, you will learn how to use the most basic layer of protection within the TIA Portal environment: the project and program protections.

Prerequisites

To follow this tutorial, you will need an installation of TIA Portal. We will use TIA Portal V17, but any recent version should work; the dialogs may look slightly different in other versions. No additional hardware or software is required.

Securing your project in TIA Portal

The first layer of protection is project protection. Whoever can open your system's original project has full access to its content, including critical process data and control logic. Securing it must always be your first step in securing your programs. Let's start by creating a TIA Portal project.

Open TIA Portal and click on “Create new project”, then give it a name and click on “Create”.

Figure 1.1: Create a new project in TIA Portal.

Then, click on “Configure a device” to add a CPU to the project.

Figure 1.2: Configure a device in TIA Portal.

Next, select the CPU you want. Any model that meets your requirements will do; here we use a simple S7-1200 CPU. Once the CPU is selected, click on "Add".

Figure 1.3: Select the CPU model.

We are now on the project view. On the left side of the screen is the “Project tree.” It shows the content of the project. To access the security options, open the “Security settings” folder. 

Figure 1.4: TIA Portal main view.

Next, click on "Settings".

Figure 1.5: Security settings’ location.

Now we are in the security settings of the project. It contains two tabs: 

  • The project protection tab allows you to define an administrator password for the entire project.
  • The password policies contain a set of rules the passwords must respect.
Figure 1.6: Security settings.

Click on “Password policies.”

Figure 1.7: Password policies.

Here, you can define the level of complexity a password must have (for example: minimum length, mandatory numeric or special characters) and password conditions (for example: how many previous passwords may not be reused, and how long a password stays valid).
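To make the rule types concrete, here is a small password-policy checker modelled on the categories above (length, mandatory character classes, reuse history, validity period). It is an added example written for this tutorial, not TIA Portal code: the two sample policies and their thresholds are assumptions chosen for the demo, not Siemens defaults, and the sample password history is constructed.

```python
"""
Password-policy checker modelled on the rule types TIA Portal exposes under
Security settings > Password policies: minimum length, mandatory numeric and
special characters, a reuse history, and a validity period.
Added example for this tutorial, not TIA Portal code. The thresholds in the
two sample policies are assumptions chosen for the demo, not Siemens defaults.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Sequence
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    require_digit: bool = True
    require_special: bool = True
    require_mixed_case: bool = False
    reuse_history: int = 5              # candidate must differ from the last N passwords
    validity_days: Optional[int] = 90   # None means the password never expires

    def violations(self, candidate: str, previous: Sequence[str] = ()) -> List[str]:
        """Return every rule the candidate breaks; an empty list means it is accepted."""
        problems: List[str] = []
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_digit and not any(c.isdigit() for c in candidate):
            problems.append("no numeric character")
        if self.require_special and not any(c in string.punctuation for c in candidate):
            problems.append("no special character")
        if self.require_mixed_case and not (
            any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)
        ):
            problems.append("no mix of upper and lower case")
        # Reuse check: only the most recent `reuse_history` entries count. A real
        # credential store would keep salted hashes here, not clear-text strings.
        recent = list(previous)[-self.reuse_history:] if self.reuse_history > 0 else []
        if candidate in recent:
            problems.append(f"reuses one of the last {self.reuse_history} passwords")
        return problems

    def is_expired(self, set_at: datetime, now: datetime) -> bool:
        """True once the validity period has elapsed and a rotation is due."""
        if self.validity_days is None:
            return False
        return now - set_at >= timedelta(days=self.validity_days)


def rotation_due(policy: PasswordPolicy, set_at_iso: str, now_iso: str) -> bool:
    """Same check with ISO-8601 dates, e.g. rotation_due(STRICT_POLICY, "2024-01-01", "2024-04-01")."""
    return policy.is_expired(datetime.fromisoformat(set_at_iso), datetime.fromisoformat(now_iso))


# Two constructed policies: the first is the kind of lax policy that lets short,
# all-letter passwords through; the second is what you would actually enforce.
WEAK_POLICY = PasswordPolicy(min_length=4, require_digit=False, require_special=False,
                             reuse_history=0, validity_days=None)
STRICT_POLICY = PasswordPolicy(min_length=12, require_digit=True, require_special=True,
                               require_mixed_case=True, reuse_history=5, validity_days=90)


def evaluate(candidate: str, previous: Sequence[str] = ()) -> dict:
    """Run one candidate through both policies so the difference is visible side by side."""
    return {
        "weak": WEAK_POLICY.violations(candidate, previous),
        "strict": STRICT_POLICY.violations(candidate, previous),
    }


if __name__ == "__main__":
    history = ["Line3-Mixer!2023", "Line3-Mixer!2024"]   # constructed sample history
    for pw in ["admin", "Line3-Mixer!2024", "Line3-Mixer!2025"]:
        print(pw, evaluate(pw, history))
```

The point of the side-by-side run is that a short, all-letter password such as "admin" passes the weak policy untouched but collects four violations under the strict one, and that a reuse rule of five blocks exactly the previous rotations without blocking a genuinely new password.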

Go to the “Project protection” tab and click “Protect this project.”

A small window will open asking you to define a username and password.

Figure 1.8: Defining an administrator user.

Keep in mind that this will be the administrator account: logging in with these credentials grants full access to the project. Choose the user name and password carefully and keep them in a safe place (a password manager, for example). There is no reset path for a lost administrator password, so losing it means losing access to the project. Once done, click on "OK".

Figure 1.9: Define an administrator user name and a password.

As you can see, the "Protect this project" button has turned grey: project protection is now active, and it cannot be switched off again.

Please bring your attention to the “Security settings” folder in the Project tree.

You’ll notice that a new folder appeared inside named “Security features”.

Figure 1.10: The project is protected.

This folder contains further security options like defining a firewall or a VPN. These features will be treated in other upcoming tutorials. For now, just be aware that protecting your project gives you access to further security options.

Figure 1.11: Security features.

Now that we have an administrator user for the project, we can create more users. Several people may work on the same project; giving each of them their own user with only the privileges they need is essential to prevent undesired modifications.

Click on “Users and roles.”

Figure 1.12: Users and roles.

You can see that the admin user we created earlier is already listed and has the "Engineering administrator" role. This role gives the user full access to the project.

Click on “Assigned rights” to see all privileges this user has.

Figure 1.13 : Administrator rights.

Let’s add a new user. Click on “<add new user>”, then click on “add new local user”.

Figure 1.14: Adding a new local user.

There are two types of users you can create:

  • Local users: These users are local to the TIA project. 
  • Global users: These are centralized users you can synchronize with a UMC server (User Management Component).

Define a new local user, give it a name (for example "Programmer") and a password, then in the "Assigned roles" tab below select "Engineering standard".

Figure 1.15: Creating a standard user.

Go to the "Assigned rights" tab: you will notice that the "Engineering standard" role has fewer rights than the administrator. Always assign the least privileged role that lets a user do their job, to prevent unwanted modifications.

Figure 1.16: Standard user rights.

Securing your programs in TIA Portal

Securing the project was the first layer of protection we added. However, it only controls who can open or modify the project itself. Anyone who can reach the PLC over the network can still upload the program blocks from the CPU into a new project, and thus obtain your programs without ever touching the original project.

In that case, we want to protect the program blocks, especially the most critical ones. For this, we will use the second layer of protection: the program block protections. 

Open the “Program blocks” folder in the project tree and right-click on “Main [OB1]”. Then, click on properties.

Figure 2.1: Opening the properties of the main program.

In the properties window, click on the “Protection” tab.

Figure 2.2: Main program properties.

You will notice three types of protection: 

  • Know-how protection: protects any OB, FC, FB, or global DB with a password. Opening the block or modifying its properties requires that password. (Note that know-how protection set on an FB also covers its associated instance DBs.)
  • Write protection: whereas know-how protection hides the block's contents, write protection keeps the block readable but requires a separate password to modify it. You can read the block, but you cannot change it without the write-protection password.
  • Copy protection: binds the block to a specific memory card or CPU, either through a password (the serial number is inserted when the block is downloaded) or by entering the serial number by hand. The block can then only be executed on the bound memory card/CPU, so copying it to another load memory is useless. Combine it with know-how protection on the same block: without know-how protection the block's properties remain editable, and the binding can simply be changed.
Figure 2.3: Program block protection types.

Let’s start with the know-how protection. Click on “Protection”.

Figure 2.4: Know-how protection.

A small window will open asking you to define a password. Once done, click on “OK”.

Figure 2.5: Creating a password for know-how protection.

With know-how protection active, you will notice that it is no longer possible to modify any block property, and opening the block requires the password.

Figure 2.6: The program block is protected.

You can remove the know-how protection or change the password by clicking on “Protection”. However, it will require you to have the actual password to do so.

Figure 2.7: How to change or remove the password of the know-how protection.

Next, the write protection. Click on “Define password”.

Figure 2.8: Write protection.

As for the know-how protection, a window will ask you to define a password.

Figure 2.9: Creating a password for the write protection.

Now with the writing password defined, click on the “Write protection” check box to activate the protection. It will ask you to enter the password to do so.

Figure 2.10: Activating the write protection.

Now the write protection is live. You can change the password or remove it the same way for know-how protection.

Figure 2.11: How to remove or change the password of the write protection.

Now to the last type of protection, copy protection. First, choose the type of binding you want from the drop-down list.

Figure 2.12: Select the type of binding.

Whether you choose to bind to the memory card or the CPU, you’ll have to either define a password or manually insert the serial number.

To use the password, click on “Define password” and proceed as we have done before.

Figure 2.13: Defining a password for the copy protection.

If you use this method, the binding happens automatically when the program is loaded into the target (memory card or CPU), and the password must be entered at that point.

Alternatively, you can enter the serial number of the memory card or CPU you will use by hand.

Figure 2.14: Entering the serial number.
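The following model makes the two decisions above explicit: what you bind to (memory-card serial or CPU serial) and how the serial gets in (password-gated at download, or typed in by hand). It is an added example for this tutorial, not Siemens firmware or TIA Portal code; the class names, the serial-number strings and the simplified CPU reaction to a mismatch (the block simply does not execute) are assumptions made for the demo.

```python
"""
Model of copy-protection binding: a block is bound to the serial number of the
memory card or of the CPU, and the serial is either entered by hand (fixed
binding) or inserted at download time behind a password (dynamic binding).
Added example for this tutorial, not Siemens firmware or TIA Portal code;
names, serial formats and the exact CPU reaction to a mismatch are assumptions.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional


class Binding(Enum):
    NONE = "no binding"
    MEMORY_CARD = "memory card serial"
    CPU = "CPU serial"


@dataclass(frozen=True)
class Target:
    """A CPU together with the memory card currently inserted (constructed serials)."""
    cpu_serial: str
    card_serial: str

    def serial_for(self, binding: Binding) -> Optional[str]:
        if binding is Binding.MEMORY_CARD:
            return self.card_serial
        if binding is Binding.CPU:
            return self.cpu_serial
        return None


@dataclass(frozen=True)
class Block:
    name: str
    binding: Binding = Binding.NONE
    bound_serial: Optional[str] = None        # fixed binding: serial typed into the properties
    download_password: Optional[str] = None   # dynamic binding: serial inserted at download


class CopyProtectionError(Exception):
    pass


def download(block: Block, target: Target, password: Optional[str] = None) -> Block:
    """Load the block into a target. With dynamic binding the target's serial is
    stamped into the block, but only if the caller presents the copy-protection
    password; without it the block cannot be bound to new hardware."""
    if block.binding is Binding.NONE or block.bound_serial is not None:
        return block                          # nothing to bind, or already fixed-bound
    if block.download_password is None or password != block.download_password:
        raise CopyProtectionError(f"{block.name}: password required to bind at download")
    return replace(block, bound_serial=target.serial_for(block.binding))


def can_execute(block: Block, target: Target) -> bool:
    """Runtime check: a bound block only runs where its serial matches the target."""
    if block.binding is Binding.NONE:
        return True
    return block.bound_serial is not None and block.bound_serial == target.serial_for(block.binding)


if __name__ == "__main__":
    plant = Target(cpu_serial="CPU-0001", card_serial="SMC-0001")   # constructed serials
    recipe = Block("FB_Recipe", Binding.MEMORY_CARD, download_password="bind-me")
    bound = download(recipe, plant, password="bind-me")
    print("runs on the original card:", can_execute(bound, plant))
    print("runs on a copied card:    ", can_execute(bound, Target("CPU-0001", "SMC-0002")))
    cpu_bound = Block("FB_Recipe", Binding.CPU, bound_serial="CPU-0001")
    print("CPU-bound, card swapped:  ", can_execute(cpu_bound, Target("CPU-0001", "SMC-0002")))
    print("CPU-bound, CPU swapped:   ", can_execute(cpu_bound, Target("CPU-0002", "SMC-0001")))
```

Two things fall out of running it. A card-bound block survives a CPU replacement but not a card replacement, and a CPU-bound block the other way round, so pick the binding according to which part you expect to swap during maintenance. And with dynamic binding, someone who copies your project but does not know the copy-protection password cannot download the block onto their own hardware at all, because the serial is only stamped in when the password is presented.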

Conclusion

In this tutorial, you learned the basics of securing your TIA projects and programs.

These are the first layers of protection you must use to ensure system integrity and reliability. 

Continuity of service is the most important aspect of industrial operation. Protecting your project and programs is the most basic way to avoid malfunctions and machine breakdowns caused by unwanted access or modifications.

However, these methods alone are not sufficient. There are still many weak points that can be exploited to affect your system's reliability. Each additional layer of security lowers the probability of a failure.

We will treat other types of protection in the upcoming tutorials.