Thank you, Tim, for this great video. Please keep them coming. Cheers

This was 100% spot on. If the customer pays tens of thousands of dollars for a plc project or machine, they should be able to work on it. I hate when vendors hold customers hostage with their own equipment. I have never and will never password protect any of my projects, as you said, there is nothing you have done in your code that hasnt been done before.

In the industry that my team and I work all PLCs are password protected in a similar way to the chemical plant example Tim mentioned. All connections to and modification of PLC, SCADA and OT ( Operational Technology) equipment is subject to a change control process for traceability and to ensure that all changes are authorised and fully documented.

I loved the reality you presented with password protection. Everybody has the best intent with password protecting something but then that midnight call comes around and the easiest option is to just give it up and let somebody else handle it. The chemical plant example was very interesting and you could almost omit passwords by having tight grips on your licenses for software; you can’t change the PLC if you don’t have the software or appropriate licenses.

Glad to hear you stuck to your guns despite Rockwell/distributors pressure to remove some of your content - it's a shame that they even think they can control that simply because "it doesn't fit THEIR branding"... Although I don't agree with the reasons you point out for password protecting PLCs (I support password protecting from the perspective of holistic security), I certainly appreciate and understand the customer's point of view. I can't speak for Rockwell, but I know Siemens has had ways to implement exactly what you are asking for around 9:09 mark... Although I don't think the PLC/software vendors (Rockwell, Siemens, etc.) should have anything to do with MANAGING that agreement/password between OEM and end user... Just my two cents - as always, thanks for the great content, Tim!

I realize this thread is a few years old, and I agree with Tim. However, today, there are now legal ramifications of NOT password protecting something (even if it is lame technology) when it CAN be password protected, simply for "due diligence." If a system was attacked, you want to be able to show that everything was done that could be done (again, even if it wouldn't help.) Otherwise...you're on the hook. Thanks Tim, I always appreciate your sound input.

In our industry many companies come and go or get bought out by other companies. When you have a piece of equipment for 20 years you own it- you should have full access to get in it and make the needed changes. It's more important to control who is allowed to look at and make changes in the programs within your organization than putting passwords on everything.

I have had PW problems before. The problem was that the company that manufactured the equipment went out of business years ago. I also had another PLC that was running a Micro800, and that was neat because they had parts of their code locked and other parts open. I still didn't like the PWs, but at least I could still back up the program and make some changes (though the VFD interface I actually wanted to fix was one of the things locked down). Now, any time I am in any way involved with a 3rd party PLC programmer I will always specify NO PASSWORDS!

What cracks my whip is when small one man integrators hold water systems hostage with password protected PLCs. They didn't know to ask for the program or password and so they are forced to pay someone else to reprogram the PLC. I agree, Tim... after getting past some of these passwords, the code behind them does not seem to be code anyone wants.

The machine series of plc from modicon have made passwords almost mandatory. According to them it was to answer new cyber security policies coming in the near future. It is good and bad but it is most certainly a sign of the times.

One big if about PLC passwords is if the OEM suddenly goes to the shadowrealm overnight, you're essentially screwed unless you can replicated the logic.

All I know is, every time a customer says the manufacturer wants to send a rep out and charge 200/hr plus flight time, hotels, etc... Just to change a timer. I always get a big smile on my face, make the changes, and hand them backups of their program. nothing worse than being blackmailed by a company who played nice until the support is needed (non-PLC - CAT and John Deere come to mind...)

Well put! I had a vender that would not include even the program never mind passwords without money up front. Needless to say we went with another vendor.

I had a program I wrote for a ML1200 open up as copy protected. Copy protection absolutely was not turned on. If Rockwell decides lo lock something due to their software being buggy... they should step up and unlock it.

What arguments against password protecting a PLC program would you use if a client told you that they want to password protect the programs for increased cyber security?

I see both sides of the issue. Sometimes it is wise to password protect a PLC that protects a critical machine such as a boiler that could explode and kill people if (as I see all the time) some dopey maintenance guy with a controls laptop tries to play controls engineer and just mucks it all up. A validated program such as in the pharmaceutical industry must be protected from changes after the validation process which would disqualify the validation. Also, as a freelance controls engineer, I will occasionally do work for a machine designer that may or may not decide to pay me. In that case I've put weeks of work into the program and want to be compensated for my time. Once the customer has paid I will remove the password by telling them I have to download the latest revision.

Excellent, I have a question for you. We lost the key to some programs, know how we can recover them? I have the 3 files "RSLogic 500" with the programs but it asks me for a password and we don't remember which one it was. How can you help us? Thank you!

My customer (OEM) wants it protected. Not my call.

Utterly infuriating. Open source is the only way it should be. If you aren’t ethical and copy people’s programming you should be exposed. But I’m tired of companies holding this stuff hostage.